# Getting started with IAM Identity Center Get started with IAM Identity Center *IAM Identity Center* is a service that is used by administrators to manage the identities of end users. In the context of Amazon Q Developer, administrators use IAM Identity Center to manage the identities of those whom they plan on subscribing to Amazon Q Developer Pro. Users who have identities in IAM Identity Center or in a directory or database that is connected to IAM Identity Center are called *IAM Identity Center workforce users* in this guide. You should get started with IAM Identity Center if: + **You're an administrator** who wants to set up multiple users with Amazon Q Developer at the Pro tier. By using IAM Identity Center, your users get the full suite of Amazon Q Developer features, plus you get enterprise controls over the Amazon Q Developer subscriptions you administer. For example, you can cancel users' subscriptions, subscribe users in bulk, and track Amazon Q usage on a dashboard. + **You're an individual user**, and you can't use a personal account (Builder ID) because of [its limitations](getting-started-builderid.md#builder-id-limitations). Use the following instructions to get started with IAM Identity Center. **Topics** + [ # Step 1: Choose a deployment option ](deployment-options.md) + [ # Step 2: Subscribe workforce users to Amazon Q Developer Pro ](subscribe-users.md) # Step 1: Choose a deployment option Before you can subscribe users, you'll need to decide which AWS account or accounts you'll be working in. You'll need to make three key decisions: + **Decision 1: Where to enable IAM Identity Center** – For more information about IAM Identity Center, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*. + **Decision 2: Where to create the Amazon Q Developer profile** – For more information about the profile, see [What is the Amazon Q Developer profile?](subscribe-understanding-profile.md). + **Decision 3: Where to subscribe workforce users** – For more information about subscriptions, see [Amazon Q Developer Pro subscriptions](q-admin-setup-subscribe-general.md). Your specific combination of these three decisions constitutes your *deployment option*. Deployment options are described in the following table. Pick an option before moving on to [Step 2: Subscribe workforce users to Amazon Q Developer Pro](subscribe-users.md). The table uses the following terms: + *Standalone account* — An AWS account that is *not* part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). + *Management account* — An AWS account that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). It is the ultimate owner of the organization, and is responsible for paying all charges accrued by the accounts in its organization. + *Member account* — An AWS account, other than the management account, that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). | Deployment option | Description | Advantages | Disadvantages | | --- | --- | --- | --- | | **Deployment option 1 (easiest)**: Deploy in a standalone account | Use this option if you're an end user and you want to subscribe yourself (and optionally, a small team of users) to quickly evaluate the features of Amazon Q. With this deployment option, in your **standalone** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **Good for demos**. You can try out Pro tier features for yourself without having to do an enterprise-wide implementation. **More features than personal accounts (Builder IDs)**. For more information, see [Limitations of Builder IDs](getting-started-builderid.md#builder-id-limitations). | **Fewer features** Because IAM Identity Center is enabled in a standalone account, it is considered to be an *account instance*, which has fewer features than organization instances1. | | **Deployment option 2**: Deploy in management and member accounts | Use this option if you're an administrator of multiple users. With this deployment option: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **More features**. Because IAM Identity Center is installed in a management account, it is considered to be an *organization instance*, which has more features than account instances2. **Distributed management**. Subscription management tasks are distributed across member accounts, which is a best practice. | **Complexity**. Requires coordination across accounts by multiple administrators. **Account restrictions**. You can subscribe users in a maximum of 20 accounts per AWS Region, per organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). If your user base is spread across more than 20 accounts in the same Region under one organization, choose another option. | | **Deployment option 3**: Deploy in a member account only | Use this option if you're an adminstrator of multiple users. With this deployment option, in a **member** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **Quick setup**. Individual member account administrators can deploy without waiting or needing approval for an enterprise-wide