AWS Machine Learning Blog

Index your Confluence content using the new Confluence connector V2 for Amazon Kendra

Amazon Kendra is a highly accurate and simple-to-use intelligent search service powered by machine learning (ML). Amazon Kendra offers a suite of data source connectors to simplify the process of ingesting and indexing your content, wherever it resides.

Valuable data in organizations is stored in both structured and unstructured repositories. An enterprise search solution should be able to pull together data across several structured and unstructured repositories to index and search on.

One such unstructured data repository is Confluence. Confluence is a team workspace that gives knowledge worker teams a place to create, capture, and collaborate on any project or idea. Team spaces help teams structure, organize, and share work, so every team member has visibility into institutional knowledge and access to the information they need.

There are two Confluence offerings:

  • Cloud – This is offered as a software as a service (SaaS) product. It’s always on, continuously updated, and highly secure.
  • Data Center (self-managed) – Here, you host Confluence on your infrastructure, which could be on premises or the cloud. This allows you to keep data within your network and manage it yourself.

We’re excited to announce that you can now use the new Amazon Kendra connector V2 for Confluence to search information stored in your Confluence account both on the cloud and your data center. In this post, we show how to index information stored in Confluence and use the Amazon Kendra intelligent search function. In addition, the ML-powered intelligent search can accurately find information from unstructured documents having natural language narrative content, for which keyword search is not very effective.

What’s new for this version

This version supports OAuth 2.0 authentication in addition to basic authentication for the Cloud edition. For the Data Center (on-premises) edition, we have added OAuth2 in addition to basic authentication and personal access tokens for showing search results based on user access rights. You can benefit from the following features:

  • You can now crawl comments in addition to spaces, pages, blogs, and attachments
  • You now have fine-grained choices for your sync scope—you can specify pages, blogs, comments, and attachments
  • You can choose to import identities (or not)
  • This version offers regex support for choosing entity titles as well as file types
  • You have the choice of multiple Sync modes

Solution overview

With Amazon Kendra, you can configure multiple data sources to provide a central place to search across your document repository. For our solution, we demonstrate how to index a Confluence repository using the Amazon Kendra connector for Confluence. The solution consists of the following steps:

  1. Choose an authentication mechanism.
  2. Configure an app on Confluence and get the connection details.
  3. Store the details in AWS Secrets Manager.
  4. Create a Confluence data source V2 via the Amazon Kendra console.
  5. Index the data in the Confluence repository.
  6. Run a sample query to test the solution.

Prerequisites

To try out the Amazon Kendra connector for Confluence, you need the following:

Choose an authentication mechanism

Choose your preferred authentication method:

  • Basic – This works on both the Cloud and Data Center editions. You need a user ID and a password to configure this method.
  • Personal access token – This option only works for the Data Center edition.
  • OAuth2 – This is more involved and works for both Cloud and Data Center editions.

Gather authentication details

In this section, we show the steps to gather your authentication details depending on your authentication method.

Basic authentication

For basic authentication with the Data Center edition, all you need is your login and password. Make sure your login has privileges to gather all content.

For Cloud edition, your user ID serves as your user login. For your password, you need to get a token. Complete the following steps:

  1. Log in to https://id.atlassian.com/manage-profile/security/api-tokens and choose Create API token.

  1. For Label, enter a name for the token.
  2. Choose Create.

  1. Copy the value and save it to use as your password.

Personal access token

This authentication method works for on premises (Data Center) only. Complete the following steps to acquire authentication details:

  1. Log in to your Confluence URL using the user ID and password that you want Amazon Kendra to use while retrieving content.
  2. Choose the profile icon and choose Settings.

  1. Choose Personal Access Tokens in the navigation pane, then choose Create token.

create token

  1. For Token name, enter a name.
  2. For Expiry date, deselect Automatic expiry.
  3. Choose Create.

  1. Copy the token and save it in a safe place.

To configure Secrets Manager, we use the login URL and this value.

