
How to Connect Kiro IDE to Amazon SageMaker AI Spaces and Set Up Git Integration

8 minute read
Content level: Intermediate

A step-by-step guide to remote connectivity from Kiro IDE to SageMaker AI JupyterLab Spaces, Git configuration, and push workflows — including enterprise/VPC environments


Overview

This article walks you through the complete setup to:

  • Connect Kiro IDE (locally installed) to an Amazon SageMaker AI JupyterLab Space via a secure Remote-SSH tunnel
  • Clone, commit, and push code to GitHub/GitLab from within the remote Space using Kiro

The connection uses AWS Systems Manager Session Manager to create a secure WebSocket tunnel — no inbound ports or SSH keys required on the Space side.


Architecture

The remote connection from Kiro IDE to SageMaker AI Spaces is built on four layers:

  • AWS Toolkit Extension (v3.100+) — Installed in Kiro; handles IAM authentication and provides the SageMaker AI domain/space browser.
  • Session Manager Plugin — Critical middleware that establishes a secure WebSocket tunnel between the local IDE and the remote Space.
  • SSH over Session Manager — Kiro uses Remote-SSH tunnelled through SSM to connect to the running Space instance.
  • Network Connectivity — Outbound HTTPS (port 443) to AWS SSM endpoints is required.

Logical Connection Flow

Local Machine (Kiro + AWS Toolkit + Session Manager Plugin)
    |
    |  HTTPS / WebSocket (port 443)
    v
AWS SSM Endpoints (ssmmessages.<region>.amazonaws.com)
                  (ec2messages.<region>.amazonaws.com)
    |
    |  Secure WebSocket Tunnel (Session Manager)
    v
SageMaker AI JupyterLab Space (EC2 Instance + SSM Agent + SSH Server)
    |
    |  Remote-SSH
    v
Kiro IDE Remote Window <--> /home/sagemaker-user/ workspace

Prerequisites

Local Machine Requirements

| Component | Minimum Version | Notes |
|---|---|---|
| Kiro IDE | v0.8.0+ (rec. v0.10.78+) | Latest version strongly preferred |
| AWS Toolkit extension | v3.100+ | Install from Kiro Extensions marketplace |
| Session Manager Plugin | v1.1.23.0+ | Must be executable; not blocked by security software |
| Operating System | Win 10/11, macOS 13+, Linux | All platforms supported |
| Network | Outbound HTTPS 443 | To AWS SSM endpoints; via proxy if required |

SageMaker AI Domain & Space Configuration

| Setting | Required Value | Where to Configure |
|---|---|---|
| Remote Access | Enabled | Space settings toggle in SageMaker AI Studio |
| Space Type | JupyterLab | Space creation wizard |
| Space State | Running | Start space before connecting |
| Instance | T3 Large+ (8 GB RAM min) | Instance type selection |

IAM Permissions

The IAM user or role used to authenticate in AWS Toolkit must have sagemaker:StartSession on the Space resource ARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartSession",
            "Effect": "Allow",
            "Action": "sagemaker:StartSession",
            "Resource": "arn:aws:sagemaker:<region>:<account-id>:space/<domain-id>/*"
        }
    ]
}

⚠️ Using Resource: "*" is acceptable for testing but NOT recommended in production. Scope to specific Space ARNs.
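
A check for the scoping advice above, as an added example (not from the original article or from AWS): it flags Allow statements that grant sagemaker:StartSession on anything broader than the spaces of an allow-listed domain. The region, account ID, domain ID, Sids other than AllowStartSession, and all function names are constructed for illustration.

```python
import fnmatch

ACTION = "sagemaker:startsession"  # IAM action names are matched case-insensitively

def _listify(value):
    """Statement, Action and Resource may each be one value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _resource_problem(resource, allowed_domains):
    """Explain why a Resource is broader than one allow-listed domain, else None."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[2] != "sagemaker" or not parts[5].startswith("space/"):
        return "not a SageMaker space ARN"
    if "*" in parts[3] or "*" in parts[4]:
        return "wildcard region or account"
    if parts[5].split("/")[1] not in allowed_domains:
        return "domain is a wildcard or not on the allow-list"
    return None

def audit_start_session(policy, allowed_domains):
    """Return (sid, resource, reason) for each over-broad StartSession grant."""
    findings = []
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((stmt.get("Sid"), None, "NotAction/NotResource: review by hand"))
            continue
        patterns = [a.lower() for a in _listify(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(ACTION, p) for p in patterns):
            continue  # statement does not grant StartSession
        for resource in _listify(stmt.get("Resource")):
            reason = _resource_problem(resource, allowed_domains)
            if reason:
                findings.append((stmt.get("Sid"), resource, reason))
    return findings

# Constructed sample: the first statement follows the policy shape shown above.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStartSession", "Effect": "Allow", "Action": "sagemaker:StartSession",
     "Resource": "arn:aws:sagemaker:us-east-1:111122223333:space/d-exampledomain/*"},
    {"Sid": "TestingLeftover", "Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
    {"Sid": "AnyDomain", "Effect": "Allow", "Action": ["sagemaker:Start*"],
     "Resource": ["arn:aws:sagemaker:us-east-1:111122223333:space/*"]},
]}

if __name__ == "__main__":
    print(audit_start_session(SAMPLE_POLICY, {"d-exampledomain"}))
```

Wildcard actions such as sagemaker:* are matched too, since they grant StartSession implicitly.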

Network Requirements (VPC / Enterprise Environments)

⚠️ Missing VPC endpoints are the most common root cause of connectivity failures in enterprise environments.

  • VPC Interface Endpoint: ssmmessages — Required for Session Manager WebSocket tunnel. Must be in "Available" state.
  • VPC Interface Endpoint: ec2messages — Required alongside ssmmessages. Create both together.
  • Alternatively: NAT Gateway — Provides internet access from VPC; eliminates need for individual endpoints.
  • Proxy Configuration — If behind a corporate proxy, configure HTTP/HTTPS proxy in Kiro settings AND OS environment variables.
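
To confirm the two endpoints before debugging anything else, the following added example (not part of the original article) inspects saved output of `aws ec2 describe-vpc-endpoints --output json` and reports which required endpoint is missing from the VPC or not yet usable. The VPC IDs, endpoint IDs, region and function name are constructed for illustration.

```python
import json

REQUIRED_SERVICES = ("ssmmessages", "ec2messages")  # the two endpoints listed above

def check_session_manager_endpoints(describe_output, region, vpc_id):
    """Map each required service to a problem string; an empty dict means ready."""
    problems = {}
    endpoints = describe_output.get("VpcEndpoints", [])
    for service in REQUIRED_SERVICES:
        name = f"com.amazonaws.{region}.{service}"
        # An endpoint in a different VPC does not help the Space's VPC.
        found = [e for e in endpoints
                 if e.get("ServiceName") == name and e.get("VpcId") == vpc_id]
        if not found:
            problems[service] = "no endpoint in this VPC"
            continue
        usable = [e for e in found
                  if e.get("VpcEndpointType") == "Interface"
                  and str(e.get("State", "")).lower() == "available"]
        if not usable:
            states = sorted({str(e.get("State")) for e in found})
            problems[service] = "not an available Interface endpoint: " + ", ".join(states)
    return problems

# Constructed sample in the shape of the describe-vpc-endpoints response.
SAMPLE_OUTPUT = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0example1", "VpcId": "vpc-0example", "VpcEndpointType": "Interface",
   "ServiceName": "com.amazonaws.us-east-1.ssmmessages", "State": "available"},
  {"VpcEndpointId": "vpce-0example2", "VpcId": "vpc-0example", "VpcEndpointType": "Interface",
   "ServiceName": "com.amazonaws.us-east-1.ec2messages", "State": "pending"},
  {"VpcEndpointId": "vpce-0example3", "VpcId": "vpc-0other", "VpcEndpointType": "Interface",
   "ServiceName": "com.amazonaws.us-east-1.ec2messages", "State": "available"}
]}
""")

if __name__ == "__main__":
    print(check_session_manager_endpoints(SAMPLE_OUTPUT, "us-east-1", "vpc-0example"))
```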

Step 1: Connect Kiro to SageMaker AI Space

1.1 Install & Verify Session Manager Plugin

# Verify version (must be >= 1.1.23.0)
session-manager-plugin --version

# Quick execution test
session-manager-plugin "" "" StartSession "" "" ""
# Expected: "The Session Manager plugin was installed successfully..."

⚠️ On Windows, if blocked by enterprise security, move the session-manager-plugin.exe binary to an allowed directory and add it to the PATH.

1.2 Authenticate AWS Toolkit in Kiro

  1. Click the AWS Toolkit icon in the left sidebar.
  2. Click "Connect to AWS".
  3. Choose IAM Credentials (IAM user or role) — use the credentials that have access to the AWS account where your SageMaker AI domain and Space are created.
  4. Verify connection is successful.

1.3 Connect to the Space

Method A — From Kiro (AWS Toolkit Explorer):

  1. Open AWS Toolkit panel → Explorer section.
  2. Expand "SageMaker AI" in the Explorer tree.
  3. Your JupyterLab Spaces will appear under the domain.
  4. Click "Connect" on a running Space.

Method B — From SageMaker AI Studio Console (Deep Link):

  1. Open SageMaker AI Studio in your browser.
  2. Navigate to your JupyterLab Space.
  3. Click "Open in Kiro" button in the top right corner.
  4. Kiro opens and prompts to confirm the connection.

1.4 Remote Window Confirmation

  • Kiro opens a new remote window connected to the Space.
  • Bottom-left shows green "><" or remote host name.
  • Terminal prompt shows: sagemaker-user@default:~$
  • Session is valid for up to 12 hours.

Step 2: Set Up Git (GitHub / GitLab)

In SageMaker AI, Git can be configured in two ways:

  • Method A (Recommended): Register the Git repository at the account/domain level with credentials stored in AWS Secrets Manager — no manual PAT entry required in the terminal.
  • Method B (Alternative): Use git clone directly in the terminal with manual credential entry.

Unlike SageMaker Unified Studio (SMUS), SageMaker AI does not use AWS CodeConnections for Git. Instead, it uses its own built-in Git integration with Secrets Manager.

Method A: Register Git Repository with Secrets Manager (Recommended)

This approach stores credentials securely and eliminates the need to enter a PAT manually.

2.1 Store Credentials in AWS Secrets Manager

Create a secret in Secrets Manager with the following format:

{
  "username": "your-github-username",
  "password": "your-github-personal-access-token"
}

⚠️ The secret name must contain the string sagemaker. For GitHub, use a Personal Access Token (PAT) with repo scope in the password field.

2.2 Add Git Repository to SageMaker AI Account

  1. Open SageMaker AI console → Under Notebook, choose Git repositories → Add repository.
  2. Choose GitHub/Other Git-based repo.
  3. Enter repository name and HTTPS URL.
  4. Under Git credentials, select the Secrets Manager secret you created.
  5. Choose Add repository.

2.3 Attach Repository to Domain or User Profile

You can attach Git repo URLs at the domain level (inherited by all users) or user profile level (scoped to a specific user).

The JupyterLab built-in Git extension can also be used to clone from the UI — it will use the stored credentials automatically.

2.4 Clone and Push from Kiro Terminal

git clone https://github.com/your-org/your-repo.git
cd your-repo
git config --global user.name "Your Name"
git config --global user.email "your.email@example.com"

# Make changes
git add .
git commit -m "your commit message"
git push --set-upstream origin main
# No manual credentials prompt — Secrets Manager handles auth

Method B: Direct Terminal Git (Manual Credentials)

If you prefer not to use Secrets Manager, you can clone directly and enter credentials manually:

git clone https://github.com/your-org/your-repo.git
# Username: your-github-username
# Password: <PAT with repo scope>

# Store credentials so you don't get prompted again
git config --global credential.helper store

💡 In SageMaker AI JupyterLab Spaces, credentials stored via credential.helper store persist on the EBS volume — they survive instance restarts (unlike SMUS where storage is ephemeral).

For public repositories: No credentials are needed at all. Simply git clone <url> without any authentication setup.
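
git's store helper writes the PAT unencrypted to ~/.git-credentials, protected only by file permissions, so on a volume that survives restarts it is worth knowing what is sitting there. The following added example (not part of the original article) lists the hosts and usernames in that file and checks its mode without returning any secret; the function name and the expected_hosts parameter are assumptions of this example.

```python
import os
import stat
from urllib.parse import urlsplit

def audit_git_credential_store(path, expected_hosts=()):
    """Summarise a credential-store file without returning any secret value."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {
        "mode": oct(mode),
        # Any group/other permission bit exposes the tokens to other local users.
        "group_or_other_access": bool(mode & 0o077),
        "entries": [],
    }
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line:
                continue
            url = urlsplit(line)  # each line has the form scheme://user:secret@host
            report["entries"].append({
                "host": url.hostname,
                "username": url.username,
                "secret_stored": url.password is not None,
                "cleartext_transport": url.scheme == "http",
                "unexpected_host": bool(expected_hosts)
                                   and url.hostname not in expected_hosts,
            })
    return report

if __name__ == "__main__":
    store = os.path.expanduser("~/.git-credentials")
    if os.path.exists(store):
        print(audit_git_credential_store(store, expected_hosts={"github.com"}))
    else:
        print("no credential store at", store)
```

Run it in the Kiro remote terminal after the first authenticated push; an entry for a host you no longer use is a token to revoke at the provider and delete from the file.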

Fix Remote URL (if SSH error occurs)

If you see "Permission denied (publickey)" on push:

git remote -v
# If it shows git@github.com:... switch to HTTPS:
git remote set-url origin https://github.com/your-org/your-repo.git

Troubleshooting Quick Reference

| Symptom / Error | Likely Cause | Fix |
|---|---|---|
| Space not visible in Kiro Explorer | IAM credentials don't have access to the account/domain | Verify IAM user/role has SageMaker permissions in the correct account |
| "Resource space is not connected" | Session Manager Plugin blocked or missing | Verify plugin installed and not blocked by endpoint security |
| Connection timeout | Missing VPC endpoints or proxy not configured | Create ssmmessages + ec2messages VPC endpoints; configure proxy |
| Plugin not allowed to run | Enterprise security blocking binary | Move to allowed path; add to system PATH |
| "Permission denied (publickey)" on git push | Remote URL set to SSH | git remote set-url origin https://... |
| Credentials re-prompted every push | credential.helper not configured | git config --global credential.helper store |
| Remote Access not available | Feature not enabled on the domain/space | Toggle Remote Access ON in Space settings |

Enterprise Environment Considerations

  • Proxy Settings: Configure HTTP/HTTPS proxy in Kiro settings (Ctrl+,) AND in OS environment variables (HTTPS_PROXY, HTTP_PROXY, NO_PROXY).
  • Session Manager Plugin Path: If blocked by endpoint security (McAfee, CrowdStrike), copy to a whitelisted directory.
  • VPC Endpoints: In air-gapped environments, provision VPC Interface Endpoints for ssmmessages and ec2messages.
  • Internal CA / TLS Certificates: For internal GitLab: git config --global http.sslCAInfo /path/to/internal-ca.pem

AWS
EXPERT
published 5 days ago