[GH-ISSUE #12] [Bug]: 401 Unauthorized when using AWS SSO credentials from kiro-cli (IAM Identity Center) #11

Closed
opened 2026-02-27 07:17:23 +03:00 by kerem · 5 comments

Originally created by @bhaskoro-muthohar on GitHub (Dec 30, 2025).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/12

Gateway Version: v1.0.7

What happened?

I'm attempting to use kiro-openai-gateway with credentials from kiro-cli (installed from kiro.dev), which authenticates via AWS IAM Identity Center. The gateway fails with 401 Unauthorized when trying to refresh the access token.

Setup:

  • Using kiro-cli from https://kiro.dev (not Kiro IDE)
  • Authenticated with AWS IAM Identity Center (SSO)
  • Credentials extracted from ~/.aws/sso/cache/ (AWS SSO cache)
  • Using KIRO_CREDS_FILE configuration pointing to SSO credentials file

Error Details:

When running manual_api_test.py, the token refresh fails immediately:

2025-12-30 20:20:49.607 | INFO     | __main__:refresh_auth_token:76 - Refreshing Kiro token...
2025-12-30 20:20:50.550 | ERROR    | __main__:refresh_auth_token:102 - Error refreshing token: 401 Client Error: Unauthorized for url: https://prod.us-east-1.auth.desktop.kiro.dev/refreshToken

Credentials File Format:

The AWS SSO cache file contains:

  • accessToken (bearer token)
  • refreshToken
  • expiresAt (ISO 8601 timestamp)
  • region (ap-southeast-1)
  • scopes (codewhisperer permissions)
  • clientId and clientSecret

Note: The file does NOT contain a profileArn field, but I added it manually from kiro-cli whoami output: arn:aws:codewhisperer:us-east-1:767809606079:profile/QGK3RDN4EE4V

Configuration (.env):

PROXY_API_KEY="kiro-test-gateway-2025"
KIRO_CREDS_FILE="~/.aws/sso/cache/8554ba239ce70011d66ec644889ce01c9544dcf2.json"
KIRO_REGION="us-east-1"
PROFILE_ARN="arn:aws:codewhisperer:us-east-1:767809606079:profile/QGK3RDN4EE4V"
LOG_LEVEL="DEBUG"
DEBUG_MODE="errors"

Questions:

  1. Are AWS SSO credentials from kiro-cli compatible with kiro-openai-gateway?
  2. Is there a different credential format or authentication flow required?
  3. Should the refreshToken from AWS SSO work with the Kiro API token refresh endpoint?

The gateway appears designed for Kiro IDE credentials, but kiro-cli from kiro.dev uses AWS IAM Identity Center authentication. These may be incompatible authentication systems.

Debug Logs:

app_logs.txt:

2025-12-30 18:26:09.534 | DEBUG    | kiro_gateway.routes:chat_completions:215 | Model cache is empty, skipping forced population
2025-12-30 18:26:09.534 | DEBUG    | kiro_gateway.http_client:_get_client:107 | Creating streaming HTTP client (read_timeout=300.0s)
2025-12-30 18:26:09.575 | WARNING  | kiro_gateway.http_client:request_with_retry:230 | Request error: [Errno 8] nodename nor servname provided, or not known, waiting 1.0s (attempt 1/3)
2025-12-30 18:26:10.580 | WARNING  | kiro_gateway.http_client:request_with_retry:230 | Request error: [Errno 8] nodename nor servname provided, or not known, waiting 2.0s (attempt 2/3)
2025-12-30 18:26:12.583 | WARNING  | kiro_gateway.http_client:request_with_retry:230 | Request error: [Errno 8] nodename nor servname provided, or not known, waiting 4.0s (attempt 3/3)
2025-12-30 18:26:16.584 | WARNING  | kiro_gateway.routes:chat_completions:375 | HTTP 504 - POST /v1/chat/completions - Streaming failed after 3 attempts. Last error: ConnectError
2025-12-30 18:26:16.587 | DEBUG    | kiro_gateway.debug_logger:log_error_info:246 | [DebugLogger] Error info saved (status=504)

request_body.json:

{
  "model": "claude-sonnet-4-5",
  "messages": [
    {
      "role": "user",
      "content": "Hi"
    }
  ],
  "stream": false,
  "max_tokens": 5
}

kiro_request_body.json:

{
  "conversationState": {
    "chatTriggerType": "MANUAL",
    "conversationId": "4654e8a9-e0fe-45e3-b4cb-131257f00355",
    "currentMessage": {
      "userInputMessage": {
        "content": "Hi",
        "modelId": "CLAUDE_SONNET_4_5_20250929_V1_0",
        "origin": "AI_EDITOR"
      }
    }
  }
}

error_info.json:

{
  "status_code": 504,
  "error_message": "Streaming failed after 3 attempts. Last error: ConnectError"
}

Additional Test Output (manual_api_test.py):

2025-12-30 20:20:49.607 | INFO     | __main__:<module>:50 - Credentials loaded from ~/.aws/sso/cache/8554ba239ce70011d66ec644889ce01c9544dcf2.json
2025-12-30 20:20:49.607 | INFO     | __main__:<module>:178 - Starting Kiro API tests (credentials from KIRO_CREDS_FILE)...
2025-12-30 20:20:49.607 | INFO     | __main__:refresh_auth_token:76 - Refreshing Kiro token...
2025-12-30 20:20:50.550 | ERROR    | __main__:refresh_auth_token:102 - Error refreshing token: 401 Client Error: Unauthorized for url: https://prod.us-east-1.auth.desktop.kiro.dev/refreshToken
2025-12-30 20:20:50.552 | ERROR    | __main__:<module>:191 - Failed to refresh token. Tests not started.
kerem closed this issue 2026-02-27 07:17:24 +03:00

@prime399 commented on GitHub (Jan 1, 2026):

I am facing the same issue when testing; this is what I got:

openai.InternalServerError: Error code: 500 - {'detail': "Internal Server Error: Client error '401 Unauthorized' for url 'https://prod.us-east-1.auth.desktop.kiro.dev/refreshToken'\nFor more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401"}


@uratmangun commented on GitHub (Jan 3, 2026):

You can use this for the refresh token for OIDC in kiro-cli:

It detects CodeWhisperer scopes and uses AWS SSO OIDC (`https://oidc.{region}.amazonaws.com/token`) for token refresh

Sorry, I can't push my kiro-open-gateway because I have a lot of my API keys in there and haven't cleaned it up, but I think using AI you can implement this yourself. I will help when I have time, but I can assure you that kiro cli is working great with this. The SQLite data is in /.local/share/kiro-cli/data.sqlite3, so you need to extract it yourself and then authenticate against it. Check how kiro cli works by cloning https://github.com/aws/amazon-q-developer-cli and ask AI to implement the auth; that's how I got it working.


@jwadow commented on GitHub (Jan 3, 2026):

@bhaskoro-muthohar @prime399 @uratmangun

Hi guys,

I've implemented AWS SSO OIDC support based on your feedback. The gateway now automatically detects the authentication type.

Auto-detection: If credentials contain clientId AND clientSecret → uses AWS SSO OIDC endpoint

Two options for kiro-cli:

Option A: JSON file

KIRO_CREDS_FILE="~/.aws/sso/cache/your-cache-file.json"
PROFILE_ARN="arn:aws:codewhisperer:us-east-1:..."

Option B: SQLite database (recommended)

KIRO_CLI_DB_FILE="~/.local/share/kiro-cli/data.sqlite3"
PROFILE_ARN="arn:aws:codewhisperer:us-east-1:..."

Testing needed:

git clone https://github.com/jwadow/kiro-openai-gateway.git
cd kiro-openai-gateway
pip install -r requirements.txt
python manual_api_test.py

Please report: which option you used, whether it works, any errors.

⚠️ Note: I don't have access to AWS IAM Identity Center / kiro-cli credentials myself, so I implemented this based on the amazon-q-developer-cli source code and your descriptions. Your testing feedback is essential before I can publish a release.
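
The auto-detection rule described in this comment, sketched as an added example (this is not code from kiro-gateway or from any participant in the thread). The function names, the request-body shape for the Kiro desktop endpoint, and the choice to refresh SSO tokens in the `region` recorded in the cache file are assumptions; the sample credentials are constructed.

```python
import json
from datetime import datetime, timezone

# URL templates: the OIDC one is quoted in this thread; the desktop one
# generalizes the us-east-1 URL seen in the logs (assumption).
SSO_OIDC_URL = "https://oidc.{region}.amazonaws.com/token"
KIRO_DESKTOP_URL = "https://prod.{region}.auth.desktop.kiro.dev/refreshToken"
SECRET_FIELDS = ("accessToken", "refreshToken", "clientSecret")


def plan_refresh(creds, default_region="us-east-1"):
    """Return (auth_type, url, json_body) for a token refresh request."""
    if not creds.get("refreshToken"):
        raise ValueError("credentials have no refreshToken")
    if creds.get("clientId") and creds.get("clientSecret"):
        # SSO OIDC client: refresh in the region recorded in the cache file,
        # which can differ from the region used for API calls.
        region = creds.get("region") or default_region
        body = {
            "grantType": "refresh_token",
            "clientId": creds["clientId"],
            "clientSecret": creds["clientSecret"],
            "refreshToken": creds["refreshToken"],
        }
        return "aws_sso_oidc", SSO_OIDC_URL.format(region=region), body
    body = {"refreshToken": creds["refreshToken"]}  # assumed body shape
    return "kiro_desktop", KIRO_DESKTOP_URL.format(region=default_region), body


def is_expired(creds, now=None):
    """True when expiresAt (ISO 8601) is missing or in the past."""
    raw = creds.get("expiresAt")
    if not raw:
        return True
    expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= (now or datetime.now(timezone.utc))


def redact(creds):
    """Copy of creds that is safe to log: secrets replaced by their length."""
    return {k: (f"<redacted:{len(str(v))}>" if k in SECRET_FIELDS else v)
            for k, v in creds.items()}


# Constructed sample mirroring the field list in the issue (all values fake).
SAMPLE_SSO = json.loads("""{
  "accessToken": "fake-access", "refreshToken": "fake-refresh",
  "expiresAt": "2025-12-30T12:00:00Z", "region": "ap-southeast-1",
  "clientId": "fake-client-id", "clientSecret": "fake-client-secret"
}""")

if __name__ == "__main__":
    kind, url, _ = plan_refresh(SAMPLE_SSO)
    print(kind, url, json.dumps(redact(SAMPLE_SSO)))
```

Logging only the `redact()` output keeps refresh tokens and client secrets out of debug logs and pasted issue reports.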


@uratmangun commented on GitHub (Jan 4, 2026):

I actually don't need this anymore because it's working on my side using AI, but I want to help debug it, so this is the OPTION A result; it's working:

Image

for OPTION B:

I got an error; this is my env:

# Kiro OpenAI Gateway - Environment Configuration

# Password to protect YOUR proxy server
PROXY_API_KEY="my-super-secret-password-123"

# Using kiro-cli SQLite database (AWS SSO)
KIRO_CLI_DB_FILE="~/.local/share/kiro-cli/data.sqlite3"

# Default profile ARN (for Builder ID users)
# This may be auto-detected or not required for AWS SSO OIDC
PROFILE_ARN=

When I run kiro-cli whoami I got only this one:

Image

I also asked AI what's wrong with the auth, also showing the amazon-q-cli to check how the auth works, and he said that profile_arn is optional for SSO OIDC as well:

Image

This is the edited manual_api_test.py (https://gist.github.com/uratmangun/f55337b0d77faba7d38241a1c6fe896b), you might want to take a look. Thanks so much for building this, btw. I also took a look at this lol https://github.com/jwadow/kiro-openai-gateway/issues/11, this is a hidden gem for real, didn't know that we can trigger thinking lol


@jwadow commented on GitHub (Jan 4, 2026):

> I also took a look at this lol #11, this is a hidden gem for real, didn't know that we can trigger thinking lol

Yeah, it's a pretty funny thing. I saw something similar (as a user) in https://github.com/GewoonJaap/gemini-cli-openai, but I never dug into their code. And the funniest thing is, it works and solves a bunch of problems with context poisoning on kiro's opus 4.5.

I corrected the code based on your comments; in theory everything should work correctly. So I’m closing the issue as resolved (I hope if something happens you can write here, I’m new to GitHub).

Thank you for your contribution.
