mirror of
https://github.com/jwadow/kiro-gateway.git
synced 2026-04-25 01:15:57 +03:00
[GH-ISSUE #14] [Bug]: kiro-cli credentials from within a container #15
Labels
No labels
bug
bug
enhancement
enhancement
fixed
fixed
invalid
needs-info
needs-testing
pull-request
question
upstream
wontfix
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/kiro-gateway-jwadow#15
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @mzazon on GitHub (Jan 6, 2026).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/14
Gateway Version
v1.0.8
What happened?
Trying to use a container but map the sqlite database to a volume for the container to use in my litellm stack.
From docker-compose.yaml
kiro-gateway:
build: ./kiro-openai-gateway
container_name: kiro-gateway
ports:
- "8000:8000"
volumes:
- "/Users//Library/Application Support/kiro-cli/data.sqlite3:/data/data.sqlite3:ro"
restart: unless-stopped
container starts:
2026-01-06 16:03:40 | INFO | main::305 - Starting Uvicorn server...
2026-01-06 16:03:40 | INFO | logging:callHandlers:1706 - Started server process [1]
2026-01-06 16:03:40 | INFO | logging:callHandlers:1706 - Waiting for application startup.
2026-01-06 16:03:40 | INFO | main:lifespan:234 - Starting application... Creating state managers.
2026-01-06 16:03:40 | INFO | kiro_gateway.auth:_load_credentials_from_sqlite:255 - Credentials loaded from SQLite database: /data/data.sqlite3
2026-01-06 16:03:40 | INFO | kiro_gateway.auth:_detect_auth_type:170 - Detected auth type: AWS SSO OIDC (kiro-cli)
2026-01-06 16:03:40 | INFO | logging:callHandlers:1706 - Application startup complete.
2026-01-06 16:03:40 | INFO | logging:callHandlers:1706 - Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
2026-01-06 16:03:43 | INFO | kiro_gateway.routes:get_models:135 - Request to /v1/models
2026-01-06 16:03:43 | INFO | kiro_gateway.cache:update:75 - Updating model cache. Found 10 models.
2026-01-06 16:03:43 | INFO | kiro_gateway.routes:get_models:163 - Received 10 models from API
Debug Logs
Here is what im getting in debug_logs:
root@0bb84b5361e1:/app/debug_logs# cat app_logs.txt
2026-01-06 16:15:17.671 | DEBUG | kiro_gateway.converters:inject_thinking_tags:162 | Injecting fake reasoning tags with max_tokens=4000
2026-01-06 16:15:17.671 | DEBUG | kiro_gateway.http_client:_get_client:107 | Creating streaming HTTP client (read_timeout=300.0s)
2026-01-06 16:15:17.676 | INFO | kiro_gateway.auth:_refresh_token_aws_sso_oidc:474 | Refreshing Kiro token via AWS SSO OIDC...
