feat(auth): warn if SSO user has no accounts #3713

Problem:
If the user connects with a IdC/SSO account that is not fully
configured, selecting the connection silently does nothing.

Solution:
Show a error message (unless it was already shown).

Followup to #3704 24917d1

Author: justinmk3

.changes/next-release/Feature-ff7562fc-d346-404a-9e2e-86d57d12d97a.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "IAM Identity Center (SSO): show an error if SSO user is not assigned to an account with a Permission Set"
+}

src/auth/auth.ts

@@ -17,7 +17,7 @@ import { Timeout } from '../shared/utilities/timeoutUtils'
 import { errorCode, isAwsError, isNetworkError, ToolkitError, UnknownError } from '../shared/errors'
 import { getCache } from './sso/cache'
 import { createFactoryFunction, isNonNullable, Mutable } from '../shared/utilities/tsUtils'
-import { builderIdStartUrl, SsoToken } from './sso/model'
+import { builderIdStartUrl, SsoToken, truncateStartUrl } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { getLogger } from '../shared/logger'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
@@ -212,9 +212,10 @@ export class Auth implements AuthService, ConnectionManager {
     }
 
     /**
-     * Gathers all AWS accounts/roles associated with SSO ("IAM Identity Center", "IdC") connections.
+     * Gathers all local profiles plus any AWS accounts/roles associated with SSO ("IAM Identity
+     * Center", "IdC") connections.
      *
-     * Use {@link Auth.listConnections} when you do not want to make extra API calls to the SSO service.
+     * Use {@link Auth.listConnections} to avoid API calls to the SSO service.
      */
     public listAndTraverseConnections(): AsyncCollection<Connection> {
         async function* load(this: Auth) {
@@ -233,13 +234,12 @@ export class Auth implements AuthService, ConnectionManager {
                 .listProfiles()
                 .filter(isLinkable)
                 .map(([id, profile]) => {
-                    const startUrl = this.truncateStartUrl(profile.startUrl)
                     return toCollection(() =>
                         loadLinkedProfilesIntoStore(
                             this.store,
                             id,
                             this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile)),
-                            startUrl
+                            profile.startUrl
                         )
                     )
                         .catch(err => {
@@ -750,12 +750,8 @@ export class Auth implements AuthService, ConnectionManager {
         return (this.#instance ??= new Auth(new ProfileStore(memento)))
     }
 
-    private truncateStartUrl(startUrl: string) {
-        return startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? startUrl
-    }
-
     private getSsoProfileLabel(profile: SsoProfile) {
-        const truncatedUrl = this.truncateStartUrl(profile.startUrl)
+        const truncatedUrl = truncateStartUrl(profile.startUrl)
 
         return profile.startUrl === builderIdStartUrl
             ? localizedText.builderId()

src/auth/connection.ts

@@ -5,11 +5,18 @@
 import * as vscode from 'vscode'
 import { Credentials } from '@aws-sdk/types'
 import { Mutable } from '../shared/utilities/tsUtils'
-import { builderIdStartUrl, SsoToken } from './sso/model'
+import { builderIdStartUrl, SsoToken, truncateStartUrl } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
 import { fromString } from './providers/credentials'
 import { getLogger } from '../shared/logger/logger'
+import { showMessageWithUrl } from '../shared/utilities/messages'
+import { onceChanged } from '../shared/utilities/functionUtils'
+
+/** Shows an error message unless it is the same as the last one shown. */
+const warnOnce = onceChanged((s: string, url: string) => {
+    showMessageWithUrl(s, url, undefined, 'error')
+})
 
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
@@ -255,7 +262,7 @@ export async function* loadLinkedProfilesIntoStore(
     store: ProfileStore,
     source: SsoConnection['id'],
     client: SsoClient,
-    profileLabel: string
+    startUrl: string
 ) {
     const accounts = new Set<string>()
     const found = new Set<Connection['id']>()
@@ -290,17 +297,21 @@ export async function* loadLinkedProfilesIntoStore(
         yield [id, profile] as const
     }
 
-    if (accounts.size === 0) {
+    const isBuilderId = startUrl === builderIdStartUrl // Special case.
+    if (!isBuilderId && (accounts.size === 0 || found.size === 0)) {
+        const name = truncateStartUrl(startUrl)
         // Possible causes:
         // - SSO org has no "Permission sets"
         // - user is not an "Assigned user" in any account in the SSO org
         // - user is an "Assigned user" but no "Permission sets"
-        getLogger().warn('auth: SSO org (%s) returned no accounts', profileLabel)
-    } else if (found.size === 0) {
-        getLogger().warn(
-            'auth: SSO org (%s) returned no IAM credentials for account: %s',
-            profileLabel,
-            Array.from(accounts).join()
+        if (accounts.size === 0) {
+            getLogger().warn('auth: SSO org (%s) returned no accounts', name)
+        } else if (found.size === 0) {
+            getLogger().warn('auth: SSO org (%s) returned no roles for account: %s', name, Array.from(accounts).join())
+        }
+        warnOnce(
+            `IAM Identity Center (${name}) returned no roles. Ensure the user is assigned to an account with a Permission Set.`,
+            'https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html'
         )
     }
 

src/auth/sso/model.ts

@@ -82,6 +82,10 @@ export const trustedDomainCancellation = 'TrustedDomainCancellation'
 const tryOpenHelpUrl = (url: vscode.Uri) =>
     openUrl(url).catch(e => getLogger().verbose('auth: failed to open help URL: %s', e))
 
+export function truncateStartUrl(startUrl: string) {
+    return startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? startUrl
+}
+
 export async function openSsoPortalLink(
     startUrl: string,
     authorization: { readonly verificationUri: string; readonly userCode: string }

src/auth/ui/vue/show.ts

@@ -91,7 +91,7 @@ export class AuthWebview extends VueWebview {
     }
 
     /**
-     * Returns true if any credentials are found, even ones associated with an sso
+     * Returns true if any credentials are found, including those discovered from SSO service API.
      */
     async isCredentialExists(): Promise<boolean> {
         return (await Auth.instance.listAndTraverseConnections().promise()).find(isIamConnection) !== undefined

src/test/credentials/auth.test.ts

@@ -285,6 +285,20 @@ describe('Auth', function () {
             )
         })
 
+        it('shows a user message if SSO connection returned no accounts/roles', async function () {
+            auth.ssoClient.listAccounts.returns(
+                toCollection(async function* () {
+                    yield []
+                })
+            )
+            await auth.createConnection(linkedSsoProfile)
+            await auth.listAndTraverseConnections().promise()
+            assert.strictEqual(
+                getTestWindow().shownMessages[0].message,
+                'IAM Identity Center (d-0123456789) returned no roles. Ensure the user is assigned to an account with a Permission Set.'
+            )
+        })
+
         it('does not gather linked accounts when calling `listConnections`', async function () {
             await auth.createConnection(linkedSsoProfile)
             const connections = await auth.listConnections()