
Amazon Q Developer Kiro subscription failing with CScoreAccessDenied - "Your account is not authorized to make this call"

0

I am unable to subscribe users to Kiro in my AWS Organization management account when attempting to add users through the console. I have Kiro startup credits.

I consistently encounter the following error:

CScoreAccessDenied: Your account is not authorized to make this call


Account Setup & Environment

  • Account Type: AWS Organization Management Account
  • Account ID: 737273614850
  • Region: us-east-1
  • Access Level: Root account access/Administrator

Current Configuration (Verified)

I have confirmed the following settings are active and healthy:

  • AWS Organizations: Active with All Features enabled.
    • aws organizations describe-organization returns FeatureSet: "ALL", Status: Active.
  • IAM Identity Center: Organization instance (not account-specific).
    • aws sso-admin describe-instance returns Instance type: Organization instance, Status: ACTIVE.
  • Identity-Enhanced Console Sessions: Enabled in Identity Center settings.
  • Service Access: Required services are enabled for the organization.
    • sso.amazonaws.com and user-subscriptions.amazonaws.com are both present in list-aws-service-access-for-organization.
  • Profile: The Amazon Q profile has been created and recreated in us-east-1.

Troubleshooting Steps Attempted

1. Service Principal Enablement

I attempted to manually enable service access, but the following commands fail with UNRECOGNIZED_SERVICE_PRINCIPAL:

  • aws organizations enable-aws-service-access --service-principal codewhisperer.amazonaws.com
  • aws organizations enable-aws-service-access --service-principal amazonq.amazonaws.com
  • aws organizations enable-aws-service-access --service-principal q.amazonaws.com

2. Console Behavior

  • Amazon Q Developer console: Profile creation succeeds, but "Subscribe" fails.
  • Main Amazon Q console: console.aws.amazon.com/q/ returns "Page not found."
  • CodeWhisperer console: Accessible, but yields the same subscription error.

3. CLI Environment

  • AWS CLI Version: 2.34.30 (latest).
  • Note: aws q help is currently not recognized as a command in this version.

4. Profile Management

  • Deleted and recreated the profile multiple times.
  • Attempted setup in different regions with identical results.

Summary of Error: The failure occurs specifically during the final step of clicking "Subscribe" for a user. While the infrastructure (Organizations/SSO) appears correct, the "Not Authorized" error persists despite using root-level permissions.

Has anyone encountered this specific authorization roadblock during the Q Developer Pro rollout? Any insights would be greatly appreciated!

  • Using an IAM account instead of root worked!

    Thank you

asked 25 days ago, 147 views
2 Answers
3
Accepted Answer

The issue is likely not your permissions, but a conflict with the Root user and the Service Principal name. As far as I understand, you need to update your CLI, enable the member.org.q.amazonaws.com principal, and perform the action via an IAM Admin user instead of Root.

1. Avoid the Root Account

Even with AdministratorAccess, using the Root user often fails for Identity Center-linked subscriptions due to security constraints.

  • Solution: Log in as a dedicated IAM User or Role with AdministratorAccess and try the subscription again.

2. Correct Service Principal

The principals you tried are deprecated for Organization-wide subscriptions. Use the following command in your Management Account:

aws organizations enable-aws-service-access --service-principal member.org.q.amazonaws.com

3. CLI & Region Alignment

  • CLI Version: Your version is missing the aws q command. Update to the latest AWS CLI to ensure the user-subscriptions APIs are correctly mapped.
  • Region Lock: Ensure your Amazon Q Profile is in the exact same region as your IAM Identity Center instance (usually us-east-1). If they are mismatched, the subscription call will be rejected with an authorization error.
EXPERT
answered 25 days ago
EXPERT
reviewed 25 days ago
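
The checks listed in the question, combined with the root-user check from the accepted answer, as a preflight script. This is an added example, not code from the thread: the function names and the `--live` switch are assumptions, and it checks only the two service principals the question confirmed as enabled.

```shell
# Added example: preflight checks before subscribing users from the console.
# Helpers take AWS CLI output as plain text so they can be exercised offline.

# True when the caller ARN is the account root user (arn:aws:iam::<id>:root).
is_root_arn() {
  case "$1" in
    arn:aws*:iam::[0-9]*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# True when principal $1 appears in the whitespace-separated list $2.
has_principal() {
  for _p in $2; do
    [ "$_p" = "$1" ] && return 0
  done
  return 1
}

# Evaluate one snapshot: caller ARN, organization FeatureSet, enabled principals.
# Prints one finding per line and returns the number of failed checks.
preflight() {
  _arn="$1"; _feature_set="$2"; _principals="$3"; _fails=0
  if is_root_arn "$_arn"; then
    echo "FAIL caller is the root user; use an IAM user or role"; _fails=$((_fails+1))
  fi
  if [ "$_feature_set" != "ALL" ]; then
    echo "FAIL organization FeatureSet is '$_feature_set', expected ALL"; _fails=$((_fails+1))
  fi
  for _sp in sso.amazonaws.com user-subscriptions.amazonaws.com; do
    if ! has_principal "$_sp" "$_principals"; then
      echo "FAIL trusted access not enabled for $_sp"; _fails=$((_fails+1))
    fi
  done
  [ "$_fails" -eq 0 ] && echo "OK all checks passed"
  return "$_fails"
}

# Live mode: collect the three values with the AWS CLI, then evaluate them.
if [ "${1:-}" = "--live" ]; then
  preflight \
    "$(aws sts get-caller-identity --query Arn --output text)" \
    "$(aws organizations describe-organization --query Organization.FeatureSet --output text)" \
    "$(aws organizations list-aws-service-access-for-organization \
        --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)"
fi
```

Run it with `--live` from the management account; a non-zero exit status is the number of failed checks.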
0

Hello.

Based on the error message, it seems that the issue is not with IAM, but rather that your AWS account may be restricted from using Amazon Q Developer.
I'm not an Amazon Q Developer, but I've seen similar errors in the past, and in those cases, AWS had restricted its use.
In this case, since it cannot be resolved by the user, I believe you will need to contact AWS support and open a case under "Account and billing".
Inquiries regarding "Account and billing" are free of charge.
https://console.aws.amazon.com/support

EXPERT
answered 25 days ago
EXPERT
reviewed 25 days ago
