starred/kiro-gateway-jwadow

Fork 0

mirror of https://github.com/jwadow/kiro-gateway.git synced 2026-04-25 01:15:57 +03:00

[GH-ISSUE #16] [Bug]: AWS SSO OIDC - API host incorrectly uses SSO region instead of us-east-1 #13

New issue

Closed

opened 2026-02-27 07:17:25 +03:00 by kerem · 3 comments

kerem commented

2026-02-27 07:17:25 +03:00

Owner

Originally created by @bhaskoro-muthohar on GitHub (Jan 7, 2026).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/16

Gateway Version

v1.0.8 (commit 69795d1)

What happened?

This is a follow-up to #12 (AWS SSO OIDC support). While the token refresh now correctly uses the SSO region for the OIDC endpoint, the API host is also being set to the SSO region, causing DNS resolution failures.

The Problem

When using KIRO_CLI_DB_FILE with AWS IAM Identity Center credentials from a non-us-east-1 region (e.g., ap-southeast-1), the gateway fails with:

[Errno 8] nodename nor servname provided, or not known

Root Cause

In kiro_gateway/auth.py, the _load_credentials_from_sqlite() method (lines 210-215) sets _api_host based on the region from the SQLite database:

if 'region' in token_data:
    self._region = token_data['region']
    # Update URLs for new region
    self._refresh_url = get_kiro_refresh_url(self._region)
    self._api_host = get_kiro_api_host(self._region)  # BUG: This should stay us-east-1
    self._q_host = get_kiro_q_host(self._region)      # BUG: This should stay us-east-1

This results in:

✅ Token refresh URL: https://oidc.ap-southeast-1.amazonaws.com/token (correct)
❌ API host: https://codewhisperer.ap-southeast-1.amazonaws.com (wrong - doesn't exist)

The CodeWhisperer API is only available in us-east-1, regardless of the SSO region.

Expected Behavior

The gateway should:

Use the SSO region (ap-southeast-1) for OIDC token refresh
Always use us-east-1 for the CodeWhisperer API host

Suggested Fix

if 'region' in token_data:
    # Store SSO region for token refresh only
    sso_region = token_data['region']
    self._refresh_url = get_kiro_refresh_url(sso_region)
    # Note: _api_host and _q_host stay at us-east-1 (CodeWhisperer API region)

Debug Logs

app_logs.txt

2026-01-07 12:44:22 | INFO | kiro_gateway.auth:_load_credentials_from_sqlite:255 | Credentials loaded from SQLite database
2026-01-07 12:44:22 | INFO | kiro_gateway.auth:_detect_auth_type:170 | Detected auth type: AWS SSO OIDC (kiro-cli)
2026-01-07 12:44:35 | INFO | kiro_gateway.routes:chat_completions:199 | Request to /v1/chat/completions (model=claude-sonnet-4-5, stream=False)
2026-01-07 12:44:35 | WARNING | kiro_gateway.http_client:request_with_retry:230 | Request error: [Errno 8] nodename nor servname provided, or not known, waiting 1.0s (attempt 1/3)
2026-01-07 12:44:42 | WARNING | kiro_gateway.routes:chat_completions:384 | HTTP 504 - POST /v1/chat/completions - Streaming failed after 3 attempts. Last error: ConnectError

DNS Verification

# This fails (doesn't exist):
$ nslookup codewhisperer.ap-southeast-1.amazonaws.com
** server can't find codewhisperer.ap-southeast-1.amazonaws.com: NXDOMAIN

# This works (correct endpoint):
$ nslookup codewhisperer.us-east-1.amazonaws.com
Address: 3.233.xxx.xxx

Related: #12 (original AWS SSO OIDC support issue)

