Setting up CodeWhisperer Professional with IAM Identity Center - CodeWhisperer

Setting up CodeWhisperer Professional with IAM Identity Center

Delegate IAM Identity Center administration to a non-management account

As a matter of best practices, you should not administer IAM Identity Center from your management account.

Therefore, you should use Delegated administration to designate a non-management account for administering IAM Identity Center.

If you only have one account in your AWS organization, then that is the management account. You should create additional accounts to use for administering IAM Identity Center and CodeWhisperer. You can learn about best practices for creating and maintaining multiple AWS accounts in the AWS Account Management Reference Guide.

After you choose the account that will become your delegated administer account, follow the steps under Register a member account in the IAM Identity Center User Guide.

You do not have to administer CodeWhisperer from the same account that you use to administer IAM Identity Center.

Administration of CodeWhisperer occurs on an account-by-account basis within your Organization.

Warning

For compatibility with CodeWhisperer, you cannot set up IAM Identity Center in an opt-in Region.

Note

In general, the default duration for a session that is authenticated through IAM Identity Center is 8 hours. However, in the case of CodeWhisperer Professional and Amazon Q Developer, the default session lasts 90 days (if you set up IAM Identity Center on April 18, 2024 or later). For more information refer to How to extend the session duration for Amazon Q in the IDE in the IAM Identity Center User Guide.

Assigning CodeWhisperer administration rights

Warning

In this procedure, you are acting as the Organizations administrator, logged into the delegator administrator account. Depending on how you were logged in for the previous procedures, you may need to switch users, accounts, and/or roles before continuing.

The administrator of your CodeWhisperer profile is a special user with the right to change the settings in the CodeWhisperer profile, and to manage the access of, or add, users and groups to CodeWhisperer.

To promote a user to CodeWhisperer administrator, the account administrator uses the following procedures.

Note

This procedure assumes that you already have a user whom you want to promote to CodeWhisperer administrator. If you don't, then create one through the procedures described in Assign users and groups to IAM Identity Center.

  1. Open a browser tab with the access portal URL given to you by the root user, and log in as the account administrator.

  2. Under Multi-account permissions, choose Permission sets.

  3. Choose Create permission set.

  4. Under Permission set type, select Custom permission set.

  5. Choose Next.

  6. Expand the Inline policy window.

  7. Erase the brackets in the box.

  8. Paste the following text into the box:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:GetUserPoolInfo", "sso-directory:DescribeDirectory", "sso:ListApplicationInstances", "sso-directory:ListMembersInGroup", "sso:CreateManagedApplicationInstance" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "pricing:GetProducts" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sso:ListProfileAssociations", "sso:ListProfiles", "sso:GetSharedSsoConfiguration", "sso:ListDirectoryAssociations", "sso:DescribeRegisteredRegions", "sso:GetSsoConfiguration", "sso:GetApplicationInstance", "sso:GetManagedApplicationInstance", "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:GetSSOStatus" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "identitystore:ListUsers", "identitystore:ListGroups" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:RetireGrant", "kms:DescribeKey" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codeguru-security:UpdateAccountConfiguration" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codewhisperer:UpdateProfile", "codewhisperer:ListProfiles", "codewhisperer:TagResource", "codewhisperer:UnTagResource", "codewhisperer:ListTagsForResource", "codewhisperer:CreateProfile" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": [ "*" ] } ] }
    Note

    If you are using CodeWhisperer Customizations, then your CodeWhisperer administrator will require additional permissions. See Prerequisites for CodeWhisperer customizations.

  9. Choose Next.

  10. Under Permission set name, enter CodeWhisperer_administrator.

  11. Choose Next.

  12. On the Review and create page, choose Create.

Warning

In this procedure, you are acting as the Organizations administrator, logged into the delegated administrator account. Depending on how you were logged in for the previous procedures, you may need to switch users, accounts, and/or roles before continuing.

  1. Open a browser tab with the access portal URL given to you by the root user, and log in as the account administrator.

  2. From the main console page, choose IAM Identity Center.

  3. In the navigation pane, under Multi-account permissions, choose AWS accounts.

  4. On the AWS accounts page, a tree view list of your organization appears. Select the name of your account.

  5. Choose Assign users or groups.

  6. On the Assign users and groups page, select the Users tab.

  7. Select the checkbox next to name of the user that will become the CodeWhisperer administrator.

  8. Choose Next.

  9. On the Assign permission sets page, select the checkbox next to CodeWhisperer_administrator.

  10. Choose Next.

  11. On the Review and submit assignments page, choose Submit.

Now the CodeWhisperer administrator has the proper access.

The next step is for the CodeWhisperer administrator to authorize a professional developer to use CodeWhisperer Professional through an IDE.