Skip to main content

Kiro Provider

Access Amazon CodeWhisperer (AWS) models through Kiro OAuth authentication with flexible browser modes and IDE token import.

Quick Start

# First run (device code flow - default)
ccs kiro "explain this code"

# Use Google OAuth instead
ccs kiro --kiro-google-login

# Import token from Kiro IDE
ccs kiro --import

# Use normal browser (not incognito)
ccs kiro --no-incognito

Authentication

Auth Methods

Since v7.44.0, Kiro supports method-aware authentication with multiple OAuth flows.
MethodFlow TypeCLI FlagPortUse Case
aws (default)Device Code--kiro-aws-loginNoneBest for AWS org support, polling-based
aws-authcodeAuthorization Code--kiro-aws-authcode9876Browser-based redirect
googleAuthorization Code--kiro-google-login9876Social OAuth via Google
githubDevice CodeNoneManagement API only (not CLI)

OAuth Flow

1

First Run

Run ccs kiro "your prompt" - device code displayed for AWS SSO (default method)
2

Choose Method

Or specify: ccs kiro --kiro-google-login for Google OAuth
3

Token Cached

OAuth token saved to ~/.ccs/cliproxy/auth/kiro-{oauth}-{profile_id}.json
4

Future Runs

Token reused automatically, refreshed when expired
OAuth Specifics:
  • Default Flow: Device Code (AWS) - polling-based, no callback port
  • Callback Port: 9876 (only for aws-authcode and google methods)
  • Token Format: kiro-{oauth}-{profile_id}.json
  • Account ID: Extracted from filename (not email-based)

Browser Mode Control

Kiro supports browser mode customization for reliability: 
# Use normal browser (saves AWS credentials)
ccs kiro --no-incognito
Recommended for Linux - Incognito often fails on Linux systems.Benefits:
  • Saves AWS SSO credentials
  • Faster re-auth on token expiry
  • More reliable on Linux

Configuration

Set default browser mode in ~/.ccs/config.yaml: 
cliproxy:
  kiro_no_incognito: true   # Default: true (normal browser)
On Linux, incognito mode often fails for AWS OAuth. Keep kiro_no_incognito: true for best reliability.

Token Import from Kiro IDE

Skip browser OAuth by importing existing token from Kiro IDE: 
# Import token from Kiro IDE installation
ccs kiro --import

# Output:
# [i] Searching for Kiro IDE token...
# [OK] Token imported from Kiro IDE
# [OK] Account registered: github-ABC123

How Import Works

1

Scan IDE Paths

Checks Kiro IDE config locations (OS-specific)
2

Read Token

Extracts OAuth token from IDE config
3

Copy to CCS

Saves to ~/.ccs/cliproxy/auth/kiro-{oauth}-{profile_id}.json
4

Register Account

Adds to account registry for multi-account management
IDE Config Locations (platform-dependent):
  • Linux: ~/.config/kiro/ or ~/.kiro/
  • macOS: ~/Library/Application Support/Kiro/
  • Windows: %APPDATA%\Kiro\
Import only works if Kiro IDE is installed and authenticated. Otherwise, use standard OAuth flow.

Multi-Account Support

Kiro uses filename-based account identification (no email): 
# Add second account
ccs kiro --auth --add

# List accounts
ccs kiro --accounts

# Output:
# Available Kiro accounts:
# * github-ABC123 (default)
#   github-XYZ789

Account Identification

Pattern: kiro-{oauth}-{profile_id}.json{oauth}-{profile_id} Example:
  • Token file: kiro-github-ABC123.json
  • Account ID: github-ABC123
  • Nickname: Auto-generated from ID or custom via --nickname

Account Commands

# Switch default account
ccs kiro --use github-XYZ789

# Rename account
ccs kiro --nickname work-aws

# Logout (clear tokens)
ccs kiro --logout

Configuration

Config Keys

Configure via ~/.ccs/config.yaml: 
cliproxy:
  # Browser mode (default: true - normal browser)
  kiro_no_incognito: true

  # CLIProxy auth
  auth:
    api_key: "ccs-internal-managed"
    management_secret: "ccs"

Environment Variables

Auto-managed by CCS. Manual override rarely needed.
# Claude CLI injection (auto-set)
ANTHROPIC_BASE_URL=http://127.0.0.1:8317/api/provider/kiro
ANTHROPIC_AUTH_TOKEN=ccs-internal-managed
ANTHROPIC_MODEL=kiro-default   # Model mapping handled by CLIProxy

