diff --git a/Dockerfile b/Dockerfile index c2b3335..043fc90 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,6 +33,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ sudo \ locales \ procps \ + unzip \ && ln -s /usr/bin/fdfind /usr/local/bin/fd \ && rm -rf /var/lib/apt/lists/* @@ -53,6 +54,18 @@ RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && \ RUN npm install -g opencode-ai@${OPENCODE_VERSION} && \ opencode --version +# ── AWS CLI v2 (for SSO/Bedrock authentication) ───────────────────── +RUN ARCH=$(case "${TARGETARCH}" in \ + amd64) echo "x86_64" ;; \ + arm64) echo "aarch64" ;; \ + *) echo "x86_64" ;; \ + esac) && \ + curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-${ARCH}.zip" -o /tmp/awscli.zip && \ + unzip -q /tmp/awscli.zip -d /tmp && \ + /tmp/aws/install && \ + rm -rf /tmp/aws /tmp/awscli.zip && \ + aws --version + # ── Optional: Python ───────────────────────────────────────────────── ARG INSTALL_PYTHON=false RUN if [ "${INSTALL_PYTHON}" = "true" ]; then \ diff --git a/README.md b/README.md index 2d2caa0..b9102d0 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ docker compose run --rm devbox - **MCP server support** — Node.js included for `npx`-based MCP servers - **Non-root user** — runs as `developer` (UID 1000) with sudo - **Optional runtimes** — Python, Go via build args (Node.js always included — required for opencode v1.x) +- **AWS CLI v2** — built-in SSO/Bedrock authentication with headless device-code flow - **Multi-arch** — amd64 and arm64 ## Configuration 
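Review bot: The AWS CLI step in the second Dockerfile hunk executes `/tmp/aws/install` from a zip fetched at the unversioned "latest" URL with no integrity check, so the image contents can change between builds and only TLS vouches for the installer. Pin a release through a build arg and the versioned file name AWS publishes, e.g. `awscli-exe-linux-${ARCH}-${AWSCLI_VERSION}.zip`. Then verify the archive before the install line, either against the detached PGP signature AWS serves at the same URL with `.sig` appended, or against a SHA-256 recorded in the repo for each architecture. The `*)` arm also maps any unrecognised or empty `TARGETARCH` to x86_64; failing there makes a mis-set build obvious: `*) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;;`. Whether `ARG TARGETARCH` is declared in this stage is not visible in the hunk, so confirm it is, otherwise every build takes that default arm.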
@@ -70,6 +71,25 @@ docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true | `INSTALL_PYTHON` | `false` | Python 3 + pip + venv | | `INSTALL_GO` | `false` | Go toolchain | +## AWS Bedrock Authentication + +When using AWS Bedrock as your LLM provider, you need to authenticate via AWS SSO from inside the container. Since the container runs headless (no browser), use the device-code flow: + +```bash +# Start the container interactively +docker compose run --rm devbox bash + +# Authenticate — prints a URL and code you open in your local browser +aws sso login --sso-session --use-device-code + +# Once approved in the browser, start opencode +opencode +``` + +The `--use-device-code` flag outputs a URL and short code instead of trying to open a browser. Copy the URL into any browser (on your laptop, phone, etc.), enter the code, and complete the 2FA flow. The CLI in the container picks up the session automatically. + +SSO sessions typically last 8–12 hours before requiring re-authentication. + ## Architecture ``` @@ -80,7 +100,8 @@ Host Machine Container (Debian bookworm) ├── opencode binary -├── git, ssh, ripgrep, fd, jq, curl +├── AWS CLI v2 (SSO + Bedrock auth) +├── git, ssh, ripgrep, fd, jq, curl, fzf ├── Node.js (for MCP servers) ├── entrypoint.sh (SSH perms, git config, provider setup) └── /workspace ← your code lives here