JSPM

  • Created
  • Published
  • Downloads 67
  • Score
    100M100P100Q69821F
  • License MIT

OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support

Package Exports

  • @kervnet/opencode-kiro-auth
  • @kervnet/opencode-kiro-auth/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@kervnet/opencode-kiro-auth) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

OpenCode Kiro Auth Plugin

npm version npm downloads license

OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet and Haiku models with substantial trial quotas.

Features

  • Multiple Auth Methods: Supports AWS Builder ID (IDC), Kiro Desktop (CLI-based), and AWS SSO authentication.
  • Auto-Sync Kiro CLI: Automatically imports and synchronizes active sessions from your local kiro-cli SQLite database.
  • Auto-Sync AWS SSO: Automatically imports credentials from ~/.aws/sso/cache for seamless integration with AWS profiles.
  • Gradual Context Truncation: Intelligently prevents error 400 by reducing context size dynamically during retries.
  • Intelligent Account Rotation: Prioritizes multi-account usage based on lowest available quota.
  • High-Performance Storage: Efficient account and usage management using native Bun SQLite.
  • Native Thinking Mode: Full support for Claude reasoning capabilities via virtual model mappings.
  • Automated Recovery: Exponential backoff for rate limits and automated token refresh.

Installation

Add the plugin to your opencode.json or opencode.jsonc:

{
  "plugin": ["@zhafron/opencode-kiro-auth"],
  "provider": {
    "kiro": {
      "models": {
        "claude-sonnet-4-5": {
          "name": "Claude Sonnet 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-sonnet-4-5-thinking": {
          "name": "Claude Sonnet 4.5 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        },
        "claude-haiku-4-5": {
          "name": "Claude Haiku 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image"], "output": ["text"] }
        },
        "claude-opus-4-5": {
          "name": "Claude Opus 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-opus-4-5-thinking": {
          "name": "Claude Opus 4.5 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        }
      }
    }
  }
}

Setup

  1. Authentication via Kiro CLI (Recommended):
    • Perform login directly in your terminal using kiro-cli login.
    • The plugin will automatically detect and import your session on startup.
    • For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the kiro-cli database.
  2. Authentication via AWS SSO:
    • Ensure you have AWS SSO configured in ~/.aws/config with active sessions.
    • The plugin automatically imports credentials from ~/.aws/sso/cache on startup.
    • No additional configuration needed - just use your existing AWS SSO profiles.
  3. Direct Authentication:
    • Run opencode auth login.
    • Select Other, type kiro, and press enter.
    • Follow the instructions for AWS Builder ID (IDC).
  4. Configuration will be automatically managed at ~/.config/opencode/kiro.db.

Troubleshooting

Error: No accounts

This happens when the plugin has no records in ~/.config/opencode/kiro.db.

  1. Ensure kiro-cli login succeeds.
  2. Ensure auto_sync_kiro_cli is true in ~/.config/opencode/kiro.json.
  3. Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.

Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.

Configuration

The plugin supports extensive configuration options. Edit ~/.config/opencode/kiro.json:

{
  "auto_sync_kiro_cli": true,
  "auto_sync_aws_sso": true,
  "account_selection_strategy": "lowest-usage",
  "default_region": "us-east-1",
  "rate_limit_retry_delay_ms": 5000,
  "rate_limit_max_retries": 3,
  "max_request_iterations": 20,
  "request_timeout_ms": 120000,
  "token_expiry_buffer_ms": 120000,
  "usage_sync_max_retries": 3,
  "auth_server_port_start": 19847,
  "auth_server_port_range": 10,
  "usage_tracking_enabled": true,
  "enable_log_api_request": false
}

Configuration Options

  • auto_sync_kiro_cli: Automatically sync sessions from Kiro CLI (default: true).
  • auto_sync_aws_sso: Automatically sync credentials from AWS SSO cache (default: true).
  • account_selection_strategy: Account rotation strategy (sticky, round-robin, lowest-usage).
  • default_region: AWS region (us-east-1, us-west-2).
  • rate_limit_retry_delay_ms: Delay between rate limit retries (1000-60000ms).
  • rate_limit_max_retries: Maximum retry attempts for rate limits (0-10).
  • max_request_iterations: Maximum loop iterations to prevent hangs (10-1000).
  • request_timeout_ms: Request timeout in milliseconds (60000-600000ms).
  • token_expiry_buffer_ms: Token refresh buffer time (30000-300000ms).
  • usage_sync_max_retries: Retry attempts for usage sync (0-5).
  • auth_server_port_start: Starting port for auth server (1024-65535).
  • auth_server_port_range: Number of ports to try (1-100).
  • usage_tracking_enabled: Enable usage tracking and toast notifications.
  • enable_log_api_request: Enable detailed API request logging.

Storage

Linux/macOS:

  • SQLite Database: ~/.config/opencode/kiro.db
  • Plugin Config: ~/.config/opencode/kiro.json

Windows:

  • SQLite Database: %APPDATA%\opencode\kiro.db
  • Plugin Config: %APPDATA%\opencode\kiro.json

Acknowledgements

Special thanks to AIClient-2-API for providing the foundational Kiro authentication logic and request patterns.

Disclaimer

This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.

Feel free to open a PR to optimize this plugin further.