implementation. **Flexibility for complex organizations**. Use this option when you don't have a unified identity provider or identity store containing the entire user base that you want to subscribe to the Pro tier. | **Fewer features**. Because IAM Identity Center is enabled in a member account, it is considered to be an *account instance*, which has fewer features than organization instances1. | | **Deployment option 4**: Deploy in a management account only | Use this option if you're an adminstrator of multiple users. With this deployment option, in the **management** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) For detailed instructions, see [Subscribe users to Amazon Q Developer Pro in a management account](subscribe-management.md). | **More features**. Because IAM Identity Center is installed in a management account, it is considered to be an *organization instance*, which has more features than account instances2. | **Does not comply with best practices**. Because users are subscribed in the management account, and because of a limitation in Amazon Q Developer where [delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) is not supported, management account administrators must handle subscription management tasks. You cannot follow the [recommended practice](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-best-practices) of delegating tasks to member accounts. | 1 Account instances support fewer features than organization instances. For example, account instances don't support permission sets, which means that users cannot use their Pro tier subscriptions [in the AWS Management Console, and on AWS apps and websites](q-on-aws.md). For a list of the limitations of account instances, see [Account instance considerations](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html#about-account-instance) in the *AWS IAM Identity Center User Guide*. 2 Organization instances offer a broader range of features compared to account instances, encompassing all IAM Identity Center capabilities. For a list of features supported by organization instances, see [When to use an organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html#when-to-use-organization-instance) in the *AWS IAM Identity Center User Guide*. # Step 2: Subscribe workforce users to Amazon Q Developer Pro Step 2: Subscribe users After choosing a deployment option as described in [Step 1: Choose a deployment option](deployment-options.md), you are ready to subscribe workforce users. Subscribing workforce users involves three main steps: Enabling IAM Identity Center, creating the Amazon Q Developer profile, and subscribing users. Instructions on how to complete all steps are included in each of the following sections. You might need to read multiple sections if you're planning on performing steps in multiple accounts. + [Subscribe users to Amazon Q Developer Pro in a standalone account](subscribe-standalone.md) + [Subscribe users to Amazon Q Developer Pro in a management account](subscribe-management.md) + [Subscribe users to Amazon Q Developer Pro in a member account](subscribe-member.md) # Subscribe users to Amazon Q Developer Pro in a standalone account In a standalone account A *standalone* account is one that is *not* part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). If you are the owner of a standalone AWS account, use the following instructions to subscribe yourself (and a few others) to Amazon Q Developer Pro to evaluate the service’s features and functionality. After completing the steps on this page, read [What resources were created?](#subscribe-standalone-resources) at the end to understand which resources were installed and configured on your behalf when you subscribed. This will help you cleanly remove everything when you're finished testing. ## Prerequisites Before you begin, make sure that: + You have a **standalone** AWS account. + You have the minimum permissions required to subscribe users and manage Amazon Q Developer settings. For more information, see [Allow administrators to use the Amazon Q console](id-based-policy-examples-admins.md#q-admin-setup-admin-users-sub), and [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + (Optional) You have an account instance of IAM Identity Center set up in your standalone account. This IAM Identity Center contains the identities of the users you want to subscribe to Amazon Q Developer Pro, and must be deployed in a supported AWS Region, as described in [IAM Identity Center Regions supported by Amazon Q Developer](q-admin-setup-subscribe-regions.md#pro-subscription-regions). If you don't have an IAM Identity Center instance installed, that's ok. One will be installed when you subscribe the first user (yourself). The IAM Identity Center instance will be installed in the AWS Region where you subscribed the first user. For more information about IAM Identity Center, see [Organization and account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html) in the *AWS IAM Identity Center User Guide*. **Note** The instructions on this page assume you have not already installed an IAM Identity Center instance in your standalone account. ## Step 1: Create the Amazon Q Developer Pro profile and subscribe yourself 1. Sign in to the AWS Management Console using your standalone AWS account. Sign in as the root user, or as an IAM user with the permissions described in [Prerequisites](#subscribe-standalone-prereqs). 