Setting up CodeWhisperer Professional with AWS Organizations administration - CodeWhisperer

CodeWhisperer's features are becoming a part of Amazon Q Developer.

The root user comes built-in with your AWS account

The root user is the user that comes with your account. The root user has access to all services and account configurations.

Because the root user is so powerful, it is a best practice to use it as seldom as possible. However, one useful function of the root user is to create a powerful administrative user.

In this case, we will use the root user to create the Organizations administrator.

The root user creates the Organizations administrator

Permission sets are stored in IAM Identity Center and define the level of access that users and groups have to an AWS account. Perform the following steps to create a permission set that grants administrative permissions.

  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

  2. Open the IAM Identity Center console.

  3. If this is the first time you're using IAM Identity Center, choose Enable. Then choose Create AWS organization. If you have previously enabled IAM Identity Center, then you can skip this step.

  4. In the IAM Identity Center navigation pane, under Multi-account permissions, choose Permission sets.

  5. Choose Create permission set.

  6. On the Select permission set type page, keep the default settings and choose Next. The default settings grant full access to AWS services and resources using the AdministratorAccess predefined permission set.


    The predefined AdministratorAccess permission set uses the AdministratorAccess AWS managed policy.

  7. On the Specify permission set details page, keep the default settings and choose Next. The default setting limits your session to one hour.

  8. On the Review and create page, do the following:

    1. Review the permission set type and confirm that it is AdministratorAccess.

    2. Review the AWS managed policy and confirm that it is AdministratorAccess.

    3. Choose Create.

The root user assigns the Organizations administrator special permissions related to CodeWhisperer

In this section, you will add an inline policy to the permission set that you just created. This policy will allow the IAM Identity Center administrator to create and remove instances of the CodeWhisperer application.

  1. In the IAM Identity Center navigation pane, under Multi-account permissions, choose Permission sets.

  2. Choose the AdministratorAccess permission set that you created in the previous section.

  3. Under Inline policy, choose Edit.

  4. Delete the code in the code window, and paste this in:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "sso:CreateManagedApplicationInstance",
                    "sso:DeleteManagedApplicationInstance",
                    "codewhisperer:CreateProfile",
                    "codewhisperer:DeleteProfile"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

  5. At the bottom of the page, choose Save changes.
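
Because step 4 replaces whatever was in the inline policy editor, it is worth checking later that the saved policy still grants exactly the four actions above. The following check is an added example, not part of the original AWS procedure; the function names and the `DRIFTED` sample are constructed for illustration.

```python
import json

# Actions granted by the page's inline policy (copied from the page).
EXPECTED = {a.lower() for a in (
    "sso:CreateManagedApplicationInstance",
    "sso:DeleteManagedApplicationInstance",
    "codewhisperer:CreateProfile",
    "codewhisperer:DeleteProfile",
)}

def as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_inline_policy(policy_json):
    """Return findings; an empty list means the policy grants exactly EXPECTED."""
    findings, granted = [], set()
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        label = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{label}: Allow with NotAction")
        for action in as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                # Wildcards are reported and never counted as an expected grant.
                findings.append(f"{label}: wildcard action {action}")
            elif action.lower() not in EXPECTED:  # action names are case-insensitive
                findings.append(f"{label}: unexpected action {action}")
            else:
                granted.add(action.lower())
    findings += [f"missing action {a}" for a in sorted(EXPECTED - granted)]
    return findings

# Constructed sample: the page's policy after someone widened it by hand.
DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow", "Resource": "*",
     "Action": ["sso:*", "codewhisperer:CreateProfile", "iam:PassRole"]},
]})

if __name__ == "__main__":
    for finding in audit_inline_policy(DRIFTED):
        print(finding)
```

The input is the policy document as a JSON string, for example the `InlinePolicy` value returned by `aws sso-admin get-inline-policy-for-permission-set`.
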

The root user assigns the Organizations administrator permission set to a user

In the last section, you created the AdministratorAccess permission set. Now you must assign that permission set to a user.

  1. In the IAM Identity Center console, on the AWS accounts page, a tree view list of your organization appears. Select the check box next to the AWS account to which you want to assign administrative access. If you have multiple accounts in your organization, select the check box next to the management account.

  2. Choose Assign users or groups.

  3. If necessary, select the Users tab.

  4. Choose Create users. A new browser tab will open with the Users page.

  5. Choose Add user.

  6. On the Specify user details page, fill out the fields with information about the user who will be your account administrator. An example username might be account_admin.

    Then choose Next.

  7. On the Add user to groups page, add this user to a group if you like, and then choose Next.

  8. On the Review and add user page, review the information that you have entered, and select Add user.

  9. If you chose to use a one-time password, then a pop-up window will display your one-time password.

    Copy this password to a secure location on your local computer.

    Choose Close.

  10. Return to the previous browser tab, which shows Assign users and groups to "AWS-account-name" at the top of the page.

  11. Choose the refresh button or refresh the browser tab. The user you recently created should appear in the list.

  12. Select the checkbox next to the name of the user who will become the account administrator.

  13. Choose Next.

  14. On the Assign permission sets to "AWS-account-name" page, under Permission sets, select the AdministratorAccess permission set.

  15. Choose Next.

  16. On the Review and submit assignments to "AWS-account-name" page, choose Submit.


    The user assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

  17. While you're still in the IAM Identity Center, from the navigation bar on the left, choose Dashboard.

  18. From the Settings summary on the right side of the page, copy the AWS access portal URL.

    This URL will be used by the account administrator and the CodeWhisperer administrator when they log in to IAM Identity Center.

    It will also be used by the CodeWhisperer Professional developer when they authenticate through VS Code or JetBrains. In that context, it is called the Start URL, as discussed in Getting started with CodeWhisperer in VS Code and JetBrains.