Kiro subscription assignment fails on Organizations management account and routes to standalone CreateAssignment path

[imtaxu]

Before opening, please confirm:

• I have searched for duplicate or closed issues

Operating System

MacOS Tahoe 26.3.1

Kiro Version

0.11.107

Bug Description

I cannot assign a paid Kiro subscription to a user or group from AWS IAM Identity Center.

The subscription flow fails from the Kiro console with:
“Failed to create Kiro subscription for 1 user”

What seems unusual is that this AWS account is not a plain standalone account. It is currently the management account of an AWS Organization. However, the failing backend call appears to use a standalone Amazon Q Developer subscription path.

This does not look like a basic IAM Identity Center setup issue, because user/group discovery works correctly in the Kiro console and the required service-linked roles already exist.

Steps to Reproduce

1. Open the Kiro console in AWS.
2. Go to Users & Groups.
3. Click Add user or Add group.
4. Select a paid Kiro plan.
5. Select an IAM Identity Center user or group.
6. Click Assign.
7. Observe that the subscription creation fails with:
   “Failed to create Kiro subscription for 1 user”

Additional verification:

• The same failure happens for both USER and GROUP assignment.
• The same failure happens with different paid Kiro plans.
• IAM Identity Center is configured in us-east-1.
• The user and group are discoverable from the Kiro console.
• The service-linked roles AWSServiceRoleForAmazonQDeveloper and AWSServiceRoleForUserSubscriptions already exist.
• aws organizations describe-organization confirms this account is the management account of an AWS Organization.

Expected Behavior

Kiro should successfully assign the selected paid subscription to the chosen IAM Identity Center user or group.

If the account is not eligible for some reason, the console should return a clear and specific error explaining the exact requirement that is not being met.

Conversation ID

N/A

This issue did not originate from a Kiro IDE conversation. It occurs in the AWS/Kiro subscription assignment flow from the console.

Additional Context

CloudTrail shows the failed backend call as:

• eventSource: q.amazonaws.com
• eventName: CreateAssignment
• errorCode: AccessDenied
• errorMessage: Account does not meet requirements for this operation

Example request parameters include:

• principalType: USER or GROUP
• subscriptionType: Q_DEVELOPER_STANDALONE_POWER

I do not see a corresponding CreateClaim event.

This is why the issue looks suspicious: the AWS account is in an Organizations management-account context, but the failing backend request appears to use a standalone subscription type.

I also noticed that the IAM Identity Center Kiro application link redirects to the AWS Q Developer page.

This may be related to:

• Cannot create Kiro subscription for SSO user; existing Active subscriptions appear orphaned after Identity Center reset (billing concern) #5888
• Failed to create Kiro subscription for 1 user via AWS IAM Identity Center #6443

Please check whether paid Kiro subscription assignment for this account is being routed through the wrong backend path, or whether the account state is inconsistent on the backend.

I can provide redacted screenshots and CloudTrail details if needed.

[github-actions]

🤖 Potential Duplicate Detected

This issue appears to be similar to:

• #5810: Streamline re-authentication flow when login tokens expire for Enterprise IAM Identity Center customers. (85% similar)

What happens next?

• ⏰ This issue will be automatically closed in 3 days
• 🏷️ If this is not a duplicate, you can prevent automatic closure by adding a comment or reacting with 👎 to this message.
• 💬 Comment on the original issue if you have additional information

Why is this marked as duplicate?
Both issues involve IAM Identity Center authentication/subscription problems for Enterprise customers, with the new issue specifically mentioning subscription assignment failures and 5810 discussing authentication flow issues for Enterprise IAM Identity Center customers

[imtaxu]

This does not appear to be a duplicate of #5810.

#5810 is about re-authentication/login token expiry flow for Enterprise IAM Identity Center customers.

My issue is different:

• paid Kiro subscription assignment fails from Kiro > Users & Groups
• CloudTrail shows q.amazonaws.com -> CreateAssignment
• errorCode: AccessDenied
• errorMessage: "Account does not meet requirements for this operation"
• no corresponding CreateClaim event is created
• the AWS account is an Organizations management account, but the failing request appears to use a standalone subscription path

So this is not a token re-authentication issue. It appears to be a subscription assignment / backend routing / account-state issue.

I referenced #5888 and #6443 because they are much closer symptomatically than #5810.

Please keep this issue open for triage.

[github-actions]

Thank you for your feedback! 🙏

The duplicate label has been removed and this issue has been sent back for maintainer review.

A maintainer will review this issue shortly.

[PedroRibeiroAbaco]

I have the same issue. I opened #7068 with detailed CloudTrail evidence
across two independent AWS accounts confirming the bug.

Key findings:

• eventSource: q.amazonaws.com
• eventName: CreateAssignment
• errorCode: AccessDenied
• errorMessage: "Account does not meet requirements for this operation"
• subscriptionType: Q_DEVELOPER_STANDALONE_PRO

Confirmed on:

• Account 1: existing Management Account with Organizations
• Account 2: brand new AWS account with Organizations (no history)

Both accounts have Organization Instance of IAM Identity Center in
us-east-1, both service-linked roles exist, valid payment method.

This is clearly a service-level bug where Kiro routes Organizations
Management Accounts through the wrong standalone subscription path.

AWS Support also confirmed this is a backend issue requiring a fix
in the subscription creation logic.

[imtaxu]

I can confirm #7068 a very similar issue on my side.

In my case, the AWS account is an AWS Organizations management account, not a plain standalone account.

CloudTrail shows the same failing backend pattern:

• eventSource: q.amazonaws.com
• eventName: CreateAssignment
• errorCode: AccessDenied
• errorMessage: "Account does not meet requirements for this operation"

The request also appears to go through a standalone Q Developer subscription path, which looks suspicious for an Organizations management account.

I also do not see a corresponding CreateClaim event.

Another related detail: the IAM Identity Center Kiro application link redirects to the AWS Q Developer page.

This does not look like a simple IAM Identity Center misconfiguration on the customer side.