1. Switch to the **Amazon Q Developer** console. 1. Make sure you're in the AWS Region where you want to create the [Amazon Q Developer profile](subscribe-understanding-profile.md) and where you want to store user data. For supported Regions, see [Supported Regions for the Q Developer console and Q Developer profile](q-admin-setup-subscribe-regions.md#qdev-console-and-profile-regions). 1. Choose the **Get started** button. **Note** If you see a **Settings** button instead of **Get started** button, it means that you've already run through the 'Get started' workflow and can skip to [Step 2: Subscribe team members](#subscribe-standalone-sub-team). A **Create your user** dialog box appears. 1. Enter your information. The email address can be the same or different from the one you used to sign up for your AWS account. Choose **Continue**. The **Create Amazon Q Developer profile** dialog box appears. 1. Review the contents of the dialog box and provide a name for your profile in **Profile name**. For help with cross-region inferencing, see [Cross-region processing in Amazon Q Developer](cross-region-processing.md). For help with disabling dashboard metrics, see [Disabling the Amazon Q Developer dashboard](dashboard-disabling.md). Choose **Create application**. The Amazon Q Developer profile and managed application are created, and your subscription is created. 1. (Optional) Verify that your subscription was created: 1. In the Amazon Q Developer console, in the navigation pane, choose **Subscriptions**. 1. In the main pane, choose the **Users** tab. Your subscription should appear in the list in the **Pending** state. If not, refresh your browser tab. **Note** Your subscription will change to the **Active** state after your first use of Amazon Q Developer features. Now that you are subscribed, you must activate your subscription. You can do this now, or after you've subscribed team members, as described in the next section. To activate your subscription, check your inbox for emails titled **Invitation to join AWS IAM Identity Center** and **Activate Your Amazon Q Developer Pro Subscription**. Follow the instructions in these emails to activate your Amazon Q Developer Pro subscription and set up Amazon Q Developer Pro in your IDE. You should receive these emails within 24 hours. ## Step 2: Subscribe team members You might want to subscribe other team members so that they can try out Amazon Q Developer Pro with you. To subscribe them, use the following instructions. **To add team members** 1. Switch to the IAM Identity Center console (not the IAM console). **Note** IAM Identity Center was set up on your behalf when you subscribed yourself. For more information about the IAM Identity Center that was set up, see [What resources were created?](#subscribe-standalone-resources). 1. Add users and groups. For instructions, see [Add users to your IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html) in the *AWS IAM Identity Center User Guide*. ![\[The IAM Identity Center page showing two users.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/subscribe/Sub-8.png) 1. Go to the next procedure to subscribe team members. **To subscribe team members** 1. Return to the Amazon Q Developer console. 1. In the navigation pane, choose **Subscriptions**, and then choose **Subscribe**. The **Assign users and groups** dialog box appears. 1. Start typing the name of a team member or group that you added. The name should auto-populate. **Note** The dialog box only matches on user names or group names. It does not match on email addresses. 1. Choose **Assign**. 1. Have users check their email. They should receive an email titled **Activate Your Amazon Q Developer Pro Subscription** within 24 hours. In this email, users will find guidance on how to begin using their Amazon Q Developer Pro license in the AWS Management Console and their Integrated Development Environment (IDE). The email includes users' unique Start URL and AWS Region for authentication, and provides quickstart steps for using Amazon Q Developer in their IDE. This email streamlines the onboarding process and saves you valuable time by eliminating the need for you to manually notify each new user. ## What resources were created? When you subscribed yourself (and optionally, team members), Amazon Q created the following AWS resources on your behalf: + **An account instance of IAM Identity Center**. For more information about account instances of IAM Identity Center, see [Account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html) in the *AWS IAM Identity Center User