OAuth2 authentication for Confluence Cloud edition

This authentication method follows the full OAuth2.0 (3LO) documentation from Confluence. We first create and configure an app on Confluence and enable it for OAuth2. The process is slightly different for the Cloud and Data Center editions. We then get an authorization token and exchange this for an access token. Finally, we get the client ID, client secret, and client code. Complete the following steps:

  1. Log in to the Confluence app.
  2. Navigate to https://developer.atlassian.com/.
  3. Next to My apps, choose Create and choose OAuth2 Integration.

  1. For Name, enter a name.
  2. Choose Create.

  1. Choose Authorization in the navigation pane.
  2. Choose Add next to your authorization type.

  1. For Callback URL, enter the URL you use to log in to Confluence.
  2. Choose Save changes.

save changess

  1. Under Authorization URL generator, choose Add APIs.

add apis

  1. Next to User identity API, choose Add, then choose Configure.

add permissions

  1. Choose Edit Scopes to configure read scopes for the app.
  2. Select View active user profile and View user profiles.

edit scopes

  1. Choose Permissions in the navigation pane.
  2. Next to Confluence API, choose Add, then choose Configure.
  3. On the Classic scopes tab, choose Edit Scopes.
  4. Select all read, search, and download scopes.
  5. Choose Save.

grannular scopes

  1. On the Granular scopes tab, choose Edit Scopes.
  2. Search for read and select all the scopes found.
  3. Choose Save.

scope choice confirmation

  1. Choose Authorization in the navigation pane.
  2. Next to your authorization type, choose Configure.

configure authorization type

You should see three URLs listed.

generated urls

  1. Copy the code for Granular Confluence API authorization URL.

The following is example code:

https://auth.atlassian.com/authorize?
audience=api.atlassian.com
&client_id=YOUR_CLIENT_ID
&scope=REQUESTED_SCOPE%20REQUESTED_SCOPE_TWO

&redirect_uri=https://YOUR_APP_CALLBACK_URL
&state=YOUR_USER_BOUND_VALUE
&response_type=code
&prompt=consent
  1. If you want to generate a refresh token so that you don’t have to repeat this process, add offline_access (or %20offline_access) to the end of all the scopes in the URL (for example, &scope=REQUESTED_SCOPE%20REQUESTED_SCOPE_TWO%20offline_access).
  2. If you’re okay generating a new token each time, just enter the URL in your browser.
  3. Choose Accept.

choose accept

You’re redirected to your Confluence home page.

  1. Inspect the browser URL and locate code=xxxxx.
  2. Copy this code and save it.

This is the authorization code that we use to exchange with the access token.

copy authorization code

  1. Return to the Atlassian developer console and choose Settings in the navigation pane.
  2. Copy the values of the client ID and secret ID and save them.

We need these values to make a call to exchange the authorization token with the access token.

postman utility

Next, we use the Postman utility to post the authorization code to get the access token. You can use alternate tools like curl to do this as well.

  1. The URL to post the authorization code is https://auth.atlassian.com/oauth/token.
  2. The JSON body to post is as follows:
    {"grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "code": "YOUR_AUTHORIZATION_CODE",
    "redirect_uri": "https://YOUR_APP_CALLBACK_URL"}

The grant_type parameter is hard-coded. We collected the values for client_id and client_secret in a previous step. The value for code is the authorization code we collected earlier.

A successful response will return the access token. If you added offline access to the URL earlier, you also get a refresh token.

return response with access token

  1. Save the access token to use when setting up Secrets Manager.

If you’re generating a new token from the refresh token, the current token is valid only for 1 hour. If you need to get a new token, you can start all over again. However, if you have the refresh token, as before, use Postman to post to the following URL: https://auth.atlassian.com/oauth/token. Use the following JSON format for the body of the token:

{"grant_type": "refresh_token",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"refresh_token": "YOUR_REFRESH_TOKEN"}

The call will return a new access token

new access token

OAuth2 authentication for Confluence Data Center edition

If using the Data Center edition with OAuth2 authentication, complete the following steps:

  1. Log in to Confluence Data Center edition.
  2. Choose the gear icon, then choose General configuration.
  3. In the navigation pane, choose Application links, then choose Create link.
  4. In the Create link pop-up window, select External application and Incoming, then choose Continue.
  5. For Name, enter a name.
  6. For Redirect URL, enter https://httpbin.org/.
  7. Choose Save.
  8. Copy and save the values for the client ID and client secret.
  9. On a separate browser tab, open the URL https://example-app.com/pkce.
  10. Choose Generate Random String and Calculate Hash.
  11. Copy the value under Code Challenge.

