add sts credentials and webview, add autofill for IAM and STS

Author: yuxianrz

packages/amazonq/src/extensionNode.ts

@@ -100,8 +100,8 @@ async function activateAmazonQNode(context: vscode.ExtensionContext) {
 async function getAuthState(): Promise<Omit<AuthUserState, 'source'>> {
     const state = AuthUtil.instance.getAuthState()
 
-    if (AuthUtil.instance.isConnected() && !(AuthUtil.instance.isSsoSession() || isSageMaker())) {
-        getLogger().error('Current Amazon Q connection is not SSO')
+    if (AuthUtil.instance.isConnected() && !(AuthUtil.instance.isSsoSession() || AuthUtil.instance.isIamSession() || isSageMaker())) {
+        getLogger().error('Current Amazon Q connection is not SSO nor IAM')
     }
 
     return {

packages/amazonq/src/lsp/client.ts

@@ -164,6 +164,9 @@ export async function startLanguageServer(
             },
             credentials: {
                 providesBearerToken: true,
+                // Add IAM credentials support
+                providesIamCredentials: true,
+                supportsAssumeRole: true,
             },
         },
         /**
@@ -211,9 +214,10 @@ export async function startLanguageServer(
 
         /** All must be setup before {@link AuthUtil.restore} otherwise they may not trigger when expected */
         AuthUtil.instance.regionProfileManager.onDidChangeRegionProfile(async () => {
+            const activeProfile = AuthUtil.instance.regionProfileManager.activeRegionProfile
             void pushConfigUpdate(client, {
                 type: 'profile',
-                profileArn: AuthUtil.instance.regionProfileManager.activeRegionProfile?.arn,
+                profileArn: activeProfile?.arn,
             })
         })
 
@@ -286,6 +290,11 @@ async function postStartLanguageServer(
             sso: {
                 startUrl: AuthUtil.instance.connection?.startUrl,
             },
+            // Add IAM credentials metadata
+            iam: {
+                region: AuthUtil.instance.connection?.region,
+                accesskey: AuthUtil.instance.connection?.accessKey,
+            },
         }
     })
 

packages/core/src/auth/auth2.ts

@@ -12,16 +12,20 @@ import {
     GetIamCredentialParams,
     getIamCredentialRequestType,
     GetIamCredentialResult,
+    InvalidateStsCredentialResult,
     IamIdentityCenterSsoTokenSource,
     InvalidateSsoTokenParams,
+    InvalidateStsCredentialParams,
     invalidateSsoTokenRequestType,
+    invalidateStsCredentialRequestType,
     ProfileKind,
     UpdateProfileParams,
     updateProfileRequestType,
     SsoTokenChangedParams,
-    // StsCredentialChangedParams,
+    StsCredentialChangedParams,
+    StsCredentialChangedKind,
     ssoTokenChangedRequestType,
-    // stsCredentialChangedRequestType,
+    stsCredentialChangedRequestType,
     AwsBuilderIdSsoTokenSource,
     UpdateCredentialsParams,
     AwsErrorCodes,
@@ -36,6 +40,7 @@ import {
     iamCredentialsDeleteNotificationType,
     bearerCredentialsDeleteNotificationType,
     bearerCredentialsUpdateRequestType,
+    SsoTokenChangedKind,
     RequestType,
     ResponseMessage,
     NotificationType,
@@ -44,16 +49,12 @@ import {
     iamCredentialsUpdateRequestType,
     Profile,
     SsoSession,
-    SsoTokenChangedKind,
-    // invalidateStsCredentialRequestType,
-    // InvalidateStsCredentialParams,
-    // InvalidateStsCredentialResult,
 } from '@aws/language-server-runtimes/protocol'
 import { LanguageClient } from 'vscode-languageclient'
 import { getLogger } from '../shared/logger/logger'
 import { ToolkitError } from '../shared/errors'
 import { useDeviceFlow } from './sso/ssoAccessTokenProvider'
-import { getCacheDir, getCacheFileWatcher, getFlareCacheFileName } from './sso/cache'
+import { getCacheDir, getCacheFileWatcher, getFlareCacheFileName, getStsCacheDir } from './sso/cache'
 import { VSCODE_EXTENSION_ID } from '../shared/extensions'
 import { IamCredentials } from '@aws/language-server-runtimes-types'
 
@@ -83,6 +84,8 @@ export type LoginType = (typeof LoginTypes)[keyof typeof LoginTypes]
 
 export type cacheChangedEvent = 'delete' | 'create'
 