Guide*. **Note** Account instances of IAM Identity Center have [limitations](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html#about-account-instance). For example, account instances don't support console access. (Users can still use Amazon Q in the console, it's just that they'll be subject to the Free tier monthly limits.) If you want to use Amazon Q Developer Pro in the console and other AWS websites, you must be a user in an *organization instance* of IAM Identity Center, in a management account. For more information, see [Subscribe users to Amazon Q Developer Pro in a management account](subscribe-management.md). **Note** You can't convert or merge an account instance of IAM Identity Center into an organization instance. + **The first user**, in IAM Identity Center. You might have manually added team members too. + **Pro tier subscriptions** for the first user and team members, in Amazon Q Developer. + **An Amazon Q Developer profile**, in the Amazon Q Developer console, under **Settings**. + **A managed application** called **QDevProfile-*region***, in the IAM Identity Center that is set up in your standalone account. The application is associated with the Amazon Q Developer profile. Like the Amazon Q Developer profile, the application is created once and shared between all Amazon Q subscribers in your standalone account. # Subscribe users to Amazon Q Developer Pro in a management account In a management account A *management account* is an AWS account that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). It is the ultimate owner of the organization, and is responsible for paying all charges accrued by the accounts in its organization. If you are the owner of a management account, use the following instructions to subscribe users to Amazon Q Developer Pro in your account. **Note** If possible, subscribe users in member accounts instead of your management account. For more information, see [Step 1: Choose a deployment option](deployment-options.md). For more information about organizations and management accounts, see [Terminology and concepts for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*. ## Prerequisites Before you begin, make sure that: + You have a **management** AWS account. + You have the minimum permissions required to subscribe users and manage Amazon Q Developer settings. For more information, see [Allow administrators to use the Amazon Q console](id-based-policy-examples-admins.md#q-admin-setup-admin-users-sub), and [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + You have an organization instance of IAM Identity Center set up in your management account. This IAM Identity Center contains the identities of the users you want to subscribe to Amazon Q Developer Pro, and must be deployed in a supported AWS Region, as described in [IAM Identity Center Regions supported by Amazon Q Developer](q-admin-setup-subscribe-regions.md#pro-subscription-regions). For more information about IAM Identity Center, see [Organization instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html) in the *AWS IAM Identity Center User Guide*. ## Step 1: Create the Amazon Q Developer profile 1. Sign in to the AWS Management Console using your AWS management account. 1. Switch to the **Amazon Q Developer** console. 1. Make sure you're in the AWS Region where you want to create the [Amazon Q Developer profile](subscribe-understanding-profile.md) and where you want to store user data. For supported Regions, see [Supported Regions for the Q Developer console and Q Developer profile](q-admin-setup-subscribe-regions.md#qdev-console-and-profile-regions). 1. Choose **Get started**. The **Create Amazon Q Developer profile** dialog box appears. 1. Review the contents of the dialog box and provide a name for your profile in **Profile name**. For help with: + Cross-region inferencing, see [Cross-region processing in Amazon Q Developer](cross-region-processing.md). + The **Share Amazon Q Developer settings with member account** check box, see [Enabling profile sharing in Amazon Q Developer](q-admin-profile-sharing.md) and [Step 1: Choose a deployment option](deployment-options.md). + Disabling dashboard metrics, see [Disabling the Amazon Q Developer dashboard](dashboard-disabling.md). Choose **Create application**. The Amazon Q Developer profile and managed application are created. ## Step 2: Subscribe users 1. In the Amazon Q Developer console, from the navigation pane, choose **Subscriptions**. 1. Choose **Subscribe**. The **Assign users and groups** dialog box appears. 1. Start typing the group or user you want to subscribe. The group or user will auto-populate with the ones available in the IAM Identity Center set up in your management account. **Note** The dialog box only matches on user names or group names. It does not match on email addresses. 1. Choose **Assign**. 