Skip to main content

Kiro Provider

Access Amazon CodeWhisperer (AWS) models through Kiro OAuth authentication with flexible browser modes and IDE token import.

Quick Start

# First run (browser opens for AWS SSO)
ccs kiro "explain this code"

# Import token from Kiro IDE
ccs kiro --import

# Use normal browser (not incognito)
ccs kiro --no-incognito

Authentication

OAuth Flow

1

First Run

Run ccs kiro "your prompt" - browser opens for AWS SSO
2

AWS SSO

Sign in with your AWS account (Builder ID or IAM)
3

Token Cached

OAuth token saved to ~/.ccs/cliproxy/auth/kiro-{oauth}-{profile_id}.json
4

Future Runs

Token reused automatically, refreshed when expired
OAuth Specifics:
  • Flow Type: Authorization Code (browser-based)
  • Callback Port: Provider-specific port
  • Token Format: kiro-{oauth}-{profile_id}.json
  • Account ID: Extracted from filename (not email-based)

Browser Mode Control

Kiro supports browser mode customization for reliability: 
# Use normal browser (saves AWS credentials)
ccs kiro --no-incognito
Recommended for Linux - Incognito often fails on Linux systems.Benefits:
  • Saves AWS SSO credentials
  • Faster re-auth on token expiry
  • More reliable on Linux

Configuration

Set default browser mode in ~/.ccs/config.yaml: 
cliproxy:
  kiro_no_incognito: true   # Default: true (normal browser)
On Linux, incognito mode often fails for AWS OAuth. Keep kiro_no_incognito: true for best reliability.

Token Import from Kiro IDE

Skip browser OAuth by importing existing token from Kiro IDE: 
# Import token from Kiro IDE installation
ccs kiro --import

# Output:
# [i] Searching for Kiro IDE token...
# [OK] Token imported from Kiro IDE
# [OK] Account registered: github-ABC123

How Import Works

1

Scan IDE Paths

Checks Kiro IDE config locations (OS-specific)
2

Read Token

Extracts OAuth token from IDE config
3

Copy to CCS

Saves to ~/.ccs/cliproxy/auth/kiro-{oauth}-{profile_id}.json
4

Register Account

Adds to account registry for multi-account management
IDE Config Locations (platform-dependent):
  • Linux: ~/.config/kiro/ or ~/.kiro/
  • macOS: ~/Library/Application Support/Kiro/
  • Windows: %APPDATA%\Kiro\
Import only works if Kiro IDE is installed and authenticated. Otherwise, use standard OAuth flow.

Multi-Account Support

Kiro uses filename-based account identification (no email): 
# Add second account
ccs kiro --auth --add

# List accounts
ccs kiro --accounts

# Output:
# Available Kiro accounts:
# * github-ABC123 (default)
#   github-XYZ789

Account Identification

Pattern: kiro-{oauth}-{profile_id}.json{oauth}-{profile_id} Example:
  • Token file: kiro-github-ABC123.json
  • Account ID: github-ABC123
  • Nickname: Auto-generated from ID or custom via --nickname

Account Commands

# Switch default account
ccs kiro --use github-XYZ789

# Rename account
ccs kiro --nickname work-aws

# Logout (clear tokens)
ccs kiro --logout

Configuration

Config Keys

Configure via ~/.ccs/config.yaml: 
cliproxy:
  # Browser mode (default: true - normal browser)
  kiro_no_incognito: true

  # CLIProxy auth
  auth:
    api_key: "ccs-internal-managed"
    management_secret: "ccs"

Environment Variables

Auto-managed by CCS. Manual override rarely needed.
# Claude CLI injection (auto-set)
ANTHROPIC_BASE_URL=http://127.0.0.1:8317/api/provider/kiro
ANTHROPIC_AUTH_TOKEN=ccs-internal-managed
ANTHROPIC_MODEL=kiro-default   # Model mapping handled by CLIProxy