+export type stsCacheChangedEvent = 'delete' | 'create'
+
 export type Login = SsoLogin | IamLogin
 
 export type TokenSource = IamIdentityCenterSsoTokenSource | AwsBuilderIdSsoTokenSource
@@ -92,6 +95,7 @@ export type TokenSource = IamIdentityCenterSsoTokenSource | AwsBuilderIdSsoToken
  */
 export class LanguageClientAuth {
     readonly #ssoCacheWatcher = getCacheFileWatcher(getCacheDir(), getFlareCacheFileName(VSCODE_EXTENSION_ID.amazonq))
+    readonly #stsCacheWatcher = getCacheFileWatcher(getStsCacheDir(), getFlareCacheFileName(VSCODE_EXTENSION_ID.amazonq))
 
     constructor(
         private readonly client: LanguageClient,
@@ -103,6 +107,10 @@ export class LanguageClientAuth {
         return this.#ssoCacheWatcher
     }
 
+    public get stsCacheWatcher() {
+        return this.#stsCacheWatcher
+    }
+
     getSsoToken(
         tokenSource: TokenSource,
         login: boolean = false,
@@ -155,6 +163,7 @@ export class LanguageClientAuth {
                     sso_session: profileName,
                     aws_access_key_id: '',
                     aws_secret_access_key: '',
+                    role_arn: '',
                 },
             },
             ssoSession: {
@@ -259,24 +268,29 @@ export class LanguageClientAuth {
         } satisfies InvalidateSsoTokenParams) as Promise<InvalidateSsoTokenResult>
     }
 
-    // invalidateStsCredential(tokenId: string) {
-    //     return this.client.sendRequest(invalidateStsCredentialRequestType.method, {
-    //         stsCredentialId: tokenId,
-    //     } satisfies InvalidateStsCredentialParams) as Promise<InvalidateStsCredentialResult>
-    // }
+    invalidateStsCredential(tokenId: string) {
+        return this.client.sendRequest(invalidateStsCredentialRequestType.method, {
+            profileName: tokenId,
+        } satisfies InvalidateStsCredentialParams) as Promise<InvalidateStsCredentialResult>
+    }
 
     registerSsoTokenChangedHandler(ssoTokenChangedHandler: (params: SsoTokenChangedParams) => any) {
         this.client.onNotification(ssoTokenChangedRequestType.method, ssoTokenChangedHandler)
     }
 
-    // registerStsCredentialChangedHandler(stsCredentialChangedHandler: (params: StsCredentialChangedParams) => any) {
-    //     this.client.onNotification(stsCredentialChangedRequestType.method, stsCredentialChangedHandler)
-    // }
+    registerStsCredentialChangedHandler(stsCredentialChangedHandler: (params: StsCredentialChangedParams) => any) {
+        this.client.onNotification(stsCredentialChangedRequestType.method, stsCredentialChangedHandler)
+    }
 
     registerCacheWatcher(cacheChangedHandler: (event: cacheChangedEvent) => any) {
         this.cacheWatcher.onDidCreate(() => cacheChangedHandler('create'))
         this.cacheWatcher.onDidDelete(() => cacheChangedHandler('delete'))
     }
+
+    registerStsCacheWatcher(stsCacheChangedHandler: (event: stsCacheChangedEvent) => any) {
+        this.stsCacheWatcher.onDidCreate(() => stsCacheChangedHandler('create'))
+        this.stsCacheWatcher.onDidDelete(() => stsCacheChangedHandler('delete'))
+    }
 }
 
 /**
@@ -286,7 +300,7 @@ export abstract class BaseLogin {
     protected loginType: LoginType | undefined
     protected connectionState: AuthState = 'notConnected'
     protected cancellationToken: CancellationTokenSource | undefined
-    protected _data: { startUrl?: string; region?: string; accessKey?: string; secretKey?: string } | undefined
+    protected _data: { startUrl?: string; region?: string; accessKey?: string; secretKey?: string; sessionToken?: string } | undefined
 
     constructor(
         public readonly profileName: string,
@@ -504,16 +518,16 @@ export class SsoLogin extends BaseLogin {
 export class IamLogin extends BaseLogin {
     // Cached information from the identity server for easy reference
     override readonly loginType = LoginTypes.IAM
-    // private iamCredentialId: string | undefined
+    private iamCredentialId: string | undefined
 
     constructor(profileName: string, lspAuth: LanguageClientAuth, eventEmitter: vscode.EventEmitter<AuthStateEvent>) {
         super(profileName, lspAuth, eventEmitter)
-        // lspAuth.registerStsCredentialChangedHandler((params: StsCredentialChangedParams) =>
-        //     this.stsCredentialChangedHandler(params)
-        // )
+        lspAuth.registerStsCredentialChangedHandler((params: StsCredentialChangedParams) =>
+            this.stsCredentialChangedHandler(params)
+        )
     }
 
