Amazon Q Developer Kiro subscription failing with CScoreAccessDenied - "Your account is not authorized to make this call"

Question

I am unable to subscribe users to kiro in my AWS Organization management account. When attempting to add users through the console. I have kiro startup credits.

I consistently encounter the following error:

> **CScoreAccessDenied:** Your account is not authorized to make this call

---

### **Account Setup & Environment**
* **Account Type:** AWS Organization Management Account
* **Account ID:** `737273614850`
* **Region:** `us-east-1`
* **Access Level:** Root account access/Administrator

### **Current Configuration (Verified)**
I have confirmed the following settings are active and healthy:

* **AWS Organizations:** Active with All Features enabled.
    * `aws organizations describe-organization` returns `FeatureSet: "ALL"`, `Status: Active`.
* **IAM Identity Center:** Organization instance (not account-specific).
    * `aws sso-admin describe-instance` returns `Instance type: Organization instance`, `Status: ACTIVE`.
* **Identity-Enhanced Console Sessions:** Enabled in Identity Center settings.
* **Service Access:** Required services are enabled for the organization.
    * `sso.amazonaws.com` and `user-subscriptions.amazonaws.com` are both present in `list-aws-service-access-for-organization`.
* **Profile:** The Amazon Q profile has been created and recreated in `us-east-1`.

---

### **Troubleshooting Steps Attempted**

#### **1. Service Principal Enablement**
I attempted to manually enable service access, but the following commands fail with `UNRECOGNIZED_SERVICE_PRINCIPAL`:
* `aws organizations enable-aws-service-access --service-principal codewhisperer.amazonaws.com`
* `aws organizations enable-aws-service-access --service-principal amazonq.amazonaws.com`
* `aws organizations enable-aws-service-access --service-principal q.amazonaws.com`

#### **2. Console Behavior**
* **Amazon Q Developer console:** Profile creation succeeds, but "Subscribe" fails.
* **Main Amazon Q console:** `console.aws.amazon.com/q/` returns "Page not found."
* **CodeWhisperer console:** Accessible, but yields the same subscription error.

#### **3. CLI Environment**
* **AWS CLI Version:** `2.34.30` (latest).
* **Note:** `aws q help` is currently not recognized as a command in this version.

#### **4. Profile Management**
* Deleted and recreated the profile multiple times.
* Attempted setup in different regions with identical results.

**Summary of Error:** The failure occurs specifically during the final step of clicking **"Subscribe"** for a user. While the infrastructure (Organizations/SSO) appears correct, the "Not Authorized" error persists despite using root-level permissions.

Has anyone encountered this specific authorization roadblock during the Q Developer Pro rollout? Any insights would be greatly appreciated!

Florian Turnwald · Accepted Answer

The issue is likely not your permissions, but a conflict with the Root user and the Service Principal name. As far as I understand, you need to Update your CLI, enable the `member.org.q.amazonaws.com` principal, and perform the action via an IAM Admin user instead of Root.

**1. Avoid the Root Account**

Even with AdministratorAccess, using the Root user often fails for Identity Center-linked subscriptions due to security constraints.
- Solution: Log in as a dedicated IAM User or Role with AdministratorAccess and try the subscription again.

**2. Correct Service Principal**

The principals you tried are deprecated for Organization-wide subscriptions. Use the following command in your Management Account:

```
aws organizations enable-aws-service-access --service-principal member.org.q.amazonaws.com
```
**3. CLI & Region Alignment**
- **CLI Version:** Your version is missing the aws q command. Update to the latest AWS CLI to ensure the user-subscriptions APIs are correctly mapped.
- **Region Lock:** Ensure your Amazon Q Profile is in the exact same region as your IAM Identity Center instance (usually us-east-1). If they are mismatched, the subscription call will be rejected with an authorization error.

Riku_Kobayashi · Answer

Hello.

Based on the error message, it seems that the issue is not with IAM, but rather that your AWS account may be restricted from using Amazon Q Developer.  
I'm not an Amazon Q Developer, but I've seen similar errors in the past, and in those cases, AWS had restricted its use.  
In this case, since it cannot be resolved by the user, I believe you will need to contact AWS support and open a case under "Account and billing".  
Inquiries regarding "Account and billing" are free of charge.  
https://console.aws.amazon.com/support

Amazon Q Developer Kiro subscription failing with CScoreAccessDenied - "Your account is not authorized to make this call"

Account Setup & Environment

Current Configuration (Verified)

Troubleshooting Steps Attempted

1. Service Principal Enablement

2. Console Behavior

3. CLI Environment

4. Profile Management

답변 추가

관련 콘텐츠