VSCode CodeWhisperer: Failed to connect to IAM Identity Center

0

I have valid AWS IAM Identity Center credentials. I use AWS SSO on the command line as well as the VSCode extension. VSCode shows I'm successfully connected to the profile. However, when I try to connect CodeWhisperer with VSCode, it fails with:

2023-06-20 18:08:52 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to IAM Identity Center [FailedToConnect]
	 -> InvalidGrantException: UnknownError
2023-06-20 18:09:02 [INFO]: telemetry: sent batch (size=13)
2023-06-20 18:14:02 [INFO]: telemetry: sent batch (size=2)

Happy to share the log file if it is safe to do so

VSCode AWS successful authentication

VSCode AWS successful connection

2 Answers
0

Without seeing the logs, the exact information is unclear, but it often occurs when the start URL and the region where the SSO is located are incorrectly configured.
https://github.com/aws/aws-toolkit-vscode/issues/3064

EXPERT
answered a year ago
  • Thanks for the quick response. I don't think that's the case. I have SSO located in eu-west-2 and I confirmed I'm trying to log in to VS Code via the same region. It still gives me this issue. Here's the log: https://gist.github.com/c-gc/aab72012ccaf6a01858d228dff55817d

    Let me know if this contains information that should be redacted/removed. IMO it's safe to share but can't be sure.

0

As you are aware, this error occurs when the ‘CreateToken’ API call [1] for IAM Identity Center uses an invalid grant type during a request. From a CodeWhisperer perspective, there are a couple of actions you can take here to ensure the IDE connects to the service as required.

Firstly, please ensure that CodeWhisperer is set up from the management console as per the documentation [2]. Once CodeWhisperer is set up in the management console, you can add the user under ‘Settings’. The user will need to be created in IAM Identity Center as a prerequisite before they are added to CodeWhisperer. You can find a blog discussing similar steps here [3]. If CodeWhisperer and the user are configured already, I would recommend logging out of IAM Identity Center from the IDE and creating a new connection.

For example, in Visual Studio Code with the AWS Toolkit installed, you can choose the 3 dots next to ‘Select a connection’ under ‘Developer Tools’ and pick the ‘Sign out’ option. Following this, you can select the 3 dots again and choose ‘Add New Connection’. Choosing ‘Connect using AWS IAM Identity Center’, you can enter the start URL from the CodeWhisperer settings ‘Details’ section or directly from Identity Center itself, which will be similar to ‘https://d-12345678.awsapps.com/start’. As a note, I have experienced an InvalidGrantException when choosing a region that the Identity Center is not configured in. I would suggest choosing the Identity Center region to start, which can be changed later.

[1] InvalidGrantException - https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html#API_CreateToken_Errors

[2] Add CodeWhisperer to Identity Center - https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#codewhisperer-setup-enterprise-admin-authorize

[3] CodeWhisperer Setup Blog - https://aws.amazon.com/blogs/machine-learning/enterprise-administrative-controls-simple-sign-up-and-expanded-programming-language-support-for-amazon-codewhisperer/

AWS
answered a year ago
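
Both answers point at a start URL / region mismatch, and the asker already has a working AWS CLI SSO setup to compare against. The following is an added example, not code from either answer or from the AWS Toolkit: it reads the `sso_start_url` / `sso_region` pairs from AWS CLI config text and compares them with the region entered in the IDE. The function names and the sample config are constructed for illustration.

```python
import configparser

# Constructed sample of ~/.aws/config; the start URL is the placeholder from the answer.
SAMPLE_CONFIG = """
[profile dev]
sso_session = corp
sso_account_id = 111122223333
sso_role_name = Developer
region = us-east-1

[sso-session corp]
sso_start_url = https://d-12345678.awsapps.com/start
sso_region = eu-west-2

[profile legacy]
sso_start_url = https://d-12345678.awsapps.com/start/
sso_region = us-east-1
"""

def _norm(url):
    return url.strip().rstrip("/").lower()

def sso_regions(config_text):
    """Map each start URL to every sso_region configured for it.

    Only sso_region counts: a profile's plain `region` key is the default
    API region and says nothing about where Identity Center lives.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    found = {}
    for name in cfg.sections():  # covers [sso-session X] and legacy [profile X]
        url = cfg[name].get("sso_start_url")
        region = cfg[name].get("sso_region")
        if url and region:
            found.setdefault(_norm(url), set()).add(region.strip())
    return found

def check_ide_region(config_text, start_url, ide_region):
    """Compare the region typed into the IDE with the CLI config."""
    regions = sso_regions(config_text).get(_norm(start_url), set())
    if not regions:
        return "unknown"    # start URL not present in the CLI config
    if regions == {ide_region}:
        return "match"
    if ide_region in regions:
        return "conflict"   # the config itself lists several regions
    return "mismatch"       # the case the answer associates with InvalidGrantException
```

A "conflict" result means a leftover legacy profile disagrees with the `sso-session` block, so the CLI config cannot be used as the reference until that is cleaned up.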