  12. Return to your original tab.
  13. Use the following URL to get the authorization code:
    https://<confluence url>/rest/oauth2/latest/authorize
    ?client_id=CLIENT_ID
    &redirect_uri=REDIRECT_URI
    &response_type=code
    &scope=SCOPE
    &code_challenge=CODE_CHALLENGE
    &code_challenge_method=S256

Use the client ID you copied earlier, and https://httpbin.org for the redirect URI. For CODE_CHALLENGE, enter the code you copied earlier.

  1. Choose Allow.

You’re redirected to httpbin.org.

  1. Save the code to use in the next step.

  1. To get the access token and refresh token, use a tool such as curl or Postman to post the following values to https://<your confluence URL>/rest/oauth2/latest/token:
    grant_type: authorization_code
    client_id: YOUR_CLIENT_ID
    client_secret: YOUR_CLIENT_SECRET
    code: YOUR_AUTHORIZATION_CODE
    code_verifier: CODE_VERIFIER
    redirect_uri: YOUR_REDIRECT_URL

Use the client ID, client secret, and authorization code you saved earlier. For CODE_VERIFIER, enter the value from when you generated the code challenge.

  1. Copy the access token and refresh token to use later

copy access and refresh tokens

The access token and refresh token are valid only for 1 hour. To refresh the token, post the following code to the same URL to get new values:

grant_type: refresh_token
client_id: YOUR_CLIENT_ID
client_secret: YOUR_CLIENT_SECRET
refresh_token: REFRESH_TOKEN
redirect_uri: YOUR_REDIRECT_URL

The new tokens are valid for 1 hour.

new tokens

Store Confluence credentials in Secrets Manager

To store your Confluence credentials in Secrets Manager, compete the following steps:

  1. On the Secrets Manager console, choose Store a new secret.
  2. Select Other type of secret.

other type

  1. Depending on the type of secret, enter the key-values as follows:
    • For Confluence Cloud basic authentication, enter the following key-value pairs (note that the password is not the login password, but the token you created earlier):
      "username" : "<your login username>",
      
      "password" : "<your token value>"
    • For Confluence Cloud OAuth authentication, enter the following key-value pairs:
      "confluenceAppKey" : “<your clientid>”
      
      "confluenceAppSecret" : “<your client Secret>”
      
      "confluenceAccessToken" : “<your access token>”
      
      "confluenceRefreshToken" : “<your refresh token>”
    • For Confluence Data Center basic authentication, enter the following key-value pairs:
      "username" : "<login username>"
      
      "password" : "<login password>"
    • For Confluence Data Center personal access token authentication, enter the following key-value pairs:
      "patToken" :"<your personal access token>"
    • For Confluence Data Center OAuth authentication, enter the following key-value pairs:
      "confluenceAppKey" : "<your client id>"
      
      "confluenceAppSecret" : “<your Client Secret>”
      
      "confluenceAccessToken" : “<your Access Token>"
      
      "confluenceRefreshToken" : “<your refresh token>”
  1. Choose Next.

choose next

  1. For Secret name, enter a name (for example, AmazonKendra-my-confluence-secret).
  2. Enter an optional description.
  3. Choose Next.

configure secret

  1. In the Configure rotation section, keep all settings at their defaults and choose Next.

configure rotation

  1. On the Review page, choose Store.

Configure the Amazon Kendra connector for Confluence

To configure the Amazon Kendra connector, complete the following steps:

  1. On the Amazon Kendra console, choose Create an Index.

create an index

  1. For Index name, enter a name for the index (for example, my-confluence-index).
  2. Enter an optional description.
  3. For Role name, enter an IAM role name.
  4. Configure optional encryption settings and tags.
  5. Choose Next.

specify index details

  1. In the Configure user access control section, leave the settings at their defaults and choose Next.

configure user access control

  1. In the Specify provisioning section, select Developer edition and choose Next.

specify provisioning

  1. On the review page, choose Create.

This creates and propagates the IAM role and then creates the Amazon Kendra index, which can take up to 30 minutes.

index created

Create a Confluence data source

Complete the following steps to create your data source:

  1. On the Amazon Kendra console, choose Data sources in the navigation pane.
  2. Under Confluence connector V2.0, choose Add connector.

