How to Set Up Kiro with IAM Identity Center (And Why Your Credits Depend On It)
If you are an AWS Hero or Community Builder, you have AWS credits. Kiro can run on those credits. But only if you authenticate the right way, and the right way is not the obvious one.
Here is what nobody explains upfront: logging into Kiro with AWS Builder ID, GitHub, or Google does not apply your credits. The credits only work when you are subscribed and authenticated through AWS IAM Identity Center. If you have been using Kiro on a personal login and wondering why your credit balance is not moving, this is why. The same is true for the Kiro startup credits program — IAM Identity Center is a hard requirement there too.
Setting this up feels like enterprise overhead for what might just be you and a side project. It is a bit. But it is a one-time configuration and the process is straightforward once you understand the order of operations.
The region constraint you need to know first
Before touching anything, check which region you plan to use for Kiro. The Kiro console only operates in two AWS regions: us-east-1 (N. Virginia) and eu-central-1 (Frankfurt). Your IAM Identity Center can be in any region — that part is flexible. The constraint is on the Kiro side only.
Pick whichever supported Kiro region makes sense for your workload and keep that consistent when setting up the Kiro profile in the next steps.
Step one: enable IAM Identity Center
Open the AWS Management Console and search for IAM Identity Center. Enable it. If you are working within an AWS Organization (which many in the community do for account hygiene), enable it at the management account level. A standalone account works fine too.
Once enabled, navigate to Settings and find your Identity Center URL. It looks like https://[your-id].awsapps.com/start. Write this down or keep the tab open — users need it to sign into Kiro, and it is not immediately obvious where to find it later.
Step two: create your user and group
Go to Users within IAM Identity Center and add yourself. Enter your email, first name, and last name. An invitation email will arrive. Click the link, set a password, and configure MFA before continuing. The rest of the process depends on having an active, MFA-enrolled user.
Creating a group is optional if you are working alone, but worth doing anyway. It gives you cleaner subscription management later, and if you bring in colleagues or move between tiers, you adjust the group assignment rather than individual users. Name it something you will recognize in six months: kiro-users or your company name works fine. Add yourself to it.
Step three: set up Kiro in the AWS console
Search for Kiro in the AWS Management Console. Make sure you are in the right region. You will see a “Sign up for Kiro” button — click it, review the dialog, and select Enable. This creates your Kiro profile and connects it to the IAM Identity Center instance in the same region.
Next, go to Users & Groups in the Kiro console. Select the Groups tab and click Add group. Find the group you created. You will be prompted to select a subscription tier: Pro, Pro+, or Power. Pick the one your credits cover. If you are unsure which tier your Hero or Community Builder credits apply to, check the credit terms before committing — the tier selection matters for billing.
Click Assign. The subscription is live.
Step four: sign into Kiro IDE
Open Kiro on your machine. On the login screen, select “Sign in with your organization” — not the social login options, not Builder ID. Paste your Identity Center URL into the field.
Kiro opens a browser window to your Identity Center login page. Sign in with the credentials you set up, complete MFA, and you are redirected back into the IDE as an authenticated user on your team subscription.
If the browser redirects correctly but Kiro does not pick up the session, the most common cause is a malformed URL. Make sure you are pasting the full URL with the https:// prefix intact. A truncated URL is easy to miss and produces a confusing error.
What you actually get beyond credits
The credits are the practical reason to go through this setup, but there is a secondary benefit worth knowing about. When you authenticate via IAM Identity Center, your code and prompts are not used to train the underlying model. This is parity with Amazon Q Developer Pro. For anyone using Kiro on client work or anything proprietary, that protection matters independently of the credits question.
You also get subscription management through the AWS console rather than a separate billing portal, which keeps your tooling costs in one place alongside everything else you run on AWS.
The configuration takes maybe thirty minutes the first time. After that it runs invisibly — credits apply, the IDE authenticates, and you do not think about it again. If you hit trouble, the Kiro docs at kiro.dev/docs/enterprise cover the common error states, and most issues trace back to using the wrong Kiro console region (must be us-east-1 or eu-central-1) or a malformed Identity Center URL.
