Setting up Amazon Q in VSCode using IAM Identity Center
If you are looking to unlock some of the more powerful features of Amazon Q within VSCode, you need to switch to the Amazon CodeWhisperer Professional Tier. In this post, we show you how you can set this up.
Note! Throughout this post I will talk about enabling and removing access to Amazon Q. This is only in the context of the Amazon CodeWhisperer Professional Tier. Developers can still enjoy free access to the basic features of Amazon Q by using their Builder ID.
You will need the following:
- An AWS Account with Administrator privileges
- An AWS Account that is integrated with IAM Identity Center - in my specific setup, I am using Keycloak as my Identity Provider (IdP)
- A version of the AWS Toolkit for VSCode that supports the new Amazon Q features (I am using version v2.0.0)
- VSCode (I am running version 1.84.2 on my Mac M1)
Important!! You should be aware that by following the steps in this blog post, you will incur charges to your AWS bill. If you are just testing this out, make sure you remove those users via the Amazon CodeWhisperer console at the end to reduce the cost.
The setup involves the following steps:
- Create a new permission set in IAM Identity Center for my Amazon Q / Amazon CodeWhisperer "admins"
- Create two new groups - one for Amazon Q users, and another for Amazon Q admins (the folk who can add/remove access to Amazon Q)
- Add a user into the Amazon Q Users group (from the list of users managed by IAM Identity Center), and add a user into the Amazon Q Admins group
- Configure an AWS account (in this case, my single account) to use these groups, assigning permission sets to both (for Amazon Q Users I will add ReadOnly access; for Amazon Q Admins, I will add the new permission set created for Amazon Q / CodeWhisperer)
- From the Amazon CodeWhisperer console, assign who I want to give access to (in this case, the Amazon Q Users group)
- Try to log in to Amazon Q from VSCode
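The first four steps above, scripted with boto3 against the IAM Identity Center APIs. This is an added example, not code from the post: the group and permission set names, the inline policy actions for the admin permission set, and the placeholder IDs are all assumptions; step 5 (picking the users group in the CodeWhisperer console) is not covered because it is done in the console.

```python
import json

# Constructed names for this walkthrough; they are assumptions, not values from the post.
USERS_GROUP = "AmazonQ-Users"
ADMINS_GROUP = "AmazonQ-Admins"
READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
# Inline policy for the admin permission set. The action list is an assumption: check the
# current AWS docs for the CodeWhisperer administrator policy before using it.
ADMIN_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["codewhisperer:*", "sso-directory:SearchUsers", "sso-directory:SearchGroups"]}],
}

def create_group(identitystore, store_id, name):
    """Create an Identity Center group and return its GroupId (step 2)."""
    return identitystore.create_group(IdentityStoreId=store_id, DisplayName=name)["GroupId"]

def add_member(identitystore, store_id, group_id, user_id):
    """Put an existing Identity Center user into a group (step 3)."""
    identitystore.create_group_membership(IdentityStoreId=store_id, GroupId=group_id, MemberId={"UserId": user_id})

def create_permission_set(sso_admin, instance_arn, name, managed_policy_arn=None, inline_policy=None):
    """Create a permission set, then attach a managed policy and/or an inline policy (step 1)."""
    arn = sso_admin.create_permission_set(Name=name, InstanceArn=instance_arn)["PermissionSet"]["PermissionSetArn"]
    if managed_policy_arn:
        sso_admin.attach_managed_policy_to_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn, ManagedPolicyArn=managed_policy_arn)
    if inline_policy:
        sso_admin.put_inline_policy_to_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn, InlinePolicy=json.dumps(inline_policy))
    return arn

def assign_group(sso_admin, instance_arn, account_id, group_id, permission_set_arn):
    """Grant a group the permission set on one AWS account (step 4)."""
    sso_admin.create_account_assignment(InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
                                        PermissionSetArn=permission_set_arn, PrincipalType="GROUP", PrincipalId=group_id)

def provision(sso_admin, identitystore, instance_arn, store_id, account_id, user_ids, admin_ids):
    """Run steps 1-4: two permission sets, two groups, their members, and the account assignments.
    Users get ReadOnlyAccess; admins get the inline CodeWhisperer admin policy."""
    users_gid = create_group(identitystore, store_id, USERS_GROUP)
    admins_gid = create_group(identitystore, store_id, ADMINS_GROUP)
    for uid in user_ids:
        add_member(identitystore, store_id, users_gid, uid)
    for uid in admin_ids:
        add_member(identitystore, store_id, admins_gid, uid)
    readonly_ps = create_permission_set(sso_admin, instance_arn, "AmazonQUsersReadOnly", managed_policy_arn=READONLY_POLICY_ARN)
    admin_ps = create_permission_set(sso_admin, instance_arn, "AmazonQAdmins", inline_policy=ADMIN_INLINE_POLICY)
    assign_group(sso_admin, instance_arn, account_id, users_gid, readonly_ps)
    assign_group(sso_admin, instance_arn, account_id, admins_gid, admin_ps)
    return {"users_group": users_gid, "admins_group": admins_gid, "readonly_ps": readonly_ps, "admin_ps": admin_ps}
```

To run it for real, call `provision(boto3.client("sso-admin"), boto3.client("identitystore"), ...)` with your Identity Center instance ARN, identity store ID, account ID and the user IDs from the identity store, using credentials that have Identity Center administrator rights.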
2023-11-30 12:37:39 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'AccessDeniedException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: 'f60ba750-xxxx-4axx-xx30-xxxxb0ecf504',
extendedRequestId: undefined,
cfId: undefined
},
error: 'access_denied',
error_description: 'Access denied',
message: 'UnknownError'
}
2023-11-30 12:37:39 [ERROR]: webviewId="authWebview": Error: Webview error
  -> Error: Webview backend command failed: "startCWIdentityCenterSetup()"
  -> Error: Failed to connect to IAM Identity Center [FailedToConnect]
  -> AccessDeniedException: UnknownError
2023-11-30 09:24:10 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'InvalidGrantException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: 'xxxxxxxxx',
extendedRequestId: undefined,
cfId: undefined
},
error: 'invalid_grant',
error_description: 'Invalid grant provided',
message: 'UnknownError'
}
2023-11-30 10:19:54 [DEBUG]: SSO token cache: read failed (file not found) key: https://xxxxx-uk.awsapps.com/start
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.