.

  1. For Data source name, enter a name (for example, my-Confluence-data-source).
  2. Enter an optional description.
  3. Choose Next.

specify data source details

  1. Choose either Confluence Cloud or Confluence Server depending on your data source.
  2. For Authentication, choose your authentication option.
  3. Select Identity crawler is on.
  4. For IAM role¸ choose Create a new role.
  5. For Role name, enter a name (for example, AmazonKendra-my-confluence-datasource-role).
  6. Choose Next.

define access and security

For Confluence Data Center and Cloud editions, we can add additional optional information (not shown) like the VPC. For Data Center edition only, we can add additional information for the web proxy. There is also an additional authentication option if using a personal access token that is valid only for Data Center and not Cloud edition.

  1. For Sync scope, select all the content to sync.
  2. For Sync mode, select Full sync.
  3. For Frequency, choose Run on demand.
  4. Choose Next.

configure sync settings

  1. Optionally, you can set mapping fields.

Mapping fields is a useful exercise where you can substitute field names to values that are user-friendly and fit in your organization’s vocabulary.

  1. For this post, keep all defaults and choose Next.

set field mappings

  1. Review the settings and choose Add data source.
  2. To sync the data source, choose Sync now.

sync data source

A banner message appears when the sync is complete.

Test the solution

Now that you have ingested the content from your Confluence account into your Amazon Kendra index, you can test some queries. For the purposes of our test, we have created a Confluence website with two teams: team1 with the member Analyst1 and team2 with the member Analyst2.

  1. On the Amazon Kendra console, navigate to your index and choose Search indexed content.
  2. Enter a sample search query and review your search results (your results will vary based on the contents of your account).

simple search

The Confluence connector also crawls local identity information from Confluence. You can use this feature to narrow down your query by user. Confluence offers comprehensive visibility options. Users can choose their content to be seen by other users, at a space level, or by groups. When you filter your searches by users, the query returns only those documents that the user has access to at the time of ingestion.

  1. To use this feature, expand Test query with user name or groups and choose Apply user name or groups.
  2. Enter the user name of your user and choose Apply.

Note that for Confluence Data Center edition, the user name is the email ID.

apply user name or groups

Rerun your search query.

This brings you a filtered set of results. Notice we bring back just 62 results.

filtered resultw

We now go back and restrict Bob Straham to just be able to access his workspace and run the search again.

bob's results

Notice that we get just a subset of the results because the search is restricted to just Bob’s content.

When fronting Amazon Kendra with an application such as an application built using Experience Builder, you can pass the user identity (in the form of the email ID for Cloud edition or user name for Data Center edition) to Amazon Kendra to ensure that each user only sees content specific to their user ID. Alternately, you can use AWS IAM Identity Center (successor to AWS Single Sign-On) to control user context being passed to Amazon Kendra to limit queries by user.

Congratulations! You have successfully used Amazon Kendra to surface answers and insights based on the content indexed from your Confluence account.

Clean up

To avoid incurring future costs, clean up the resources you created as part of this solution. If you created a new Amazon Kendra index while testing this solution, delete it. If you only added a new data source using the Amazon Kendra connector for Confluence V2, delete that data source.

Conclusion

With the new Confluence connector V2 for Amazon Kendra, organizations can tap into the repository of information stored in their account securely using intelligent search powered by Amazon Kendra.

To learn about these possibilities and more, refer to the Amazon Kendra Developer Guide. For more information on how you can create, modify, or delete metadata and content when ingesting your data from Confluence, refer to Enriching your documents during ingestion and Enrich your content and metadata to enhance your search experience with custom document enrichment in Amazon Kendra.


About the author

Ashish Lagwankar is a Senior Enterprise Solutions Architect at AWS. His core interests include AI/ML, serverless, and container technologies. Ashish is based in the Boston, MA, area and enjoys reading, outdoors, and spending time with his family.