feat(auth): add STS credential management and mfa verification (#7811)

## Problem
The webview does not support STS credentials input (sessionToken and
roleArn) and endpoint to LSP does not support STS credentials and
profiles.

## Solution
This is part of #7507 and
is built on top of #7797.

- Add STS credentials input box webview, enabling mfa verification if
credentials has assume role with mfa permission
- Modify AuthUtils and auth2.ts to accommodate new IAM profile type
- Add stsCache and other sts handlers to connect to LSP

---
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

---------

Co-authored-by: Ramon Li <[email protected]>

Author: yuxianrz

package-lock.json

@@ -1196,106 +1196,134 @@
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d1"
+                    "fontCharacter": "\\f1d3"
                 }
             },
             "aws-mynah-MynahIconBlack": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d2"
+                    "fontCharacter": "\\f1d4"
                 }
             },
             "aws-mynah-MynahIconWhite": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d3"
+                    "fontCharacter": "\\f1d5"
                 }
             },
             "aws-mynah-logo": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d4"
+                    "fontCharacter": "\\f1d6"
                 }
             },
             "aws-redshift-cluster": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d5"
+                    "fontCharacter": "\\f1d7"
                 }
             },
             "aws-redshift-cluster-connected": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d6"
+                    "fontCharacter": "\\f1d8"
                 }
             },
             "aws-redshift-database": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d7"
+                    "fontCharacter": "\\f1d9"
                 }
             },
             "aws-redshift-redshift-cluster-connected": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d8"
+                    "fontCharacter": "\\f1da"
                 }
             },
             "aws-redshift-schema": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1d9"
+                    "fontCharacter": "\\f1db"
                 }
             },
             "aws-redshift-table": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1da"
+                    "fontCharacter": "\\f1dc"
                 }
             },
             "aws-s3-bucket": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1db"
+                    "fontCharacter": "\\f1dd"
                 }
             },
             "aws-s3-create-bucket": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1dc"
+                    "fontCharacter": "\\f1de"
                 }
             },
             "aws-schemas-registry": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1dd"
+                    "fontCharacter": "\\f1e1"
                 }
             },
             "aws-schemas-schema": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
-                    "fontCharacter": "\\f1de"
+                    "fontCharacter": "\\f1e2"
                 }
             },
             "aws-stepfunctions-preview": {
+                "description": "AWS Contributed Icon",
+                "default": {
+                    "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
+                    "fontCharacter": "\\f1e3"
+                }
+            },
+            "aws-lambda-create-stack": {
+                "description": "AWS Contributed Icon",
+                "default": {
+                    "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
+                    "fontCharacter": "\\f1d1"
+                }
+            },
+            "aws-lambda-create-stack-light": {
+                "description": "AWS Contributed Icon",
+                "default": {
+                    "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
+                    "fontCharacter": "\\f1d2"
+                }
+            },
+            "aws-sagemaker-code-editor": {
                 "description": "AWS Contributed Icon",
                 "default": {
                     "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
                     "fontCharacter": "\\f1df"
                 }
+            },
+            "aws-sagemaker-jupyter-lab": {
+                "description": "AWS Contributed Icon",
+                "default": {
+                    "fontPath": "./resources/fonts/aws-toolkit-icons.woff",
+                    "fontCharacter": "\\f1e0"
+                }
             }
         },
         "walkthroughs": [

packages/amazonq/package.json

@@ -164,6 +164,9 @@ export async function startLanguageServer(
             },
             credentials: {
                 providesBearerToken: true,
+                // Add IAM credentials support
+                providesIamCredentials: true,
+                supportsAssumeRole: true,
             },
         },
         /**
@@ -211,9 +214,10 @@ export async function startLanguageServer(
 