-    async login(opts: { accessKey: string; secretKey: string }) {
+    async login(opts: { accessKey: string; secretKey: string, sessionToken?: string, roleArn?: string }) {
         await this.updateProfile(opts)
         return this._getIamCredential(true)
     }
@@ -526,36 +540,30 @@ export class IamLogin extends BaseLogin {
     }
 
     async logout() {
-        // if (this.iamCredentialId) {
-        //     await this.lspAuth.invalidateIamCredential(this.iamCredentialId)
-        // }
+        if (this.iamCredentialId) {
+            await this.lspAuth.invalidateStsCredential(this.iamCredentialId)
+        }
         await this.lspAuth.updateIamProfile(this.profileName, '', '', '', '', '')
         await this.lspAuth.updateIamProfile(this.profileName + '-source', '', '', '', '', '')
         this.updateConnectionState('notConnected')
         this._data = undefined
         // TODO: DeleteProfile api in Identity Service (this doesn't exist yet)
     }
 
-    async updateProfile(opts: { accessKey: string; secretKey: string }) {
-        await this.lspAuth.updateIamProfile(this.profileName, opts.accessKey, opts.secretKey)
-        this._data = {
-            accessKey: opts.accessKey,
-            secretKey: opts.secretKey,
+    async updateProfile(opts: { accessKey: string; secretKey: string, sessionToken?: string, roleArn?: string }) {
+        if (opts.roleArn) {
+            const sourceProfile = this.profileName + '-source'
+            await this.lspAuth.updateIamProfile(sourceProfile, opts.accessKey, opts.secretKey, opts.sessionToken, '', '')
+            await this.lspAuth.updateIamProfile(this.profileName, '', '', '', opts.roleArn, sourceProfile)
+        } else {
+            await this.lspAuth.updateIamProfile(this.profileName, opts.accessKey, opts.secretKey, opts.sessionToken, '', '')
         }
     }
 
     /**
      * Restore the connection state and connection details to memory, if they exist.
      */
     async restore() {
-        const sessionData = await this.getProfile()
-        const credentials = sessionData?.profile?.settings
-        if (credentials?.aws_access_key_id && credentials?.aws_secret_access_key) {
-            this._data = {
-                accessKey: credentials.aws_access_key_id,
-                secretKey: credentials.aws_secret_access_key,
-            }
-        }
         try {
             await this._getIamCredential(false)
         } catch (err) {
@@ -595,8 +603,10 @@ export class IamLogin extends BaseLogin {
         } catch (err: any) {
             switch (err.data?.awsErrorCode) {
                 case AwsErrorCodes.E_CANCELLED:
-                case AwsErrorCodes.E_SSO_SESSION_NOT_FOUND:
+                case AwsErrorCodes.E_INVALID_PROFILE:
                 case AwsErrorCodes.E_PROFILE_NOT_FOUND:
+                case AwsErrorCodes.E_CANNOT_CREATE_STS_CREDENTIAL:
+                case AwsErrorCodes.E_INVALID_STS_CREDENTIAL:
                     this.updateConnectionState('notConnected')
                     break
                 default:
@@ -609,19 +619,27 @@ export class IamLogin extends BaseLogin {
             this.cancellationToken = undefined
         }
 
-        // this.iamCredentialId = response.id
+        // Update cached credentials and credential ID
+        if (response.credentials.accessKeyId && response.credentials.secretAccessKey) {
+            this._data = {
+                accessKey: response.credentials.accessKeyId,
+                secretKey: response.credentials.secretAccessKey,
+                sessionToken: response.credentials.sessionToken,
+            }
+            this.iamCredentialId = response.id
+        }
         this.updateConnectionState('connected')
         return response
     }
 
-    // private stsCredentialChangedHandler(params: StsCredentialChangedParams) {
-    //     if (params.stsCredentialId === this.iamCredentialId) {
-    //         if (params.kind === CredentialChangedKind.Expired) {
-    //             this.updateConnectionState('expired')
-    //             return
-    //         } else if (params.kind === CredentialChangedKind.Refreshed) {
-    //             this.eventEmitter.fire({ id: this.profileName, state: 'refreshed' })
-    //         }
-    //     }
-    // }
+    private stsCredentialChangedHandler(params: StsCredentialChangedParams) {
+        if (params.stsCredentialId === this.iamCredentialId) {
+            if (params.kind === StsCredentialChangedKind.Expired) {
+                this.updateConnectionState('expired')
+                return
+            } else if (params.kind === StsCredentialChangedKind.Refreshed) {
+                this.eventEmitter.fire({ id: this.profileName, state: 'refreshed' })
+            }
+        }
+    }
 }

packages/core/src/auth/sso/cache.ts

@@ -36,7 +36,9 @@ export interface SsoCache {
 }
 
 const defaultCacheDir = () => path.join(fs.getUserHomeDir(), '.aws/sso/cache')
+const defaultStsCacheDir = () => path.join(fs.getUserHomeDir(), '.aws/cli/cache')
 export const getCacheDir = () => DevSettings.instance.get('ssoCacheDirectory', defaultCacheDir())
+export const getStsCacheDir = () => DevSettings.instance.get('stsCacheDirectory', defaultStsCacheDir())
 
 export function getCache(directory = getCacheDir()): SsoCache {
     return {