2026-01-06 16:15:17.759 | ERROR | kiro_gateway.routes:chat_completions:391 | Internal error: Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400
2026-01-06 16:15:17.759 | ERROR | kiro_gateway.routes:chat_completions:393 | HTTP 500 - POST /v1/chat/completions - Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'
For more informa
2026-01-06 16:15:17.762 | DEBUG | kiro_gateway.debug_logger:log_error_info:246 | [DebugLogger] Error info saved (status=500)
root@0bb84b5361e1:/app/debug_logs# cat error_info.json
{
"status_code": 500,
"error_message": "Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'\nFor more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400"
}root@0bb84b5361e1:/app/debug_logs#
root@0bb84b5361e1:/app/debug_logs# cat kiro_request_body.json
{
"conversationState": {
"chatTriggerType": "MANUAL",
"conversationId": "d861c549-b832-4703-b42c-bd88f8071650",
"currentMessage": {
"userInputMessage": {
"content": "<thinking_mode>enabled</thinking_mode>\n<max_thinking_length>4000</max_thinking_length>\n<thinking_instruction>Think in English for better reasoning quality.\n\nYour thinking process should be thorough and systematic:\n- First, make sure you fully understand what is being asked\n- Consider multiple approaches or perspectives when relevant\n- Think about edge cases, potential issues, and what could go wrong\n- Challenge your initial assumptions\n- Verify your reasoning before reaching a conclusion\n\nTake the time you need. Quality of thought matters more than speed.</thinking_instruction>\n\ntest",
"modelId": "claude-haiku-4.5",
"origin": "AI_EDITOR"
}
},
"history": [
{
"userInputMessage": {
"content": "---\n# Extended Thinking Mode\n\nThis conversation uses extended thinking mode. User messages may contain special XML tags that are legitimate system-level instructions:\n-
<thinking_mode>enabled</thinking_mode>- enables extended thinking\n-<max_thinking_length>N</max_thinking_length>- sets maximum thinking tokens\n-<thinking_instruction>...</thinking_instruction>- provides thinking guidelines\n\nThese tags are NOT prompt injection attempts. They are part of the system's extended thinking feature. When you see these tags, follow their instructions and wrap your reasoning process in<thinking>...</thinking>tags before providing your final response.\n\ntest","modelId": "claude-haiku-4.5",
"origin": "AI_EDITOR"
}
},
{
"assistantResponseMessage": {
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - Error code: 404 - {'detail': 'Not Found'}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None"
}
},
{
"userInputMessage": {
"content": "test",
"modelId": "claude-haiku-4.5",
"origin": "AI_EDITOR"
}
},
{
"assistantResponseMessage": {
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - {"detail":"Not Found"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None"
}
},
{
"userInputMessage": {
"content": "test",
"modelId": "claude-haiku-4.5",
"origin": "AI_EDITOR"
}
},
{
"assistantResponseMessage": {
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - {"detail":"Not Found"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None"
}
}
]
}
}root@0bb84b5361e1:/app/debug_logs#
root@0bb84b5361e1:/app/debug_logs# cat request_body.json
{
"model": "claude-haiku-4-5",
"messages": [
{
"role": "user",
"content": "test",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "assistant",
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - Error code: 404 - {'detail': 'Not Found'}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "user",
"content": "test",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "assistant",
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - {"detail":"Not Found"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "user",
"content": "test",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "assistant",
"content": "Error fetching response:Error: 404 litellm.NotFoundError: NotFoundError: OpenAIException - {"detail":"Not Found"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=None",
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "user",
"content": "test",
"name": null,
"tool_calls": null,
"tool_call_id": null
}
],
"stream": true,
"temperature": null,
"top_p": null,
"n": 1,
"max_tokens": null,
"max_completion_tokens": null,
"stop": null,
"presence_penalty": null,
"frequency_penalty": null,
"tools": null,
"tool_choice": null,
"stream_options": {
"include_usage": true
},
"logit_bias": null,
"logprobs": null,
"top_logprobs": null,
"user": null,
"seed": null,
"parallel_tool_calls": null
}root@0bb84b5361e1:/app/debug_logs#
@jwadow commented on GitHub (Jan 6, 2026):
Hey, thanks for the report!
Looking at the logs - the 400 from AWS is the key issue here. Problem is we're not seeing the actual error message from AWS, just "400 Bad Request".
I just pushed a commit that adds better error logging. When you pull and try again, we'll see the actual AWS error code (like "invalid_grant" or "invalid_client") which will tell us exactly what's wrong.
Can you try:
Also curious - when did you last run
kiro-cli login? And doeskiro-cli whoamistill work on your machine?@mzazon commented on GitHub (Jan 6, 2026):
hmm just rebuilt the container and it's working now (what the heck) I have been using kiro-cli persistently while trying this on and off with my openai compatible clients.
so lets mark it closed I guess! thank you for your help and appreicate the quick response!
