Skip to main content

Kiro Provider

Access Kiro through CCS with AWS Builder ID, IAM Identity Center (IDC), and token-import flows. CCS also adds browser-mode control and multi-account management on top of the upstream auth paths.

Quick Start

# Default Builder ID flow
ccs kiro --auth

# AWS Builder ID auth-code flow with manual callback paste
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback

# IAM Identity Center (IDC) flow
ccs kiro --auth --kiro-auth-method idc --kiro-idc-start-url https://d-xxx.awsapps.com/start

# Import an existing token from Kiro IDE
ccs kiro --import
Kiro provides a free tier via AWS Builder ID, so the default aws path is the best starting point for most users.

Authentication

Auth Methods

MethodAvailabilityTypical use
awsCLI + dashboardDefault AWS Builder ID device-code flow
aws-authcodeCLI + dashboardAWS Builder ID auth-code flow via local callback server
googleCLI + dashboardGoogle OAuth auth-code flow
idcCLI + dashboardIAM Identity Center with required start URL
githubDashboard account-management flowManagement-only social OAuth flow
The default ccs kiro --auth path is aws. When upstream shows a Builder ID vs IDC chooser, CCS auto-selects the Builder ID option instead of waiting for manual input.

Callback And Paste-Callback

Callback-based methods can use --paste-callback when CCS cannot receive the redirect directly: 
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback
ccs kiro --auth --kiro-auth-method google --paste-callback
Use this when you are authenticating through SSH, reverse proxies, or other environments where the local callback listener is blocked.

IDC

IDC requires a start URL: 
ccs kiro --auth --kiro-auth-method idc \
  --kiro-idc-start-url https://d-xxx.awsapps.com/start
Optional IDC flags: 
ccs kiro --auth --kiro-auth-method idc \
  --kiro-idc-start-url https://d-xxx.awsapps.com/start \
  --kiro-idc-region us-east-1 \
  --kiro-idc-flow device
--kiro-idc-flow defaults to authcode. Use device only when you intentionally want the device-code variant.

Browser Mode

Kiro defaults to normal browser mode in current CCS releases: 
cliproxy:
  kiro_no_incognito: true
That keeps AWS login state available for re-auth and avoids common Linux incognito failures. Use --no-incognito when you want to make that choice explicit from the CLI.

Token Import From Kiro IDE

ccs kiro --import
CCS scans the local Kiro IDE installation, copies the token into ~/.ccs/cliproxy/auth/, and registers the account for normal CCS usage.
Import is the fastest recovery path when Kiro IDE is already authenticated.

Multi-Account Support

Kiro accounts use filename-derived identifiers instead of email: 
ccs kiro --auth --add
ccs kiro --accounts
ccs kiro --use github-XYZ789
ccs kiro --nickname work-aws
ccs kiro --logout
This keeps account identity stable even when the provider does not expose an email address.

Configuration

cliproxy:
  kiro_no_incognito: true
  auth:
    api_key: "ccs-internal-managed"
    management_secret: "ccs"

Commands Reference

# Start default Builder ID auth
ccs kiro --auth

# Use a specific CLI auth method
ccs kiro --auth --kiro-auth-method aws-authcode
ccs kiro --auth --kiro-auth-method google
ccs kiro --auth --kiro-auth-method idc --kiro-idc-start-url https://d-xxx.awsapps.com/start

# Use manual callback paste for callback-based methods
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback

# Import from IDE instead of browser auth
ccs kiro --import
GitHub-backed Kiro account addition is handled from the dashboard account flow, not from the direct CLI launch path.

Troubleshooting

Kiro auth keeps failing on Linux

  • Keep cliproxy.kiro_no_incognito: true
  • Prefer the Builder ID device flow first: ccs kiro --auth
  • Use --paste-callback for callback-based flows when redirects cannot reach CCS

IDC fails immediately

  • Make sure --kiro-idc-start-url is present
  • Check that the start URL belongs to the expected AWS Identity Center tenant
  • Try --kiro-idc-flow device if authcode flow is blocked in your environment

Import cannot find a token

  • Confirm Kiro IDE is installed and already authenticated
  • If import still fails, fall back to ccs kiro --auth

The wrong account is being used

  • Run ccs kiro --accounts
  • Switch with ccs kiro --use <account-id>
  • Rename the intended account with ccs kiro --nickname <name> if the current filename-derived ID is too ambiguous

Next Steps