OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support
npm install @kervnet/opencode-kiro-auth
OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet and Haiku models with substantial trial quotas.
- Multiple Auth Methods: Supports AWS Builder ID (IDC), Kiro Desktop (CLI-based), and AWS SSO authentication.
- Auto-Sync Kiro CLI: Automatically imports and synchronizes active sessions from your local kiro-cli SQLite database.
- Auto-Sync AWS SSO: Automatically imports credentials from ~/.aws/sso/cache for seamless integration with AWS profiles.
- Gradual Context Truncation: Intelligently prevents error 400 by reducing context size dynamically during retries.
- Intelligent Account Rotation: Prioritizes multi-account usage based on lowest available quota.
- High-Performance Storage: Efficient account and usage management using native Bun SQLite.
- Native Thinking Mode: Full support for Claude reasoning capabilities via virtual model mappings.
- Automated Recovery: Exponential backoff for rate limits and automated token refresh.
Add the plugin to your opencode.json or opencode.jsonc:
``json`
{
"plugin": ["@zhafron/opencode-kiro-auth"],
"provider": {
"kiro": {
"models": {
"claude-sonnet-4-5": {
"name": "Claude Sonnet 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-sonnet-4-5-thinking": {
"name": "Claude Sonnet 4.5 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-haiku-4-5": {
"name": "Claude Haiku 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image"], "output": ["text"] }
},
"claude-opus-4-5": {
"name": "Claude Opus 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-opus-4-5-thinking": {
"name": "Claude Opus 4.5 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
}
}
}
}
}
1. Authentication via Kiro CLI (Recommended):
- Perform login directly in your terminal using kiro-cli login.kiro-cli
- The plugin will automatically detect and import your session on startup.
- For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the database.~/.aws/config
2. Authentication via AWS SSO:
- Ensure you have AWS SSO configured in with active sessions.~/.aws/sso/cache
- The plugin automatically imports credentials from on startup.opencode auth login
- No additional configuration needed - just use your existing AWS SSO profiles.
3. Direct Authentication:
- Run .Other
- Select , type kiro, and press enter.~/.config/opencode/kiro.db
- Follow the instructions for AWS Builder ID (IDC).
4. Configuration will be automatically managed at .
This happens when the plugin has no records in ~/.config/opencode/kiro.db.
1. Ensure kiro-cli login succeeds.auto_sync_kiro_cli
2. Ensure is true in ~/.config/opencode/kiro.json.
3. Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.
Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.
The plugin supports extensive configuration options. Edit ~/.config/opencode/kiro.json:
`json`
{
"auto_sync_kiro_cli": true,
"auto_sync_aws_sso": true,
"account_selection_strategy": "lowest-usage",
"default_region": "us-east-1",
"rate_limit_retry_delay_ms": 5000,
"rate_limit_max_retries": 3,
"max_request_iterations": 20,
"request_timeout_ms": 120000,
"token_expiry_buffer_ms": 120000,
"usage_sync_max_retries": 3,
"auth_server_port_start": 19847,
"auth_server_port_range": 10,
"usage_tracking_enabled": true,
"enable_log_api_request": false
}
- auto_sync_kiro_cli: Automatically sync sessions from Kiro CLI (default: true).auto_sync_aws_sso
- : Automatically sync credentials from AWS SSO cache (default: true).account_selection_strategy
- : Account rotation strategy (sticky, round-robin, lowest-usage).default_region
- : AWS region (us-east-1, us-west-2).rate_limit_retry_delay_ms
- : Delay between rate limit retries (1000-60000ms).rate_limit_max_retries
- : Maximum retry attempts for rate limits (0-10).max_request_iterations
- : Maximum loop iterations to prevent hangs (10-1000).request_timeout_ms
- : Request timeout in milliseconds (60000-600000ms).token_expiry_buffer_ms
- : Token refresh buffer time (30000-300000ms).usage_sync_max_retries
- : Retry attempts for usage sync (0-5).auth_server_port_start
- : Starting port for auth server (1024-65535).auth_server_port_range
- : Number of ports to try (1-100).usage_tracking_enabled
- : Enable usage tracking and toast notifications.enable_log_api_request
- : Enable detailed API request logging.
Linux/macOS:
- SQLite Database: ~/.config/opencode/kiro.db
- Plugin Config:
Windows:
- SQLite Database: %APPDATA%\opencode\kiro.db
- Plugin Config:
Special thanks to AIClient-2-API for providing the foundational Kiro authentication logic and request patterns.
This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.
Feel free to open a PR to optimize this plugin further.