Commands Reference

Basic Usage

# Execute with Kiro provider
ccs kiro "your prompt"

# One-shot mode
ccs kiro "explain this function"

Authentication Commands

# Standard OAuth (browser)
ccs kiro --auth

# Import token from Kiro IDE
ccs kiro --import

# Add new account
ccs kiro --auth --add

# Logout
ccs kiro --logout

# Headless mode
ccs kiro --headless

Browser Mode

# Use normal browser (default)
ccs kiro --no-incognito

# Force incognito (not recommended on Linux)
# (requires config change - no CLI flag for forcing incognito)

Account Management

# List accounts
ccs kiro --accounts

# Switch account
ccs kiro --use github-XYZ789

# Rename account
ccs kiro --nickname work-aws

Troubleshooting

OAuth Fails on Linux

Symptom: Browser opens but OAuth callback never completes Cause: Incognito mode unreliable on Linux Solution: Ensure normal browser mode enabled: 
# ~/.ccs/config.yaml
cliproxy:
  kiro_no_incognito: true   # Default
Or use --no-incognito flag explicitly: 
ccs kiro --no-incognito --auth

Token Import Fails

Symptom: ccs kiro --import returns “Token not found” Cause: Kiro IDE not installed or not authenticated Solution: Install Kiro IDE and sign in first, or use standard OAuth: 
ccs kiro --auth

AWS SSO Session Expired

Symptom: API errors after token expiry Solution: Re-authenticate: 
# Normal browser saves AWS credentials for faster re-auth
ccs kiro --auth

Wrong Account Being Used

Symptom: Unexpected AWS account in use Solution: Check default account: 
# List accounts (default marked with *)
ccs kiro --accounts

# Switch default
ccs kiro --use github-ABC123

Storage Locations

PathDescription
~/.ccs/cliproxy/auth/kiro-*.jsonOAuth tokens (one per account)
~/.ccs/cliproxy/accounts.jsonAccount registry, nicknames
~/.ccs/cliproxy/config.yamlCLIProxy configuration
~/.ccs/config.yamlGlobal CCS config (browser mode)

Token Structure

Kiro OAuth token file format: 
{
  "type": "codewhisperer",
  "access_token": "...",
  "refresh_token": "...",
  "expired": "2024-12-31T23:59:59Z"
}
Filename Pattern: kiro-{oauth}-{profile_id}.json Account Identification: Extracted from filename (no email field)

AWS SSO Details

Authorization Flow

  1. Browser opens AWS SSO login page
  2. User signs in with Builder ID or IAM credentials
  3. AWS redirects to CCS callback server
  4. OAuth token cached locally
  5. CLIProxyAPI uses token for CodeWhisperer API calls

Token Refresh

  • Automatic refresh via refresh_token
  • Triggered when access_token expires
  • Graceful re-auth prompt if refresh fails
  • Normal browser mode speeds up re-auth (credentials cached)

Advanced Features

Import Mechanism

Token Import Flow: 
ccs kiro --import
  1. Scan IDE paths (OS-specific)
  2. Read config files (JSON/TOML format)
  3. Extract OAuth credentials
  4. Validate token structure
  5. Copy to CCS auth directory
  6. Register in accounts.json
Supported IDE Versions: All versions with OAuth support (v1.0+)

Browser Mode Rationale

Why --no-incognito is Default:
  • Linux Compatibility: Incognito mode has known issues with AWS OAuth on Linux
  • UX: Faster re-auth when credentials cached in normal browser
  • Security Trade-off: Acceptable for single-user machines, override for shared systems
Override for Security: 
# ~/.ccs/config.yaml
cliproxy:
  kiro_no_incognito: false   # Force incognito

Cost Information

TierAccessCost
AWS Builder IDIndividual developersFree tier available
IAM Identity CenterEnterpriseAWS subscription required
Quota: Subject to AWS CodeWhisperer rate limits and quotas.

Next Steps

Multi-Account Setup

Manage multiple AWS accounts

Token Import

Import from Kiro IDE

Browser Modes

Configure incognito vs normal

CLIProxy Config

Advanced CLIProxy settings