Setting up Amazon Q in VSCode using IAM Identity Center

If you are looking to unlock some of the more powerful features of Amazon Q within VSCode, you need to switch to the Amazon CodeWhisperer Professional Tier. In this post, we show you how you can set this up.

Ricardo Sueiras
Amazon Employee
Published Dec 1, 2023
Last Modified May 15, 2024

This week at re:Invent, AWS announced a suite of amazing generative AI–powered assistants, including one that complements Amazon CodeWhisperer and provides a conversational assistant to help you develop, test, document, and carry out many more developer-related activities. All good. I am a big fan and user of these kinds of developer productivity tools, so I was eager to try this out on my VSCode setup. My colleague Denis put together a quick start video on how you can "get started with Amazon Q in VSCode in three easy steps", using the Builder ID, which allows you to try this without the need for having or setting up an AWS Account. A really great and risk-free way of checking out how Amazon Q can help you.
Now whilst using your Builder ID is a great way to get started, you will not have access to some of the more advanced capabilities of Amazon Q, specifically Amazon Q feature development (which is invoked using /dev) and the Code Transformation feature (accessed from within Amazon Q via /transform). For that you will need to switch to the Amazon CodeWhisperer Professional Tier, and that is what this post is about. It will walk you through how to set this up.
Note! Throughout this post I will talk about enabling and removing access to Amazon Q. This is only in the context of the Amazon CodeWhisperer Professional Tier. Developers can still enjoy free access to the basic features of Amazon Q by using their Builder ID.
Before proceeding, I make the following assumptions about what you have and what you will need.
  • An AWS Account with Administrator privileges
  • An AWS Account that is integrated with IAM Identity Center - in my specific setup, I am using Keycloak as my Identity Provider (IdP)
  • A version of the AWS Toolkit for VSCode that supports the new Amazon Q features (I am using version v2.0.0)
  • VSCode (I am running version 1.84.2 on my Mac M1)
Important!! You should be aware that by following the steps in this blog post, you will incur charges to your AWS bill. If you are just testing this out, make sure you remove those users via the Amazon CodeWhisperer console at the end to reduce the cost.
Assuming this is all good, let's get started.


Before diving into how to set this up, it is worth understanding at a high level what we are going to do. The documentation provides a good overview in these steps, covering how to manage access of Amazon Q within your AWS accounts. One of my first observations when putting this post together is that you configure Amazon Q from the Amazon CodeWhisperer console, and so don't panic if you see that mentioned a lot - you are in the right place!
Amazon CodeWhisperer has the concept of an administrator, who is able to determine who can and cannot access Amazon CodeWhisperer. This can be set up in single or more complex AWS account setups, including where you are using AWS Organisations. I am going to be using a single AWS account that has been set up to use single sign-on with IAM Identity Center, and define a single user that I want to give access to Amazon Q.
The approach is:
  • Create a new Permissions set in IAM Identity Center for my Amazon Q / Amazon CodeWhisperer "admins"
  • Create two new groups - one for Amazon Q users, and another for Amazon Q admins (the folk who can add/remove access to Amazon Q)
  • Add a user into the Amazon Q users group (from the list of users managed by IAM Identity Center), and add a user into the Amazon Q Admins group
  • Configure an AWS account (in this case, my single account) to use these Groups, assigning Permission sets to both (for Amazon Q Users I will add ReadOnly access; for Amazon Q Admins, I will add the new Permissions set created for Amazon Q / CodeWhisperer)
  • From the Amazon CodeWhisperer console, now assign who I want to give access to (in this case, the Amazon Q Users group)
  • Try and login to Amazon Q from VSCode

Step 1 - Create a new Permissions Set and Group within IAM Identity Center

The first stage is to set up our Admins and Users groups to simplify how we administer access to Amazon Q. To help us we have the very helpful documentation guide, and the page we are specifically interested in is Setting up CodeWhisperer Professional with IAM Identity Center.
We need to create a new Permissions set that we can delegate to Amazon Q administrators, who will then have access to add/remove users from the Amazon CodeWhisperer console. We follow the instructions on that page to create the new Permissions set, which in this guide is called "CodeWhisperer_administrator".
Once you have done that, I create two groups, Amazon-Q-Admins, and Amazon-Q-Users. Click on Groups on the left hand side and then Create Groups, creating the group and assigning any users at the same time.
Creating a group for Amazon Q Users
Now that I have my Groups set up, I can assign these groups together with Permissions sets to my AWS Account. For the Amazon-Q-Users, I will assign the ReadOnlyAccess permissions set (you can use whatever permissions set you typically set up), and for the Amazon-Q-Admins, I assign the CodeWhisperer_administrator permissions set.
Assigning Permissions sets to your Amazon Q groups
That is it for this step.

Step 2 - Enable Amazon Q within the Console

From our AWS Account, I now need to enable (or remove) access to Amazon Q for our developers (in this case, those in the Amazon-Q-Users group). I head over to the Amazon CodeWhisperer console, and click on the Settings menu option on the left.
To add users it is as simple as clicking on the Add Groups button, and then selecting the group setup in the previous step (Amazon-Q-Users).
Enabling users to have access to Amazon Q
That is it, I now have our user (I only defined a single one in this example) enabled for the use of Amazon Q.

Step 3 - Authenticate and use Amazon Q

I am now ready to try this out, and log in from my VSCode.
From the AWS Toolkit icon in VSCode, you will see a number of twisties/sections. One of these will be called "AMAZON Q (PREVIEW)" so click on that to reveal the "SIGN IN TO GET STARTED" link. This will reveal the "Sign in to Get Started" page, and the first panel will be "Amazon Q + CodeWhisperer" like the following screen.
VSCode AWS Toolkit login screen
From here, I use the "Sign in with Identity Center (SSO)" link, and then in the dialog that pops up, enter the SSO URL and the AWS region where you have your AWS SSO configured. In my case, I have configured AWS Identity Center SSO in eu-west-1, so this is what I configure, and then add my SSO link.
I then do the "login dance", following a number of steps outlined in the following screenshot. Between steps 2 and 3 you will probably be asked to log in to your identity provider (I was, but if you are already logged in then you might not have to do this).
Amazon Q login flow with IAM Identity Center
If everything from Steps 1 and 2 was set up correctly, then you should now be logged in, and you can now click on the Amazon Q chat icon in VSCode, hit "/" and see /dev and /transform options available to you. You can see this in the video in the next section.

Watch the video

For those that prefer to watch these sort of things, this is a short video of me setting this up so you can see this for yourselves.


In this short post I showed you how you can set up users to use the advanced features of Amazon Q, by setting them up on the Amazon CodeWhisperer Professional Tier. If you followed along just to try this out, remember to remove any users to avoid additional charges on your AWS bill.


As with all blog posts, what you see is the nice, shiny, working stuff. But behind all of that are typically head-scratching errors and problems that come along. So here I want to share some of the things I found that took me a while to figure out.
Configuring Amazon Q access
If you see the following error in the AWS Toolkit logs, then the most likely reason is that you have either not configured the right users/groups within the Amazon CodeWhisperer console settings, or you have not set up the permissions within IAM Identity Center appropriately.
2023-11-30 12:37:39 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'AccessDeniedException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: 'f60ba750-xxxx-4axx-xx30-xxxxb0ecf504',
extendedRequestId: undefined,
cfId: undefined
error: 'access_denied',
error_description: 'Access denied',
message: 'UnknownError'
2023-11-30 12:37:39 [ERROR]: webviewId="authWebview": Error: Webview error
`` -> Error: Webview backend command failed: "startCWIdentityCenterSetup()"
`` -> Error: Failed to connect to IAM Identity Center [FailedToConnect]
`` -> AccessDeniedException: UnknownError
The main error I came across when putting this post together was that every time I went to authenticate, I would get an error within VSCode that looked like this:
VSCode Login Error
Not particularly helpful, but looking at CloudWatch Trail and setting the AWS Toolkit for VSCode logging to DEBUG provided me with some clues as to where the problems lay.
The error within VSCode showed
2023-11-30 09:24:10 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'InvalidGrantException',
'$fault': 'client',
'$metadata': {
httpStatusCode: 400,
requestId: 'xxxxxxxxx',
extendedRequestId: undefined,
cfId: undefined
error: 'invalid_grant',
error_description: 'Invalid grant provided',
message: 'UnknownError'
It turned out that something had got messed up in my local ~/.aws/sso directory, and the fix was pretty simple. I just deleted this directory, and then I was able to resolve the issues. Why did I do this? When exploring the logs output by the toolkit, I occasionally saw the following lines
2023-11-30 10:19:54 [DEBUG]: SSO token cache: read failed (file not found) key: https://xxxxx-uk.awsapps.com/start
and other related messages. Sometimes you have to play a hunch, and given that these are just cached files that I could regenerate, it seemed like a simple thing to try.
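The two failures above can be told apart mechanically from the Toolkit log. The following is an added example, not part of the original post or of the AWS Toolkit: a small Python triage script that scans log text in the format quoted above and maps the OIDC error code to the likely cause given in this post. The function and variable names are hypothetical, and the sample log is constructed from the excerpts above.

```python
import re

# Constructed sample, modelled on the AWS Toolkit log excerpts quoted in this post.
SAMPLE_LOG = """\
2023-11-30 09:24:10 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'InvalidGrantException',
error: 'invalid_grant',
error_description: 'Invalid grant provided',
2023-11-30 10:19:54 [DEBUG]: SSO token cache: read failed (file not found) key: https://example.awsapps.com/start
2023-11-30 12:37:39 [ERROR]: API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'AccessDeniedException',
error: 'access_denied',
error_description: 'Access denied',
2023-11-30 12:37:39 [ERROR]: webviewId="authWebview": Error: Webview error
"""

# Likely causes as given in this post, keyed by the OIDC error code.
CAUSES = {
    "access_denied": "users/groups not added in the Amazon CodeWhisperer console "
                     "settings, or IAM Identity Center permissions not set up",
    "invalid_grant": "stale local SSO cache in ~/.aws/sso",
}

RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (.*)$")
OIDC_HOST = re.compile(r"API response \((oidc\.[\w-]+\.amazonaws\.com) /token\)")
ERROR_FIELD = re.compile(r"^\s*error: '([a-z_]+)'")

def triage(log_text):
    """Return (findings, cache_misses): one finding per failed OIDC /token
    response in log order, plus the count of SSO token cache read failures."""
    findings, current, cache_misses = [], None, 0
    for line in log_text.splitlines():
        start = RECORD_START.match(line)
        if start:  # a timestamped line opens a new log record
            ts, level, msg = start.groups()
            host = OIDC_HOST.search(msg)
            current = {"time": ts, "host": host.group(1)} if level == "ERROR" and host else None
            cache_misses += int("SSO token cache: read failed" in msg)
            continue
        field = ERROR_FIELD.match(line)
        if current and field:  # continuation line carrying the OIDC error code
            code = field.group(1)
            findings.append({**current, "error": code,
                             "likely_cause": CAUSES.get(code, "not covered in this post")})
            current = None
    return findings, cache_misses

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[0]:
        print(finding)
```
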

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