Commands Reference

Basic Usage

# Execute with Kiro provider
ccs kiro "your prompt"

# One-shot mode
ccs kiro "explain this function"

Authentication Commands

# Default AWS device code flow
ccs kiro --auth

# Specific auth methods
ccs kiro --kiro-aws-login       # AWS device code (default)
ccs kiro --kiro-aws-authcode    # AWS authorization code (browser)
ccs kiro --kiro-google-login    # Google OAuth (browser)

# Import token from Kiro IDE
ccs kiro --import

# Add new account
ccs kiro --auth --add

# Logout
ccs kiro --logout

# Headless mode
ccs kiro --headless

Browser Mode

# Use normal browser (default)
ccs kiro --no-incognito

# Force incognito (not recommended on Linux)
# (requires config change - no CLI flag for forcing incognito)

Account Management

# List accounts
ccs kiro --accounts

# Switch account
ccs kiro --use github-XYZ789

# Rename account
ccs kiro --nickname work-aws

Troubleshooting

OAuth Fails on Linux

Symptom: Browser opens but OAuth callback never completes Cause: Incognito mode unreliable on Linux Solution: Ensure normal browser mode enabled: 
# ~/.ccs/config.yaml
cliproxy:
  kiro_no_incognito: true   # Default
Or use --no-incognito flag explicitly: 
ccs kiro --no-incognito --auth

Token Import Fails

Symptom: ccs kiro --import returns “Token not found” Cause: Kiro IDE not installed or not authenticated Solution: Install Kiro IDE and sign in first, or use standard OAuth: 
ccs kiro --auth

AWS SSO Session Expired

Symptom: API errors after token expiry Solution: Re-authenticate: 
# Normal browser saves AWS credentials for faster re-auth
ccs kiro --auth

Wrong Account Being Used

Symptom: Unexpected AWS account in use Solution: Check default account: 
# List accounts (default marked with *)
ccs kiro --accounts

# Switch default
ccs kiro --use github-ABC123

Storage Locations

PathDescription
~/.ccs/cliproxy/auth/kiro-*.jsonOAuth tokens (one per account)
~/.ccs/cliproxy/accounts.jsonAccount registry, nicknames
~/.ccs/cliproxy/config.yamlCLIProxy configuration
~/.ccs/config.yamlGlobal CCS config (browser mode)

Token Structure

Kiro OAuth token file format: 
{
  "type": "codewhisperer",
  "access_token": "...",
  "refresh_token": "...",
  "expired": "2024-12-31T23:59:59Z"
}
Filename Pattern: kiro-{oauth}-{profile_id}.json Account Identification: Extracted from filename (no email field)

AWS SSO Details

Authorization Flow

Device Code (default aws method):
  1. CCS requests device code from AWS OIDC endpoint
  2. User enters code at verification URL
  3. CCS polls for token completion
  4. OAuth token cached locally
Authorization Code (aws-authcode and google methods):
  1. Browser opens OAuth login page
  2. User signs in (AWS SSO or Google)
  3. Redirect to CCS callback server (port 9876)
  4. OAuth token cached locally

Token Refresh

  • Automatic refresh via refresh_token
  • Triggered when access_token expires
  • Graceful re-auth prompt if refresh fails
  • Normal browser mode speeds up re-auth (credentials cached)

Advanced Features

Import Mechanism

Token Import Flow: 
ccs kiro --import
  1. Scan IDE paths (OS-specific)
  2. Read config files (JSON/TOML format)
  3. Extract OAuth credentials
  4. Validate token structure
  5. Copy to CCS auth directory
  6. Register in accounts.json
Supported IDE Versions: All versions with OAuth support (v1.0+)

Browser Mode Rationale

Why --no-incognito is Default:
  • Linux Compatibility: Incognito mode has known issues with AWS OAuth on Linux
  • UX: Faster re-auth when credentials cached in normal browser
  • Security Trade-off: Acceptable for single-user machines, override for shared systems
Override for Security: 
# ~/.ccs/config.yaml
cliproxy:
  kiro_no_incognito: false   # Force incognito

Cost Information

TierAccessCost
AWS Builder IDIndividual developersFree tier available
IAM Identity CenterEnterpriseAWS subscription required
Quota: Subject to AWS CodeWhisperer rate limits and quotas.

Next Steps

Multi-Account Setup

Manage multiple AWS accounts

Token Import

Import from Kiro IDE

Browser Modes

Configure incognito vs normal

CLIProxy Config

Advanced CLIProxy settings