Originally created by @bhaskoro-muthohar on GitHub (Jan 7, 2026). Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/16 ## Gateway Version v1.0.8 (commit 69795d1) ## What happened? This is a follow-up to #12 (AWS SSO OIDC support). While the token refresh now correctly uses the SSO region for the OIDC endpoint, the **API host** is also being set to the SSO region, causing DNS resolution failures. ### The Problem When using `KIRO_CLI_DB_FILE` with AWS IAM Identity Center credentials from a non-us-east-1 region (e.g., `ap-southeast-1`), the gateway fails with: ``` [Errno 8] nodename nor servname provided, or not known ``` ### Root Cause In `kiro_gateway/auth.py`, the `_load_credentials_from_sqlite()` method (lines 210-215) sets `_api_host` based on the region from the SQLite database: ```python if 'region' in token_data: self._region = token_data['region'] # Update URLs for new region self._refresh_url = get_kiro_refresh_url(self._region) self._api_host = get_kiro_api_host(self._region) # BUG: This should stay us-east-1 self._q_host = get_kiro_q_host(self._region) # BUG: This should stay us-east-1 ``` This results in: - ✅ Token refresh URL: `https://oidc.ap-southeast-1.amazonaws.com/token` (correct) - ❌ API host: `https://codewhisperer.ap-southeast-1.amazonaws.com` (wrong - doesn't exist) The CodeWhisperer API is **only available in us-east-1**, regardless of the SSO region. ### Expected Behavior The gateway should: 1. Use the SSO region (`ap-southeast-1`) for OIDC token refresh 2. Always use `us-east-1` for the CodeWhisperer API host ### Suggested Fix ```python if 'region' in token_data: # Store SSO region for token refresh only sso_region = token_data['region'] self._refresh_url = get_kiro_refresh_url(sso_region) # Note: _api_host and _q_host stay at us-east-1 (CodeWhisperer API region) ``` ## Debug Logs ### app_logs.txt ``` 2026-01-07 12:44:22 | INFO | kiro_gateway.auth:_load_credentials_from_sqlite:255 | Credentials loaded from SQLite database 2026-01-07 12:44:22 | INFO | kiro_gateway.auth:_detect_auth_type:170 | Detected auth type: AWS SSO OIDC (kiro-cli) 2026-01-07 12:44:35 | INFO | kiro_gateway.routes:chat_completions:199 | Request to /v1/chat/completions (model=claude-sonnet-4-5, stream=False) 2026-01-07 12:44:35 | WARNING | kiro_gateway.http_client:request_with_retry:230 | Request error: [Errno 8] nodename nor servname provided, or not known, waiting 1.0s (attempt 1/3) 2026-01-07 12:44:42 | WARNING | kiro_gateway.routes:chat_completions:384 | HTTP 504 - POST /v1/chat/completions - Streaming failed after 3 attempts. Last error: ConnectError ``` ### DNS Verification ```bash # This fails (doesn't exist): $ nslookup codewhisperer.ap-southeast-1.amazonaws.com ** server can't find codewhisperer.ap-southeast-1.amazonaws.com: NXDOMAIN # This works (correct endpoint): $ nslookup codewhisperer.us-east-1.amazonaws.com Address: 3.233.xxx.xxx ``` --- **Related:** #12 (original AWS SSO OIDC support issue)

kerem

2026-02-27 07:17:25 +03:00

closed this issue
added the
bug

fixed
labels

kerem commented

2026-02-27 07:17:26 +03:00

Author

Owner

@jwadow commented on GitHub (Jan 7, 2026):

@bhaskoro-muthohar

Thanks for the detailed report, you nailed the exact issue.

Fixed. Now SSO region is stored separately in _sso_region and only used for OIDC token refresh. API hosts (_api_host, _q_host) are no longer touched when loading from SQLite — they stay at us-east-1.

Also updated manual_api_test.py with the same logic so the test script works correctly too.

Can you test it? Just git pull and run.

@jwadow commented on GitHub (Jan 7, 2026): @bhaskoro-muthohar Thanks for the detailed report, you nailed the exact issue. Fixed. Now SSO region is stored separately in `_sso_region` and only used for OIDC token refresh. API hosts (`_api_host`, `_q_host`) are no longer touched when loading from SQLite — they stay at us-east-1. Also updated `manual_api_test.py` with the same logic so the test script works correctly too. Can you test it? Just `git pull` and run.

kerem commented

2026-02-27 07:17:26 +03:00

Author

Owner

@jwadow commented on GitHub (Jan 7, 2026):

Forgot to commit, lol. I hope you haven't started testing yet. Everything should be ready by now.

@jwadow commented on GitHub (Jan 7, 2026): Forgot to commit, lol. I hope you haven't started testing yet. Everything should be ready by now.

kerem commented

2026-02-27 07:17:26 +03:00

Author

Owner

@bhaskoro-muthohar commented on GitHub (Jan 7, 2026):

Tested with commit d5ad4b1 - works perfectly! 🎉

curl http://localhost:8000/v1/chat/completions ...
{"id":"chatcmpl-...","choices":[{"message":{"content":"Hey there, friend!"},"finish_reason":"stop"}]}

Thanks for the quick fix!

@bhaskoro-muthohar commented on GitHub (Jan 7, 2026): Tested with commit d5ad4b1 - works perfectly! 🎉 ``` curl http://localhost:8000/v1/chat/completions ... {"id":"chatcmpl-...","choices":[{"message":{"content":"Hey there, friend!"},"finish_reason":"stop"}]} ``` Thanks for the quick fix!