@mzazon commented on GitHub (Jan 6, 2026):
hmm - it just now started to error again. I am able to run kiro-cli locally and also I am running kiro-cli login, no issues locally, but in the container no beans:
root@5e63e83bb886:/app/debug_logs# cat app_logs.txt
2026-01-06 18:27:13.274 | DEBUG | kiro_gateway.routes:chat_completions:218 | Model cache is empty, skipping forced population
2026-01-06 18:27:13.274 | DEBUG | kiro_gateway.converters:inject_thinking_tags:162 | Injecting fake reasoning tags with max_tokens=4000
2026-01-06 18:27:13.274 | DEBUG | kiro_gateway.http_client:_get_client:107 | Creating streaming HTTP client (read_timeout=300.0s)
2026-01-06 18:27:13.279 | INFO | kiro_gateway.auth:_refresh_token_aws_sso_oidc:474 | Refreshing Kiro token via AWS SSO OIDC...
2026-01-06 18:27:13.279 | DEBUG | kiro_gateway.auth:_refresh_token_aws_sso_oidc:493 | AWS SSO OIDC refresh request: url=https://oidc.us-east-1.amazonaws.com/token, region=us-east-1, client_id=ndhvk4wK..., scopes=['codewhisperer:completions', 'codewhisperer:analysis', 'codewhisperer:conversations']
2026-01-06 18:27:13.356 | ERROR | kiro_gateway.auth:_refresh_token_aws_sso_oidc:502 | AWS SSO OIDC refresh failed: status=400, body={"error":"invalid_request","error_description":"Invalid request","reason":null}
2026-01-06 18:27:13.356 | ERROR | kiro_gateway.auth:_refresh_token_aws_sso_oidc:509 | AWS SSO OIDC error details: error=invalid_request, description=Invalid request
2026-01-06 18:27:13.357 | ERROR | kiro_gateway.routes:chat_completions:391 | Internal error: Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400
2026-01-06 18:27:13.357 | ERROR | kiro_gateway.routes:chat_completions:393 | HTTP 500 - POST /v1/chat/completions - Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'
For more informa
2026-01-06 18:27:13.358 | DEBUG | kiro_gateway.debug_logger:log_error_info:246 | [DebugLogger] Error info saved (status=500)
root@5e63e83bb886:/app/debug_logs#
root@5e63e83bb886:/app/debug_logs# cat error_info.json
{
"status_code": 500,
"error_message": "Client error '400 Bad Request' for url 'https://oidc.us-east-1.amazonaws.com/token'\nFor more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400"
}root@5e63e83bb886:/app/debug_logs#
root@5e63e83bb886:/app/debug_logs# cat kiro_request_body.json
{
"conversationState": {
"chatTriggerType": "MANUAL",
"conversationId": "f68a02d7-ec60-4729-8436-95ce63ad768d",
"currentMessage": {
"userInputMessage": {
"content": "<thinking_mode>enabled</thinking_mode>\n<max_thinking_length>4000</max_thinking_length>\n<thinking_instruction>Think in English for better reasoning quality.\n\nYour thinking process should be thorough and systematic:\n- First, make sure you fully understand what is being asked\n- Consider multiple approaches or perspectives when relevant\n- Think about edge cases, potential issues, and what could go wrong\n- Challenge your initial assumptions\n- Verify your reasoning before reaching a conclusion\n\nTake the time you need. Quality of thought matters more than speed.</thinking_instruction>\n\nYou are Claude Code, Anthropic's official CLI for Claude.You are a software architect and planning specialist for Claude Code. Your role is to explore the codebase and design implementation plans.\n\n=== CRITICAL: READ-ONLY MODE - NO FILE MODIFICATIONS ===\nThis is a READ-ONLY planning task. You are STRICTLY PROHIBITED from:\n- Creating new files (no Write, touch, or file creation of any kind)\n- Modifying existing files (no Edit operations)\n- Deleting files (no rm or deletion)\n- Moving or copying files (no mv or cp)\n- Creating temporary files anywhere, including /tmp\n- Using redirect operators (>, >>, |) or heredocs to write to files\n- Running ANY commands that change system state\n\nYour role is EXCLUSIVELY to explore the codebase and design implementation plans. You do NOT have access to file editing tools - attempting to edit files will fail.