fix(cwl): pass credentials to LiveTail client #5993

keeganirby · web-flow · commit 30d92171efba · 2024-11-13T12:09:28.000-08:00
## Problem
When creating the CloudWatchClient for a LiveTail session, we are not
specifying which credentials to use. This is causing the client to
always use the `Default` credential profile, even if a different AWS
Credential profile is selected within AWSToolkit.

## Solution
Resolve the active AWS credential from `globals.awsContext`, and supply
that to the LiveTailSession constructor. These credentials are then use
to construct the CWL client.
diff --git a/packages/core/src/awsService/cloudWatchLogs/commands/tailLogGroup.ts b/packages/core/src/awsService/cloudWatchLogs/commands/tailLogGroup.ts
@@ -13,7 +13,7 @@ import {
     LiveTailSessionUpdate,
     StartLiveTailResponseStream,
 } from '@aws-sdk/client-cloudwatch-logs'
-import { getLogger, ToolkitError } from '../../../shared'
+import { getLogger, globals, ToolkitError } from '../../../shared'
 import { uriToKey } from '../cloudWatchLogsUtils'
 
 export async function tailLogGroup(
@@ -25,12 +25,16 @@ export async function tailLogGroup(
     if (!wizardResponse) {
         throw new CancellationError('user')
     }
-
+    const awsCredentials = await globals.awsContext.getCredentials()
+    if (awsCredentials === undefined) {
+        throw new ToolkitError('Failed to start LiveTail session: credentials are undefined.')
+    }
     const liveTailSessionConfig: LiveTailSessionConfiguration = {
         logGroupArn: wizardResponse.regionLogGroupSubmenuResponse.data,
         logStreamFilter: wizardResponse.logStreamFilter,
         logEventFilterPattern: wizardResponse.filterPattern,
         region: wizardResponse.regionLogGroupSubmenuResponse.region,
+        awsCredentials: awsCredentials,
     }
     const session = new LiveTailSession(liveTailSessionConfig)
     if (registry.has(uriToKey(session.uri))) {
diff --git a/packages/core/src/awsService/cloudWatchLogs/registry/liveTailSession.ts b/packages/core/src/awsService/cloudWatchLogs/registry/liveTailSession.ts
@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import * as vscode from 'vscode'
+import * as AWS from '@aws-sdk/types'
 import {
     CloudWatchLogsClient,
     StartLiveTailCommand,
@@ -19,6 +20,7 @@ export type LiveTailSessionConfiguration = {
     logStreamFilter?: LogStreamFilterResponse
     logEventFilterPattern?: string
     region: string
+    awsCredentials: AWS.Credentials
 }
 
 export type LiveTailSessionClient = {
@@ -49,6 +51,7 @@ export class LiveTailSession {
         this.logStreamFilter = configuration.logStreamFilter
         this.liveTailClient = {
             cwlClient: new CloudWatchLogsClient({
+                credentials: configuration.awsCredentials,
                 region: configuration.region,
                 customUserAgent: getUserAgent(),
             }),
diff --git a/packages/core/src/test/awsService/cloudWatchLogs/commands/tailLogGroup.test.ts b/packages/core/src/test/awsService/cloudWatchLogs/commands/tailLogGroup.test.ts
@@ -20,13 +20,14 @@ import {
 import { getTestWindow } from '../../../shared/vscode/window'
 import { CloudWatchLogsSettings, uriToKey } from '../../../../awsService/cloudWatchLogs/cloudWatchLogsUtils'
 import { installFakeClock } from '../../../testUtil'
-import { DefaultAwsContext } from '../../../../shared'
+import { DefaultAwsContext, ToolkitError } from '../../../../shared'
 
 describe('TailLogGroup', function () {
     const testLogGroup = 'test-log-group'
     const testRegion = 'test-region'
     const testMessage = 'test-message'
     const testAwsAccountId = '1234'
+    const testAwsCredentials = {} as any as AWS.Credentials
 
     let sandbox: sinon.SinonSandbox
     let registry: LiveTailSessionRegistry
@@ -57,6 +58,8 @@ describe('TailLogGroup', function () {
 
     it('starts LiveTailSession and writes to document. Closes tab and asserts session gets closed.', async function () {
         sandbox.stub(DefaultAwsContext.prototype, 'getCredentialAccountId').returns(testAwsAccountId)
+        sandbox.stub(DefaultAwsContext.prototype, 'getCredentials').returns(Promise.resolve(testAwsCredentials))
+
         wizardSpy = sandbox.stub(TailLogGroupWizard.prototype, 'run').callsFake(async function () {
             return getTestWizardResponse()
         })
@@ -122,6 +125,19 @@ describe('TailLogGroup', function () {
         assert.strictEqual(stopLiveTailSessionSpy.calledOnce, true)
     })
 