1. Have users check their email. They should receive an email titled **Activate Your Amazon Q Developer Pro Subscription** within 24 hours with instructions on how to begin using their Amazon Q Developer Pro license. ## Step 3: Enable identity-enhanced console sessions If you want to allow users to use their Amazon Q Developer Pro subscription [in the AWS Management Console, and on AWS apps and websites](q-on-aws.md), enable identity-enhanced console sessions. For more information, see [Enabling identity-enhanced console sessions](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-aware-sessions.html) in the *AWS IAM Identity Center User Guide*. **Note** If you don't enable identity-enhanced console sessions, users can still use Amazon Q in the AWS Management Console, and on AWS apps and websites, but they'll be limited to the Free tier. ## What resources were created? When you created the Amazon Q Developer profile and subscribed users in your management account, Amazon Q created the following resources on your behalf: + **Pro tier subscriptions** for users, in Amazon Q Developer. + **An Amazon Q Developer profile**, in the Amazon Q Developer console, under **Settings**. + **A managed application** called **QDevProfile-*region***, in the IAM Identity Center that is set up in your management account. The application is associated with the Amazon Q Developer profile. Like the Amazon Q Developer profile, the application is created once and shared between all Amazon Q subscribers in your management account. **Note** Amazon Q can create the **QDevProfile-*region*** managed application in a maximum of 20 AWS accounts per AWS Region within an organization. # Subscribe users to Amazon Q Developer Pro in a member account In a member account A *member account* is an AWS account, other than the management account, that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). If you are the owner of a member account, use the following instructions to subscribe users to Amazon Q Developer Pro in your account. Not sure whether to subscribe users in a member or management account? See [Step 1: Choose a deployment option](deployment-options.md) for help. For more information about organizations, member accounts, and management accounts, see [Terminology and concepts for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*. ## Prerequisites Before you begin, make sure that: + You have a **member** AWS account. + You have the minimum permissions required to subscribe users and manage Amazon Q Developer settings. For more information, see [Allow administrators to use the Amazon Q console](id-based-policy-examples-admins.md#q-admin-setup-admin-users-sub), and [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + (Optional) You have an organization instance of IAM Identity Center set up in the *management account* or an account instance of IAM Identity Center set up in your *member account*. This IAM Identity Center intance contains the identities of the users you want to subscribe to Amazon Q Developer Pro, and must be deployed in a supported AWS Region, as described in [IAM Identity Center Regions supported by Amazon Q Developer](q-admin-setup-subscribe-regions.md#pro-subscription-regions). If you don't have an IAM Identity Center instance installed, that's ok. One will be installed in your member account when you subscribe the first user. The IAM Identity Center instance will be installed in the AWS Regionn where you subscribed the first user. For more information about IAM Identity Center, see [Organization and account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html) in the *AWS IAM Identity Center User Guide*. ## Step 1: Create the Amazon Q Developer Pro profile and subscribe the first user 1. Sign in to the AWS Management Console using your member AWS account. 1. Switch to the **Amazon Q Developer** console. 1. Make sure you're in the AWS Region where you want to create the [Amazon Q Developer profile](subscribe-understanding-profile.md) and where you want to store user data. For supported Regions, see [Supported Regions for the Q Developer console and Q Developer profile](q-admin-setup-subscribe-regions.md#qdev-console-and-profile-regions). 1. Choose the **Get started** button. **Note** If you see a **Settings** button instead of **Get started** button, it means that you've already run through the 'Get started' workflow and can skip to [Step 2: Subscribe other users](#subscribe-member-new-other). 1. Follow the on-screen prompts to subscribe your first user. + If the first user's email address matches one in an existing IAM Identity Center in either your member account or a management account, then Amazon Q connects to that IAM Identity Center. + If the first user's email address doesn't match one in an existing IAM Identity Center, then Amazon Q creates an IAM Identity Center account instance in your member account, and adds the first user to it. Note that: + Amazon Q only creates an IAM Identity Center account instance if there is no IAM Identity Center already in your member account. + If there is an IAM Identity Center account instance in your member account, but the user is not in it, then Amazon Q creates the user in the existing IAM Identity Center. The **Create Amazon Q Developer profile** dialog box appears. 