logging: warn if SSO user has no accounts #3704

Problem:
If the user connects with a IdC/SSO account that is not fully
configured, selecting the connection silently does nothing, and does not
log anything.

Solution:
Log a warning.

Author: justinmk3

.changes/next-release/Feature-c5280d31-bcc3-4efa-a493-2f347669dabc.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "IAM Identity Center (SSO): log a warning if SSO user is not linked to an account"
+}

src/auth/auth.ts

@@ -212,7 +212,7 @@ export class Auth implements AuthService, ConnectionManager {
     }
 
     /**
-     * This method will gather all AWS accounts/roles that are associated with SSO connections.
+     * Gathers all AWS accounts/roles associated with SSO ("IAM Identity Center", "IdC") connections.
      *
      * Use {@link Auth.listConnections} when you do not want to make extra API calls to the SSO service.
      */
@@ -232,20 +232,22 @@ export class Auth implements AuthService, ConnectionManager {
             const linked = this.store
                 .listProfiles()
                 .filter(isLinkable)
-                .map(([id, profile]) =>
-                    toCollection(() =>
+                .map(([id, profile]) => {
+                    const startUrl = this.truncateStartUrl(profile.startUrl)
+                    return toCollection(() =>
                         loadLinkedProfilesIntoStore(
                             this.store,
                             id,
-                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile))
+                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile)),
+                            startUrl
                         )
                     )
                         .catch(err => {
                             getLogger().warn(`auth: failed to load linked profiles from "${id}": %s`, err)
                         })
                         .filter(isNonNullable)
                         .map(entry => this.getConnectionFromStoreEntry(entry))
-                )
+                })
 
             yield* linked.reduce(join, stream)
         }
@@ -748,8 +750,12 @@ export class Auth implements AuthService, ConnectionManager {
         return (this.#instance ??= new Auth(new ProfileStore(memento)))
     }
 
+    private truncateStartUrl(startUrl: string) {
+        return startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? startUrl
+    }
+
     private getSsoProfileLabel(profile: SsoProfile) {
-        const truncatedUrl = profile.startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? profile.startUrl
+        const truncatedUrl = this.truncateStartUrl(profile.startUrl)
 
         return profile.startUrl === builderIdStartUrl
             ? localizedText.builderId()

src/auth/connection.ts

@@ -9,6 +9,7 @@ import { builderIdStartUrl, SsoToken } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
 import { fromString } from './providers/credentials'
+import { getLogger } from '../shared/logger/logger'
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -247,18 +248,27 @@ export async function loadIamProfilesIntoStore(store: ProfileStore, manager: Cre
     }
 }
 
+/**
+ * Fetches profiles from the given SSO ("IAM Identity Center", "IdC") connection.
+ */
 export async function* loadLinkedProfilesIntoStore(
     store: ProfileStore,
     source: SsoConnection['id'],
-    client: SsoClient
+    client: SsoClient,
+    profileLabel: string
 ) {
+    const accounts = new Set<string>()
+    const found = new Set<Connection['id']>()
+
     const stream = client
         .listAccounts()
         .flatten()
-        .map(resp => client.listAccountRoles({ accountId: resp.accountId }).flatten())
+        .map(resp => {
+            accounts.add(resp.accountId)
+            return client.listAccountRoles({ accountId: resp.accountId }).flatten()
+        })
         .flatten()
 
-    const found = new Set<Connection['id']>()
     for await (const info of stream) {
         const name = `${info.roleName}-${info.accountId}`
         const id = `sso:${source}#${name}`
@@ -280,6 +290,20 @@ export async function* loadLinkedProfilesIntoStore(
         yield [id, profile] as const
     }
 
+    if (accounts.size === 0) {
+        // Possible causes:
+        // - SSO org has no "Permission sets"
+        // - user is not an "Assigned user" in any account in the SSO org
+        // - user is an "Assigned user" but no "Permission sets"
+        getLogger().warn('auth: SSO org (%s) returned no accounts', profileLabel)
+    } else if (found.size === 0) {
+        getLogger().warn(
+            'auth: SSO org (%s) returned no IAM credentials for account: %s',
+            profileLabel,
+            Array.from(accounts).join()
+        )
+    }
+
     // Clean-up stale references in case the user no longer has access
     for (const [id, profile] of store.listProfiles()) {
         if (profile.type === 'iam' && profile.subtype === 'linked' && profile.ssoSession === source && !found.has(id)) {