How to fix an AccessDeniedException error when signing into Amazon Q Developer

If you are using IAM Identity Centre to sign into Amazon Q Developer, this post looks at how I fixed one error that came up

Ricardo Sueiras
Amazon Employee
Published May 2, 2024
Amazon CodeWhisperer is now Amazon Q Developer (30th April). I was excited to try the new features, so I first updated my VSCode plugins to the latest versions and then tried to re-authenticate with my IAM Identity Centre SSO user (I shared a previous post on how I set this up in Setting up Amazon Q in VSCode using IAM Identity Centre).
You will notice the wording has changed, and that we now have "Use For Free" which is where you can use a Builder ID to use Amazon Q Developer without the need for an AWS Account, or the "Use with Pro licence" which is for folk who are going to log in with IAM Identity Centre accounts.
The Amazon Q Developer authentication flow
When I went to try and authenticate (Pro Licence), authentication failed and I received the following error (in the Amazon Q Logs option from the OUTPUT menu):

2024-04-30 14:55:45.915 [info] current client registration id=undefined,
    expires at undefined,
    key = d3c5a6e4-4713-47d0-80cd-860a956391e7
2024-04-30 14:56:04.324 [error] API response (oidc.eu-west-1.amazonaws.com /token): {
  name: 'AccessDeniedException',
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: '34ca1130-5b53-4953-b277-81085c28d61a',
    extendedRequestId: undefined,
    cfId: undefined
  },
  error: 'access_denied',
  error_description: 'Access denied',
  message: 'UnknownError'
}
2024-04-30 14:56:04.351 [error] webviewId="aws.amazonq.AmazonCommonAuth": Error: Webview error
    -> Error: Webview backend command failed: "startCodeWhispererEnterpriseSetup()"
    -> Error: Failed to connect to IAM Identity Center [FailedToConnect]
    -> AccessDeniedException: UnknownError
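To pull the failing call out of a longer Amazon Q log, for example to hand the endpoint and request ID to whoever administers IAM Identity Centre, the entries can be parsed as shown here. This is an added example, not code from the original post or from the Amazon Q extension; the function names are hypothetical and the line format is assumed from the excerpt above.

```python
import re

# Excerpt of the Amazon Q log shown in the post (trimmed for the example).
SAMPLE = """\
2024-04-30 14:55:45.915 [info] current client registration id=undefined,
expires at undefined,
2024-04-30 14:56:04.324 [error] API response (oidc.eu-west-1.amazonaws.com /token): {
name: 'AccessDeniedException',
'$metadata': {
httpStatusCode: 400,
requestId: '34ca1130-5b53-4953-b277-81085c28d61a',
error: 'access_denied',
2024-04-30 14:56:04.351 [error] webviewId="aws.amazonq.AmazonCommonAuth": Error: Webview error
-> Error: Failed to connect to IAM Identity Center [FailedToConnect]
"""

# "2024-04-30 14:56:04.324 [error] message" opens a new log entry (assumed format).
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[(\w+)\] (.*)$")
# "API response (<host> <path>)" opens a dumped SDK error object.
API = re.compile(r"API response \((\S+) (\S+)\)")
# "key: value" lines of the dump; quotes and trailing commas are optional.
FIELD = re.compile(r"^\s*'?([$\w]+)'?\s*:\s*'?([^',{]*)'?,?\s*$")

def split_entries(text):
    """Attach continuation lines to the timestamped line that precedes them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m[1], "level": m[2], "lines": [m[3]]})
        elif entries and line.strip():
            entries[-1]["lines"].append(line)
    return entries

def failed_api_calls(text):
    """Summarise each [error] entry that dumps an API response."""
    found = []
    for e in split_entries(text):
        api = API.search(e["lines"][0])
        if e["level"] != "error" or not api:
            continue
        f = dict(m.groups() for m in map(FIELD.match, e["lines"][1:]) if m)
        found.append({"time": e["time"], "host": api[1], "path": api[2],
                      "name": f.get("name"), "error": f.get("error"),
                      "status": f.get("httpStatusCode"), "request_id": f.get("requestId")})
    return found

if __name__ == "__main__":
    print(failed_api_calls(SAMPLE))
```

The webview entry is grouped with its `->` chain but not reported, because only entries that dump an API response carry the endpoint and request ID.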
I did two things to fix my problem, so I am sharing this in case anyone else runs into this error.
The first was to update my Permissions Set within IAM Identity Centre for the authenticated users to whom I had provided access to Amazon Q Developer. The Amazon Q Developer documentation shares the various policies, and I just deleted the old one and replaced it with this one.
When I completed this, I was still getting errors. The next thing I did, from the Amazon Q Developer Dashboard within the AWS Console, was to remove the Amazon Identity Centre group that is attached to the permissions set, and then add it back again. Once I did that, I was able to get back into using Amazon Q Developer, Pro Licence within my VSCode.
Check out the short video below of this in action.
I hope this helps folk who might be running into this same error. Stay tuned for more adventures in Amazon Q Developer, and as always, I would love to hear your stories and what you are doing with Amazon Q Developer. Find more ways that Amazon Q Developer can help you by checking out the Developer Centre resources.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.