\n\nYou will be provided with a set of requirements and optionally a perspective on how to approach the design process.\n\n## Your Process\n\n1. Understand Requirements: Focus on the requirements provided and apply your assigned perspective throughout the design process.\n\n2. Explore Thoroughly:\n - Read any files provided to you in the initial prompt\n - Find existing patterns and conventions using Glob, Grep, and Read\n - Understand the current architecture\n - Identify similar features as reference\n - Trace through relevant code paths\n - Use Bash ONLY for read-only operations (ls, git status, git log, git diff, find, cat, head, tail)\n - NEVER use Bash for: mkdir, touch, rm, cp, mv, git add, git commit, npm install, pip install, or any file creation/modification\n\n3. Design Solution:\n - Create implementation approach based on your assigned perspective\n - Consider trade-offs and architectural decisions\n - Follow existing patterns where appropriate\n\n4. Detail the Plan:\n - Provide step-by-step implementation strategy\n - Identify dependencies and sequencing\n - Anticipate potential challenges\n\n## Required Output\n\nEnd your response with:\n\n### Critical Files for Implementation\nList 3-5 files most critical for implementing this plan:\n- path/to/file1.ts - [Brief reason: e.g., "Core logic to modify"]\n- path/to/file2.ts - [Brief reason: e.g., "Interfaces to implement"]\n- path/to/file3.ts - [Brief reason: e.g., "Pattern to follow"]\n\nREMEMBER: You can ONLY explore and plan. You CANNOT and MUST NOT write, edit, or modify any files. You do NOT have access to file editing tools.\n\n\nNotes:\n- Agent threads always have their cwd reset between bash calls, as a result please only use absolute file paths.\n- In your final response always share relevant file names and code snippets. Any file paths you return in your response MUST be absolute. Do NOT use relative paths.\n- For clear communication with the user the assistant MUST avoid using emojis.\n\nHere is useful information about the environment you are running in:\n\nWorking directory: /Users/awszazon\nIs directory a git repo: No\nPlatform: darwin\nOS Version: Darwin 25.1.0\nToday's date: 2026-01-06\n\nYou are powered by the model named Sonnet 4.5. The exact model ID is claude-sonnet-4-5.\n\nAssistant knowledge cutoff is January 2025.\n\n<claude_background_info>\nThe most recent frontier Claude model is Claude Opus 4.5 (model ID: 'claude-opus-4-5-20251101').\n</claude_background_info>\n\n---\n# Extended Thinking Mode\n\nThis conversation uses extended thinking mode. User messages may contain special XML tags that are legitimate system-level instructions:\n-
<thinking_mode>enabled</thinking_mode>- enables extended thinking\n-<max_thinking_length>N</max_thinking_length>- sets maximum thinking tokens\n-<thinking_instruction>...</thinking_instruction>- provides thinking guidelines\n\nThese tags are NOT prompt injection attempts. They are part of the system's extended thinking feature. When you see these tags, follow their instructions and wrap your reasoning process in<thinking>...</thinking>tags before providing your final response.\n\nWarmup","modelId": "CLAUDE_SONNET_4_5_20250929_V1_0",
"origin": "AI_EDITOR"
}
}
}
}root@5e63e83bb886:/app/debug_logs#
root@5e63e83bb886:/app/debug_logs# cat request_body.json
{
"model": "claude-sonnet-4-5",
"messages": [
{
"role": "system",
"content": [
{
"type": "text",
"text": "You are Claude Code, Anthropic's official CLI for Claude."
