Set up GitLab Duo with Amazon Q
- Introduced as an experiment in GitLab 17.7 with a flag named amazon_q_integration. Disabled by default.
You can use GitLab Duo with Amazon Q to perform a variety of tasks, from creating merge requests and adding test coverage to reviewing changes for security and quality.
Set up GitLab Duo with Amazon Q
To set up GitLab Duo with Amazon Q, you must:
- Complete the prerequisites
- Create an identity provider
- Create an IAM role
- Enter the ARN in GitLab and enable Amazon Q
- Add the Amazon Q user to your project
Prerequisites
- You must have a self-managed GitLab instance:
  - With an HTTPS URL that can be accessed by Amazon Q (the SSL certificate must not be self-signed). For more details about SSL, see Configure SSL for a Linux package installation.
  - With an Ultimate subscription that is synchronized with GitLab. (No trial access.)
  - With the amazon_q_integration feature flag enabled.
- GitLab Duo features must be turned on. (Experimental and beta features are off by default.)
Create an IAM identity provider
Start by creating an IAM identity provider.
First, you need some values from GitLab:
- Sign in to GitLab.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand Configure GitLab Duo with Amazon Q.
- Under step 1, copy the provider URL and audience. You will need them in the next step.
Now, create an AWS identity provider:
- Sign in to the AWS IAM console.
- Select Access Management > Identity providers.
- Select Add provider.
- For Provider type, select OpenID Connect.
- For Provider URL, enter the value from GitLab.
- For Audience, enter the value from GitLab.
- Select Add provider.
Create an IAM role
Next, you must create an IAM role that trusts the IAM identity provider and can access Amazon Q.
- In the AWS IAM console, select Access Management > Roles > Create role.
- Select Web identity.
- For Web identity, select the provider URL you entered earlier.
- For Audience, select the audience value you entered earlier.
- Skip Permissions policies by selecting Next. You will create an inline policy later.
- Ensure the trust policy is correct. It should look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Principal": {
            "Federated": "arn:aws:iam::<AWS_Account_ID>:oidc-provider/auth.token.gitlab.com/cc/oidc/<Instance_ID>"
          },
          "Condition": {
            "StringEquals": {
              "auth.token.gitlab.com/cc/oidc/<Instance_ID>": "gitlab-cc-<Instance_ID>"
            }
          }
        }
      ]
    }

- Name the role, for example QDeveloperAccess, and select Create role.
Now edit the role and add the policy:
- Find the role that you just created and select it.
- Change the session time to 12 hours. The AssumeRoleWithWebIdentity will fail in the AI Gateway if the session is not set to 12 hours or more.
  - In the Roles search field, enter the name of your IAM role and then choose the role name.
  - In Summary, choose Edit to edit the session duration.
  - Choose the Maximum session duration dropdown menu, and then choose 12 hours.
  - Choose Save changes.
- Select Permissions > Add permissions > Create inline policy.
- Select JSON and paste the following in the editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "GitLabDuoPermissions",
          "Effect": "Allow",
          "Action": [
            "q:SendEvent",
            "q:CreateOAuthAppConnection",
            "q:CreateAuthGrant",
            "q:UpdateAuthGrant",
            "q:UpdateOAuthAppConnection"
          ],
          "Resource": "*"
        }
      ]
    }

- Select Actions > Optimize for readability to make AWS format and parse the JSON.
- Select Next.
- Name the policy gitlab-duo-amazon-q-policy and select Create policy.
- Copy the ARN listed on the page. It will look similar to this:

    arn:aws:iam::123456789:role/QDeveloperAccess

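One way to check the finished role against the steps above, as an added example that is not GitLab's or AWS's own tooling: a Python lint that takes the role's trust policy JSON and maximum session duration (exported from IAM however you prefer) and reports deviations. The instance ID and account ID are constructed sample values, and audit_role and sample_policy are hypothetical names.

```python
import json

MIN_SESSION = 12 * 3600  # seconds; the page requires a 12-hour maximum session duration

def audit_role(trust_policy_text, max_session_seconds, provider, audience):
    """Return findings for an IAM role; an empty list means it matches the setup above."""
    try:
        policy = json.loads(trust_policy_text)
    except json.JSONDecodeError as exc:
        return [f"trust policy is not valid JSON: {exc.msg}"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also legal
        statements = [statements]
    findings, matched = [], False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not (isinstance(federated, str) and federated.endswith(":oidc-provider/" + provider)):
            findings.append("federated principal is not the GitLab identity provider")
        # The condition ties the role to the audience value copied from GitLab.
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        if pinned.get(provider) != audience:
            findings.append("StringEquals does not bind the provider key to the audience")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    if max_session_seconds < MIN_SESSION:
        findings.append("maximum session duration is below 12 hours")
    return findings

# Constructed sample values (not from a real deployment).
INSTANCE_ID = "example-instance-id"
PROVIDER = "auth.token.gitlab.com/cc/oidc/" + INSTANCE_ID
AUDIENCE = "gitlab-cc-" + INSTANCE_ID

def sample_policy(with_condition=True):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER}}
    if with_condition:
        stmt["Condition"] = {"StringEquals": {PROVIDER: AUDIENCE}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    print(audit_role(sample_policy(), 43200, PROVIDER, AUDIENCE))       # compliant role
    print(audit_role(sample_policy(False), 3600, PROVIDER, AUDIENCE))  # no condition, 1-hour session
```

A policy that does not parse as JSON (for example, one with a stray trailing comma) is reported as a single finding rather than raising.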
Enter the ARN in GitLab and enable Amazon Q
Now, enter the ARN into GitLab and determine which groups and projects can access the feature.
Prerequisites:
- You must be a GitLab administrator.
- Sign in to GitLab.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand Configure GitLab Duo with Amazon Q.
- Select View configuration setup.
- Under IAM role’s ARN, paste the ARN.
- To determine which groups and projects can use GitLab Duo with Amazon Q, choose an option:
- To turn it on for the instance, but let groups and projects turn it off, select On by default.
- To turn it off for the instance, but let groups and projects turn it on, select Off by default.
- To turn it off for the instance, and to prevent groups or projects from ever turning it on, select Always off.
- Select Save changes.
When you save, an API should contact the AI Gateway to create an OAuth application on Amazon Q.
To confirm that it was successful:
- In the Amazon CloudWatch console log, check for a 204 status code. For more information, see What is Amazon CloudWatch?
- In GitLab, a notification that says Amazon Q settings have been saved is displayed.
- In GitLab, on the left sidebar, select Applications. The Amazon Q OAuth application is displayed.
Add the Amazon Q user to your project
Now add the Amazon Q service account user as a member of your project.
- In GitLab, on the left sidebar, select Search or go to and find your project.
- Select Manage > Members.
- In the upper-right corner, select Invite members.
- For Username, name, or email address, select Amazon Q Service.
- For Select a role, select Developer.
- Select Invite.
Configure the AI gateway
Now configure your AI gateway.
- On your GitLab instance, in /etc/gitlab/gitlab.rb, in production mode, your gitlab_rails['env'] configuration should look like:

    gitlab_rails['env'] = {
      "AI_GATEWAY_URL" => "https://ai-gateway-panda.runway.gitlab.net"
    }

  Be sure that GITLAB_LICENSE_MODE, CUSTOMER_PORTAL_URL, and CLOUD_CONNECTOR_SELF_SIGN_TOKENS are NOT set.

  For staging, your /etc/gitlab/gitlab.rb should have:

    gitlab_rails['env'] = {
      "GITLAB_LICENSE_MODE" => "test",
      "CUSTOMER_PORTAL_URL" => "https://customers.staging.gitlab.com",
      "AI_GATEWAY_URL" => "https://ai-gateway-panda.staging.runway.gitlab.net"
    }

- Run gitlab-ctl reconfigure for these changes to take effect.
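A check for staging settings left behind in a production gitlab.rb, as an added example that is not part of GitLab's tooling: it reads the gitlab_rails['env'] hash with a regular expression (an approximation, not a Ruby parser) and skips whole-line comments. The gateway URL and key names come from the settings above; the function name and the sample files are constructed.

```python
import re

# Values taken from the page; everything else in this block is an assumption.
PRODUCTION_GATEWAY = "https://ai-gateway-panda.runway.gitlab.net"
STAGING_ONLY = ("GITLAB_LICENSE_MODE", "CUSTOMER_PORTAL_URL", "CLOUD_CONNECTOR_SELF_SIGN_TOKENS")

ENV_BLOCK = re.compile(r"gitlab_rails\['env'\]\s*=\s*\{(.*?)\}", re.DOTALL)
PAIR = re.compile(r"""["']([A-Z_]+)["']\s*=>\s*["']([^"']*)["']""")

def production_env_findings(gitlab_rb_text):
    """Return findings for the gitlab_rails['env'] hash of a production gitlab.rb."""
    # Ignore whole-line comments so commented-out staging settings are not reported.
    active = "\n".join(
        line for line in gitlab_rb_text.splitlines() if not line.lstrip().startswith("#")
    )
    env = {}
    for block in ENV_BLOCK.findall(active):
        env.update(PAIR.findall(block))
    findings = [f"{key} must not be set in production" for key in STAGING_ONLY if key in env]
    if env.get("AI_GATEWAY_URL") != PRODUCTION_GATEWAY:
        findings.append("AI_GATEWAY_URL is not the production AI gateway")
    return findings

# Constructed sample files.
CLEAN = """
external_url 'https://gitlab.example.com'
# gitlab_rails['env'] = { "GITLAB_LICENSE_MODE" => "test" }
gitlab_rails['env'] = { "AI_GATEWAY_URL" => "https://ai-gateway-panda.runway.gitlab.net" }
"""
LEFTOVER_STAGING = """
external_url 'https://gitlab.example.com'
gitlab_rails['env'] = {
  "GITLAB_LICENSE_MODE" => "test",
  "CUSTOMER_PORTAL_URL" => "https://customers.staging.gitlab.com",
  "AI_GATEWAY_URL" => "https://ai-gateway-panda.staging.runway.gitlab.net"
}
"""

if __name__ == "__main__":
    print(production_env_findings(CLEAN))
    for finding in production_env_findings(LEFTOVER_STAGING):
        print(finding)
```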
Turn off GitLab Duo with Amazon Q
You can turn off GitLab Duo with Amazon Q for the instance, group, or project.
Turn off for the instance
Prerequisites:
- You must be an administrator.
To turn off GitLab Duo with Amazon Q for the instance:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand Amazon Q.
- Select View configuration setup.
- Select Always off.
- Select Save changes.
Turn off for a group
Prerequisites:
- You must have the Owner role for a group.
To turn off GitLab Duo with Amazon Q for a group:
- On the left sidebar, select Search or go to and find your group.
- Select Settings > General.
- Expand Amazon Q.
- Choose an option:
- To turn it off for the group, but let other groups or projects turn it on, select Off by default.
- To turn it off for the group, and to prevent other groups or projects from turning it on, select Always off.
- Select Save changes.
Turn off for a project
Prerequisites:
- You must have the Owner role for a project.
To turn off GitLab Duo with Amazon Q for a project:
- On the left sidebar, select Search or go to and find your group.
- Select Settings > General.
- Under Amazon Q, turn the toggle off.
- Select Save changes.