Merge branch 'feature/v2-to-v3-migration' into migrate-redshift

Author: ctlai95

package-lock.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "Amazon Q automatically refreshes expired IAM Credentials in Sagemaker instances"
+}

packages/amazonq/.changes/next-release/Bug Fix-da0e805d-faab-4274-b37a-943c7263e42b.json

@@ -17,9 +17,9 @@ import * as crypto from 'crypto'
 import { LanguageClient } from 'vscode-languageclient'
 import { AuthUtil } from 'aws-core-vscode/codewhisperer'
 import { Writable } from 'stream'
-import { onceChanged } from 'aws-core-vscode/utils'
+import { onceChanged, onceChangedWithComparator } from 'aws-core-vscode/utils'
 import { getLogger, oneMinute, isSageMaker } from 'aws-core-vscode/shared'
-import { isSsoConnection, isIamConnection } from 'aws-core-vscode/auth'
+import { isSsoConnection, isIamConnection, areCredentialsEqual } from 'aws-core-vscode/auth'
 
 export const encryptionKey = crypto.randomBytes(32)
 
@@ -108,7 +108,10 @@ export class AmazonQLspAuth {
         this.client.info(`UpdateBearerToken: ${JSON.stringify(request)}`)
     }
 
-    public updateIamCredentials = onceChanged(this._updateIamCredentials.bind(this))
+    public updateIamCredentials = onceChangedWithComparator(
+        this._updateIamCredentials.bind(this),
+        ([prevCreds], [currentCreds]) => areCredentialsEqual(prevCreds, currentCreds)
+    )
     private async _updateIamCredentials(credentials: any) {
         getLogger().info(
             `[SageMaker Debug] Updating IAM credentials - credentials received: ${credentials ? 'YES' : 'NO'}`

packages/amazonq/src/lsp/auth.ts

@@ -581,6 +581,8 @@
         "@aws-sdk/client-ec2": "<3.731.0",
         "@aws-sdk/client-glue": "^3.852.0",
         "@aws-sdk/client-iam": "<3.731.0",
+        "@aws-sdk/client-iot": "~3.693.0",
+        "@aws-sdk/client-iotsecuretunneling": "~3.693.0",
         "@aws-sdk/client-lambda": "<3.731.0",
         "@aws-sdk/client-redshift": "~3.693.0",
         "@aws-sdk/client-redshift-data": "~3.693.0",

packages/core/package.json

@@ -862,6 +862,7 @@ export class Auth implements AuthService, ConnectionManager {
 
     private async createCachedCredentials(provider: CredentialsProvider) {
         const providerId = provider.getCredentialsId()
+        getLogger().debug(`credentials: create cache credentials for ${provider.getProviderType()}`)
         globals.loginManager.store.invalidateCredentials(providerId)
         const { credentials, endpointUrl } = await globals.loginManager.store.upsertCredentials(providerId, provider)
         await globals.loginManager.validateCredentials(credentials, endpointUrl, provider.getDefaultRegion())

packages/core/src/auth/auth.ts

@@ -71,6 +71,18 @@ export const isBuilderIdConnection = (conn?: Connection): conn is SsoConnection
 export const isValidCodeCatalystConnection = (conn?: Connection): conn is SsoConnection =>
     isSsoConnection(conn) && hasScopes(conn, scopesCodeCatalyst)
 
+export const areCredentialsEqual = (creds1: any, creds2: any): boolean => {
+    if (!creds1 || !creds2) {
+        return creds1 === creds2
+    }
+
+    return (
+        creds1.accessKeyId === creds2.accessKeyId &&
+        creds1.secretAccessKey === creds2.secretAccessKey &&
+        creds1.sessionToken === creds2.sessionToken
+    )
+}
+
 export function hasScopes(target: SsoConnection | SsoProfile | string[], scopes: string[]): boolean {
     return scopes?.every((s) => (Array.isArray(target) ? target : target.scopes)?.includes(s))
 }

packages/core/src/auth/connection.ts

@@ -31,11 +31,16 @@ export class CredentialsStore {
      * If the expiration property does not exist, it is assumed to never expire.
      */
     public isValid(key: string): boolean {
+        // Apply 60-second buffer similar to SSO token expiry logic
+        const expirationBufferMs = 60000
+
         if (this.credentialsCache[key]) {
             const expiration = this.credentialsCache[key].credentials.expiration
-            return expiration !== undefined ? expiration >= new globals.clock.Date() : true
+            const now = new globals.clock.Date()
+            const bufferedNow = new globals.clock.Date(now.getTime() + expirationBufferMs)
+            return expiration !== undefined ? expiration >= bufferedNow : true
         }
-
+        getLogger().debug(`credentials: no credentials found for ${key}`)
         return false
     }
 

packages/core/src/auth/credentials/store.ts

@@ -19,6 +19,7 @@ export {
     getTelemetryMetadataForConn,
     isIamConnection,
     isSsoConnection,
+    areCredentialsEqual,
 } from './connection'
 export { Auth } from './auth'
 export { CredentialsStore } from './credentials/store'