         /** All must be setup before {@link AuthUtil.restore} otherwise they may not trigger when expected */
         AuthUtil.instance.regionProfileManager.onDidChangeRegionProfile(async () => {
+            const activeProfile = AuthUtil.instance.regionProfileManager.activeRegionProfile
             void pushConfigUpdate(client, {
                 type: 'profile',
-                profileArn: AuthUtil.instance.regionProfileManager.activeRegionProfile?.arn,
+                profileArn: activeProfile?.arn,
             })
         })
 

packages/amazonq/src/lsp/client.ts

@@ -11,13 +11,29 @@ import { createTestAuthUtil, TestFolder } from 'aws-core-vscode/test'
 import { constants, cache } from 'aws-core-vscode/auth'
 import { auth2 } from 'aws-core-vscode/auth'
 import { mementoUtils, fs } from 'aws-core-vscode/shared'
+import { GetIamCredentialResult } from '@aws/language-server-runtimes/protocol'
 
 describe('AuthUtil', async function () {
     let auth: any
+    let mockResponse: GetIamCredentialResult
 
     beforeEach(async function () {
         await createTestAuthUtil()
         auth = AuthUtil.instance
+        mockResponse = {
+            credential: {
+                id: 'test-credential-id',
+                kinds: [],
+                credentials: {
+                    accessKeyId: 'encrypted-access-key',
+                    secretAccessKey: 'encrypted-secret-key',
+                    sessionToken: 'encrypted-session-token',
+                },
+            },
+            updateCredentialsParams: {
+                data: 'credential-data',
+            },
+        } satisfies GetIamCredentialResult
     })
 
     afterEach(async function () {
@@ -412,36 +428,51 @@ describe('AuthUtil', async function () {
 
     describe('loginIam', function () {
         it('creates IAM session and logs in', async function () {
-            const mockResponse = {
-                id: 'test-credential-id',
-                credentials: {
-                    accessKeyId: 'encrypted-access-key',
-                    secretAccessKey: 'encrypted-secret-key',
-                    sessionToken: 'encrypted-session-token',
-                },
-                updateCredentialsParams: {
-                    data: 'credential-data',
-                },
-            }
-
             const mockIamLogin = {
                 login: sinon.stub().resolves(mockResponse),
                 loginType: 'iam',
             }
 
             sinon.stub(auth2, 'IamLogin').returns(mockIamLogin as any)
 
-            const response = await auth.loginIam('accessKey', 'secretKey', 'sessionToken')
+            const response = await auth.loginIam({
+                accessKey: 'testAccessKey',
+                secretKey: 'testSecretKey',
+                sessionToken: 'testSessionToken',
+            })
 
             assert.ok(mockIamLogin.login.calledOnce)
             assert.ok(
-                mockIamLogin.login.calledWith({
-                    accessKey: 'accessKey',
-                    secretKey: 'secretKey',
+                mockIamLogin.login.calledWithMatch({
+                    accessKey: 'testAccessKey',
+                    secretKey: 'testSecretKey',
+                    sessionToken: 'testSessionToken',
                 })
             )
             assert.strictEqual(response, mockResponse)
         })
+
+        it('creates IAM session with role ARN', async function () {
+            const mockIamLoginArn = {
+                login: sinon.stub().resolves(mockResponse),
+                loginType: 'iam',
+            }
+
+            sinon.stub(auth2, 'IamLogin').returns(mockIamLoginArn as any)
+
+            const opts: auth2.IamProfileOptions = {
+                accessKey: 'testAccessKey',
+                secretKey: 'testSecretKey',
+                sessionToken: 'testSessionToken',
+                roleArn: 'arn:aws:iam::123456789012:role/TestRole',
+            }
+
+            const response = await auth.loginIam(opts)
+
+            assert.ok(mockIamLoginArn.login.calledOnce)
+            assert.ok(mockIamLoginArn.login.calledWith(opts))
+            assert.strictEqual(response, mockResponse)
+        })
     })
 
     describe('getIamCredential', function () {

packages/amazonq/test/unit/codewhisperer/util/authUtil.test.ts

@@ -443,8 +443,8 @@
         "@aws-sdk/types": "^3.13.1",
         "@aws/chat-client": "^0.1.4",
         "@aws/chat-client-ui-types": "^0.1.53",
-        "@aws/language-server-runtimes": "^0.2.111",
-        "@aws/language-server-runtimes-types": "^0.1.47",
+        "@aws/language-server-runtimes": "^0.2.120",
+        "@aws/language-server-runtimes-types": "^0.1.52",
         "@cspotcode/source-map-support": "^0.8.1",
         "@sinonjs/fake-timers": "^10.0.2",
         "@types/adm-zip": "^0.4.34",