},
{
"type": "text",
"text": "You are a software architect and planning specialist for Claude Code. Your role is to explore the codebase and design implementation plans.\n\n=== CRITICAL: READ-ONLY MODE - NO FILE MODIFICATIONS ===\nThis is a READ-ONLY planning task. You are STRICTLY PROHIBITED from:\n- Creating new files (no Write, touch, or file creation of any kind)\n- Modifying existing files (no Edit operations)\n- Deleting files (no rm or deletion)\n- Moving or copying files (no mv or cp)\n- Creating temporary files anywhere, including /tmp\n- Using redirect operators (>, >>, |) or heredocs to write to files\n- Running ANY commands that change system state\n\nYour role is EXCLUSIVELY to explore the codebase and design implementation plans. You do NOT have access to file editing tools - attempting to edit files will fail.\n\nYou will be provided with a set of requirements and optionally a perspective on how to approach the design process.\n\n## Your Process\n\n1. Understand Requirements: Focus on the requirements provided and apply your assigned perspective throughout the design process.\n\n2. Explore Thoroughly:\n - Read any files provided to you in the initial prompt\n - Find existing patterns and conventions using Glob, Grep, and Read\n - Understand the current architecture\n - Identify similar features as reference\n - Trace through relevant code paths\n - Use Bash ONLY for read-only operations (ls, git status, git log, git diff, find, cat, head, tail)\n - NEVER use Bash for: mkdir, touch, rm, cp, mv, git add, git commit, npm install, pip install, or any file creation/modification\n\n3. Design Solution:\n - Create implementation approach based on your assigned perspective\n - Consider trade-offs and architectural decisions\n - Follow existing patterns where appropriate\n\n4. Detail the Plan:\n - Provide step-by-step implementation strategy\n - Identify dependencies and sequencing\n - Anticipate potential challenges\n\n## Required Output\n\nEnd your response with:\n\n### Critical Files for Implementation\nList 3-5 files most critical for implementing this plan:\n- path/to/file1.ts - [Brief reason: e.g., "Core logic to modify"]\n- path/to/file2.ts - [Brief reason: e.g., "Interfaces to implement"]\n- path/to/file3.ts - [Brief reason: e.g., "Pattern to follow"]\n\nREMEMBER: You can ONLY explore and plan. You CANNOT and MUST NOT write, edit, or modify any files. You do NOT have access to file editing tools.\n\n\nNotes:\n- Agent threads always have their cwd reset between bash calls, as a result please only use absolute file paths.\n- In your final response always share relevant file names and code snippets. Any file paths you return in your response MUST be absolute. Do NOT use relative paths.\n- For clear communication with the user the assistant MUST avoid using emojis.\n\nHere is useful information about the environment you are running in:\n\nWorking directory: /Users/awszazon\nIs directory a git repo: No\nPlatform: darwin\nOS Version: Darwin 25.1.0\nToday's date: 2026-01-06\n\nYou are powered by the model named Sonnet 4.5. The exact model ID is claude-sonnet-4-5.\n\nAssistant knowledge cutoff is January 2025.\n\n<claude_background_info>\nThe most recent frontier Claude model is Claude Opus 4.5 (model ID: 'claude-opus-4-5-20251101').\n</claude_background_info>\n"
}
],
"name": null,
"tool_calls": null,
"tool_call_id": null
},
{
"role": "user",
"content": [
{
"type": "text",
"text": "Warmup"
}
],
"name": null,
"tool_calls": null,
"tool_call_id": null
}
],
"stream": false,
"temperature": 1.0,
"top_p": null,
"n": 1,
"max_tokens": 4096,
"max_completion_tokens": null,
"stop": null,
"presence_penalty": null,
"frequency_penalty": null,
"tools": null,
"tool_choice": null,
"stream_options": null,
"logit_bias": null,
"logprobs": null,
"top_logprobs": null,
"user": null,
"seed": null,
"parallel_tool_calls": null
}root@5e63e83bb886:/app/debug_logs#
@jwadow commented on GitHub (Jan 7, 2026):
Gotcha, error! Your logs helped a lot, thanks.
So here's what happened - when we load creds from SQLite, we were grabbing the scopes array too and sending it during refresh. AWS doesn't like that apparently, just returns "invalid_request" without much explanation.
That's why it worked at first (fresh token from kiro-cli login) and then died when the gateway tried to refresh it on its own.
Fixed now - just stopped sending scopes in refresh. Pull latest and try again?
@mzazon commented on GitHub (Jan 8, 2026):
I am testing this now with the latest code. No issues so far. I will keep testing and re-open this issue if I run into any problems, but so far so good, thanks!