
Connect your IAM Identity Center


Prerequisites

  1. You must have an instance of IAM Identity Center (IdC) set up in your AWS account, with the identities of the users you want to subscribe to Kiro.
  2. Your IAM Identity Center instance must be in a supported AWS Region.
  3. You must have administrator permissions in both AWS and the IdP (if you have connected IdC to an external provider).

How to connect IAM Identity Center

Enable AWS IAM Identity Center in your AWS account. Add users to its directory, or connect it to an external identity provider (IdP). If this is your first time setting up an IAM Identity Center instance, see Getting started with IAM Identity Center.

Group sync delay

If you add users to a group that already has a Kiro subscription, allow up to 24 hours for the new group membership to propagate. There may be a delay between the time a user is added to the group and the time their subscription becomes active in the Kiro subscription console.

KMS encryption

If your IAM Identity Center instance uses a customer managed KMS key for encryption, you must add the following statements to your key policy to allow Kiro to access Identity Center data.

Allow Kiro to decrypt data via IAM Identity Center:

```json
{
  "Sid": "Allow Kiro to use key via IDC",
  "Effect": "Allow",
  "Principal": {
    "Service": "q.amazonaws.com"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/<your-idc-instance-id>",
      "kms:ViaService": "sso.<your-region>.amazonaws.com"
    }
  }
}
```

Allow Kiro to decrypt data via Identity Store:

```json
{
  "Sid": "Allow Kiro to use key via IdentityStore",
  "Effect": "Allow",
  "Principal": {
    "Service": "q.amazonaws.com"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::<your-account-id>:identitystore/<your-identity-store-id>",
      "kms:ViaService": "identitystore.<your-region>.amazonaws.com"
    }
  }
}
```

Replace the placeholder values with your AWS account ID, IAM Identity Center instance ID, Identity Store ID, and Region. These policies can be relaxed by using StringLike with wildcards (*) instead of StringEquals. For more details, see Advanced KMS key policy statements in the IAM Identity Center User Guide.
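The following is an added example, not part of the Kiro documentation: a small offline check that reviews a key policy for the two statements above and reports leftover placeholders, StringLike relaxations, actions beyond kms:Decrypt, and missing scoping conditions. The function names and the sample policy (IDs, account number, Region) are constructed for illustration.

```python
# Context key each kms:ViaService prefix pairs with (from this page's statements).
CONTEXT_KEY = {
    "sso": "kms:EncryptionContext:aws:sso:instance-arn",
    "identitystore": "kms:EncryptionContext:aws:identitystore:identitystore-arn",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_kiro_statements(policy):
    """Return findings for statements that let q.amazonaws.com use the key."""
    findings, covered = [], set()
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or "q.amazonaws.com" not in services:
            continue
        sid = st.get("Sid", "<no Sid>")
        if as_list(st.get("Action", [])) != ["kms:Decrypt"]:
            findings.append(f"{sid}: action is not limited to kms:Decrypt")
        cond = st.get("Condition", {})
        exact, relaxed = cond.get("StringEquals", {}), cond.get("StringLike", {})
        merged = {**relaxed, **exact}
        # The first label of kms:ViaService tells us which statement this is.
        kind = str(merged.get("kms:ViaService", "")).split(".")[0]
        if kind not in CONTEXT_KEY:
            findings.append(f"{sid}: kms:ViaService missing or unexpected")
            continue
        covered.add(kind)
        if CONTEXT_KEY[kind] not in merged:
            findings.append(f"{sid}: missing {CONTEXT_KEY[kind]}")
        findings += [f"{sid}: {k} uses StringLike (relaxed match)" for k in merged if k not in exact]
        findings += [f"{sid}: {k} still contains a placeholder" for k, v in merged.items() if "<" in str(v)]
    for kind in sorted(set(CONTEXT_KEY) - covered):
        findings.append(f"no q.amazonaws.com statement scoped to {kind}")
    return findings

# Constructed sample policy: first statement exact, second relaxed with wildcards.
SAMPLE = {"Statement": [
 {"Sid": "KiroViaIDC", "Effect": "Allow", "Principal": {"Service": "q.amazonaws.com"},
  "Action": "kms:Decrypt", "Resource": "*", "Condition": {"StringEquals": {
   "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-EXAMPLE0000000000",
   "kms:ViaService": "sso.us-east-1.amazonaws.com"}}},
 {"Sid": "KiroViaIdentityStore", "Effect": "Allow", "Principal": {"Service": "q.amazonaws.com"},
  "Action": "kms:Decrypt", "Resource": "*", "Condition": {"StringLike": {
   "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::111122223333:identitystore/*",
   "kms:ViaService": "identitystore.*.amazonaws.com"}}}]}

if __name__ == "__main__":
    print("\n".join(audit_kiro_statements(SAMPLE)) or "no findings")
```

A StringLike finding is informational, since the page allows that relaxation; the other findings indicate a statement that is broader than, or different from, what the page specifies.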

Page updated: May 30, 2026