1. Review the contents of the dialog box and provide a name for your profile in **Profile name**. For help with cross-region inferencing, see [Cross-region processing in Amazon Q Developer](cross-region-processing.md). For help with disabling dashboard metrics, see [Disabling the Amazon Q Developer dashboard](dashboard-disabling.md). Choose **Create application**. The Amazon Q Developer profile and managed application are created, and the first user is subscribed. 1. (Optional) Verify that the first user's subscription was created: 1. In the Amazon Q Developer console, in the navigation pane, choose **Subscriptions**. 1. In the main pane, choose the **Users** tab. The subscription of the first user should appear in the list in the **Pending** state. If not, refresh your browser tab. **Note** The subscription will change to the **Active** state after the user's first use of Amazon Q Developer features. 1. Have the first user check their email. They should receive an email titled **Activate Your Amazon Q Developer Pro Subscription** within 24 hours. In this email, users will find guidance on how to begin using their Amazon Q Developer Pro license in the AWS Management Console and their Integrated Development Environment (IDE). The email includes users' unique Start URL and AWS Region for authentication, and provides quickstart steps for using Amazon Q Developer in their IDE. This email streamlines the onboarding process and saves you valuable time by eliminating the need for you to manually notify each new user. ## Step 2: Subscribe other users To subscribe other users, add them to your IAM Identity Center instance if they're not already there, and then subscribe them to Amazon Q Developer Pro by choosing **Subscribe** in the Amazon Q Developer console. For instructions on adding users to IAM Identity Center, see [Add users to your IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html) in the *AWS IAM Identity Center User Guide*. ## Step 3: Enable identity-enhanced console sessions If you want to allow users to use their Amazon Q Developer Pro subscription [in the AWS Management Console, and on AWS apps and websites](q-on-aws.md), enable identity-enhanced console sessions. For more information, see [Enabling identity-enhanced console sessions](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-aware-sessions.html) in the *AWS IAM Identity Center User Guide*. If you don't enable identity-enhanced console sessions, users can still use Amazon Q in the AWS Management Console, and on AWS apps and websites, but they'll be limited to the Free tier. **Note** The ability to enable identity-enhanced console sessions—and therefore the ability to use Amazon Q Developer Pro subscriptions in the AWS Management Console, and on AWS apps and websites—is only supported with organization instances of IAM Identity Center, not account instances. ## What resources were created? When you subscribed users in your member account, Amazon Q created the following AWS resources on your behalf: + **An account instance of IAM Identity Center**. This instance is only created if the first user you subscribed wasn't found in an existing IAM Identity Center in the member account or management account. For more information about account instances of IAM Identity Center, see [Account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html) in the *AWS IAM Identity Center User Guide*. **Note** Account instances of IAM Identity Center have [limitations](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html#about-account-instance). For example, account instances don't support console access. (Users can still use Amazon Q in the console, it's just that they'll be subject to the Free tier monthly limits.) If you want your users to be able to use Amazon Q Developer Pro in the console and other AWS websites, they must exist in an *organization instance* of IAM Identity Center, in a management account. For more information, see [Subscribe users to Amazon Q Developer Pro in a management account](subscribe-management.md). **Note** You can't convert or merge an account instance of IAM Identity Center into an organization instance. + **The first user**, in IAM Identity Center. (You might have added team members too.) + **Pro tier subscriptions** for the first user and other users, in Amazon Q Developer. + **An Amazon Q Developer profile**, in the Amazon Q Developer console, under **Settings**. + **A managed application** called **QDevProfile-*region***, in IAM Identity Center. The application is associated with the Amazon Q Developer profile. Like the Amazon Q Developer profile, the application is created once and shared between all Amazon Q Developer Pro subscribers in your member account. **Note** Amazon Q can create the **QDevProfile-*region*** managed application in a maximum of 20 AWS accounts per AWS Region within an organization.