[GH-ISSUE #81] BUG: Region override from credentials file causes connection failure when non-us-east-1 region is unreachable #52

New issue

Open

opened 2026-02-27 07:17:44 +03:00 by kerem · 0 comments

kerem commented

2026-02-27 07:17:44 +03:00

Owner

Originally created by @saurabh-hirani on GitHub (Feb 21, 2026).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/81

Kiro Gateway Version

2.3

What happened?

Problem

When using kiro-gateway with AWS SSO credentials, the auth manager loads the region field from the credentials file (e.g., ~/.aws/sso/cache/*.json) and overrides the default region. If this
region is set to a non-functional endpoint like eu-west-1, all API requests fail with connection errors even though us-east-1 is accessible.

Error Logs

2026-02-21 23:49:17 | INFO | kiro.auth:init:170 - Auth manager initialized: region=us-east-1, api_host=https://q.us-east-1.amazonaws.com, q_host=https://q.us-east-1.amazonaws.com
2026-02-21 23:49:17 | INFO | kiro.auth:_load_credentials_from_file:350 - Region updated from credentials file: region=eu-west-1, api_host=https://q.eu-west-1.amazonaws.com, q_host=https://q.eu-west-1.amazonaws.com
...
2026-02-21 23:50:40 | INFO | kiro.routes_openai:chat_completions:263 - Attempting to connect to Kiro API: https://q.eu-west-1.amazonaws.com/generateAssistantResponse
2026-02-21 23:50:43 | ERROR | kiro.http_client:request_with_retry:285 - Connection failed - unable to establish connection to the server.

Root Cause

the code unconditionally overrides the region from the credentials file without validating endpoint availability.

Workaround

Manually edit the credentials file and change the region:
json
"region": "us-east-1"

Suggested Fix

Add region validation/fallback logic - if the configured region endpoint is unreachable, fall back to us-east-1
Add a configuration option to override/ignore the region from credentials file
Add startup validation that tests the region endpoint and warns users if it's unreachable
Document which regions are supported for Kiro API endpoints

Environment

kiro-gateway version: 2.3
Auth type: AWS SSO OIDC (kiro-cli)
Credentials file: ~/.aws/sso/cache/*.json

Debug Logs

kiro_request_body.json

app_logs.txt

request_body.json

Originally created by @saurabh-hirani on GitHub (Feb 21, 2026). Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/81 ### Kiro Gateway Version 2.3 ### What happened? ## Problem When using kiro-gateway with AWS SSO credentials, the auth manager loads the region field from the credentials file (e.g., ~/.aws/sso/cache/*.json) and overrides the default region. If this region is set to a non-functional endpoint like eu-west-1, all API requests fail with connection errors even though us-east-1 is accessible. ## Error Logs 2026-02-21 23:49:17 | INFO | kiro.auth:__init__:170 - Auth manager initialized: region=us-east-1, api_host=https://q.us-east-1.amazonaws.com, q_host=https://q.us-east-1.amazonaws.com 2026-02-21 23:49:17 | INFO | kiro.auth:_load_credentials_from_file:350 - Region updated from credentials file: region=eu-west-1, api_host=https://q.eu-west-1.amazonaws.com, q_host=https://q.eu-west-1.amazonaws.com ... 2026-02-21 23:50:40 | INFO | kiro.routes_openai:chat_completions:263 - Attempting to connect to Kiro API: https://q.eu-west-1.amazonaws.com/generateAssistantResponse 2026-02-21 23:50:43 | ERROR | kiro.http_client:request_with_retry:285 - Connection failed - unable to establish connection to the server. ## Root Cause the code unconditionally overrides the region from the credentials file without validating endpoint availability. ## Workaround Manually edit the credentials file and change the region: json "region": "us-east-1" ## Suggested Fix 1. Add region validation/fallback logic - if the configured region endpoint is unreachable, fall back to us-east-1 2. Add a configuration option to override/ignore the region from credentials file 3. Add startup validation that tests the region endpoint and warns users if it's unreachable 4. Document which regions are supported for Kiro API endpoints ## Environment - kiro-gateway version: 2.3 - Auth type: AWS SSO OIDC (kiro-cli) - Credentials file: ~/.aws/sso/cache/*.json ### Debug Logs [kiro_request_body.json](https://github.com/user-attachments/files/25460272/kiro_request_body.json) [app_logs.txt](https://github.com/user-attachments/files/25460279/app_logs.txt) [request_body.json](https://github.com/user-attachments/files/25460288/request_body.json)