+    it('throws if crendentials are undefined', async function () {
+        sandbox.stub(DefaultAwsContext.prototype, 'getCredentials').returns(Promise.resolve(undefined))
+        wizardSpy = sandbox.stub(TailLogGroupWizard.prototype, 'run').callsFake(async function () {
+            return getTestWizardResponse()
+        })
+        await assert.rejects(async () => {
+            await tailLogGroup(registry, {
+                groupName: testLogGroup,
+                regionName: testRegion,
+            })
+        }, ToolkitError)
+    })
+
     it('closeSession removes session from registry and calls underlying stopLiveTailSession function.', function () {
         stopLiveTailSessionSpy = sandbox
             .stub(LiveTailSession.prototype, 'stopLiveTailSession')
@@ -132,6 +148,7 @@ describe('TailLogGroup', function () {
         const session = new LiveTailSession({
             logGroupArn: testLogGroup,
             region: testRegion,
+            awsCredentials: testAwsCredentials,
         })
         registry.set(uriToKey(session.uri), session)
 
@@ -145,6 +162,7 @@ describe('TailLogGroup', function () {
         const session = new LiveTailSession({
             logGroupArn: testLogGroup,
             region: testRegion,
+            awsCredentials: testAwsCredentials,
         })
         const testData = 'blah blah blah'
         const document = await vscode.workspace.openTextDocument(session.uri)
diff --git a/packages/core/src/test/awsService/cloudWatchLogs/registry/liveTailRegistry.test.ts b/packages/core/src/test/awsService/cloudWatchLogs/registry/liveTailRegistry.test.ts
@@ -11,12 +11,14 @@ import { cloudwatchLogsLiveTailScheme } from '../../../../shared/constants'
 describe('LiveTailSession URI', async function () {
     const testLogGroupName = 'test-log-group'
     const testRegion = 'test-region'
+    const testAwsCredentials = {} as any as AWS.Credentials
     const expectedUriBase = `${cloudwatchLogsLiveTailScheme}:${testRegion}:${testLogGroupName}`
 
     it('is correct with no logStream filter, no filter pattern', function () {
         const config: LiveTailSessionConfiguration = {
             logGroupArn: testLogGroupName,
             region: testRegion,
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(expectedUriBase)
         const uri = createLiveTailURIFromArgs(config)
@@ -28,6 +30,7 @@ describe('LiveTailSession URI', async function () {
             logGroupArn: testLogGroupName,
             region: testRegion,
             logEventFilterPattern: 'test-filter',
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(`${expectedUriBase}:test-filter`)
         const uri = createLiveTailURIFromArgs(config)
@@ -41,6 +44,7 @@ describe('LiveTailSession URI', async function () {
             logStreamFilter: {
                 type: 'all',
             },
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(`${expectedUriBase}:all`)
         const uri = createLiveTailURIFromArgs(config)
@@ -55,6 +59,7 @@ describe('LiveTailSession URI', async function () {
                 type: 'prefix',
                 filter: 'test-prefix',
             },
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(`${expectedUriBase}:prefix:test-prefix`)
         const uri = createLiveTailURIFromArgs(config)
@@ -69,6 +74,7 @@ describe('LiveTailSession URI', async function () {
                 type: 'specific',
                 filter: 'test-stream',
             },
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(`${expectedUriBase}:specific:test-stream`)
         const uri = createLiveTailURIFromArgs(config)
@@ -84,6 +90,7 @@ describe('LiveTailSession URI', async function () {
                 filter: 'test-stream',
             },
             logEventFilterPattern: 'test-filter',
+            awsCredentials: testAwsCredentials,
         }
         const expectedUri = vscode.Uri.parse(`${expectedUriBase}:specific:test-stream:test-filter`)
         const uri = createLiveTailURIFromArgs(config)
