fix: misleading "Permission set" warning for OIDC SSO/IdC connection #3748

Problem:
Some IdC/SSO connections have OIDC "scopes" and don't have IAM "roles"
(returning IAM credentials / "Permission sets"). Such connections are
useful for scope-based applications, even though they don't have IAM
credentials.

Solution:
Don't warn about missing roles/permission-sets for connections that have
OIDC scopes.

Author: justinmk3

.changes/next-release/Bug Fix-48264e8c-a8ab-487b-ad5d-d25e49068589.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "IAM Identity Center (SSO): misleading \"Permission set\" warning for scope-based SSO/IdC connection"
+}

src/auth/auth.ts

@@ -223,12 +223,16 @@ export class Auth implements AuthService, ConnectionManager {
 
             const stream = toStream(this.store.listProfiles().map(entry => this.getConnectionFromStoreEntry(entry)))
 
+            /** Decides if SSO service should be queried for "linked" IAM roles/credentials for the given SSO connection. */
             const isLinkable = (
                 entry: [string, StoredProfile<Profile>]
-            ): entry is [string, StoredProfile<SsoProfile>] =>
-                entry[1].type === 'sso' &&
-                hasScopes(entry[1], ssoAccountAccessScopes) &&
-                entry[1].metadata.connectionState === 'valid'
+            ): entry is [string, StoredProfile<SsoProfile>] => {
+                const r =
+                    entry[1].type === 'sso' &&
+                    hasScopes(entry[1], ssoAccountAccessScopes) &&
+                    entry[1].metadata.connectionState === 'valid'
+                return r
+            }
 
             const linked = this.store
                 .listProfiles()
@@ -238,8 +242,8 @@ export class Auth implements AuthService, ConnectionManager {
                         loadLinkedProfilesIntoStore(
                             this.store,
                             id,
-                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile)),
-                            profile.startUrl
+                            profile,
+                            this.createSsoClient(profile.ssoRegion, this.getTokenProvider(id, profile))
                         )
                     )
                         .catch(err => {

src/auth/connection.ts

@@ -18,7 +18,6 @@ const warnOnce = onceChanged((s: string, url: string) => {
     showMessageWithUrl(s, url, undefined, 'error')
 })
 
-export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
 export const ssoAccountAccessScopes = ['sso:account:access']
 export const codewhispererScopes = ['codewhisperer:completions', 'codewhisperer:analysis']
@@ -256,13 +255,14 @@ export async function loadIamProfilesIntoStore(store: ProfileStore, manager: Cre
 }
 
 /**
- * Fetches profiles from the given SSO ("IAM Identity Center", "IdC") connection.
+ * Gets credentials profiles constructed from roles ("Permission Sets") discovered from the given
+ * SSO ("IAM Identity Center", "IdC") connection.
  */
 export async function* loadLinkedProfilesIntoStore(
     store: ProfileStore,
-    source: SsoConnection['id'],
-    client: SsoClient,
-    startUrl: string
+    sourceId: SsoConnection['id'],
+    ssoProfile: StoredProfile<SsoProfile>,
+    client: SsoClient
 ) {
     const accounts = new Set<string>()
     const found = new Set<Connection['id']>()
@@ -278,7 +278,7 @@ export async function* loadLinkedProfilesIntoStore(
 
     for await (const info of stream) {
         const name = `${info.roleName}-${info.accountId}`
-        const id = `sso:${source}#${name}`
+        const id = `sso:${sourceId}#${name}`
         found.add(id)
 
         if (store.getProfile(id) !== undefined) {
@@ -289,21 +289,21 @@ export async function* loadLinkedProfilesIntoStore(
             name,
             type: 'iam',
             subtype: 'linked',
-            ssoSession: source,
+            ssoSession: sourceId,
             ssoRoleName: info.roleName,
             ssoAccountId: info.accountId,
         })
 
         yield [id, profile] as const
     }
 
-    const isBuilderId = startUrl === builderIdStartUrl // Special case.
-    if (!isBuilderId && (accounts.size === 0 || found.size === 0)) {
-        const name = truncateStartUrl(startUrl)
-        // Possible causes:
-        // - SSO org has no "Permission sets"
+    /** Does `ssoProfile` have scopes other than "sso:account:access"? */
+    const hasScopes = !!ssoProfile.scopes?.some(s => !ssoAccountAccessScopes.includes(s))
+    if (!hasScopes && (accounts.size === 0 || found.size === 0)) {
+        // SSO user has no OIDC scopes nor IAM roles. Possible causes:
         // - user is not an "Assigned user" in any account in the SSO org
-        // - user is an "Assigned user" but no "Permission sets"
+        // - SSO org has no "Permission sets"
+        const name = truncateStartUrl(ssoProfile.startUrl)
         if (accounts.size === 0) {
             getLogger().warn('auth: SSO org (%s) returned no accounts', name)
         } else if (found.size === 0) {
@@ -317,7 +317,12 @@ export async function* loadLinkedProfilesIntoStore(
 
     // Clean-up stale references in case the user no longer has access
     for (const [id, profile] of store.listProfiles()) {
-        if (profile.type === 'iam' && profile.subtype === 'linked' && profile.ssoSession === source && !found.has(id)) {
+        if (
+            profile.type === 'iam' &&
+            profile.subtype === 'linked' &&
+            profile.ssoSession === sourceId &&
+            !found.has(id)
+        ) {
             await store.deleteProfile(id)
         }
     }

src/auth/providers/sharedCredentialsProvider.ts

@@ -31,7 +31,7 @@ import {
 } from '../credentials/sharedCredentials'
 import { builderIdStartUrl } from '../sso/model'
 import { SectionName, SharedCredentialsKeys } from '../credentials/types'
-import { SsoProfile, hasScopes } from '../connection'
+import { SsoProfile, hasScopes, ssoAccountAccessScopes } from '../connection'
 
 const credentialSources = {
     ECS_CONTAINER: 'EcsContainer',
@@ -150,7 +150,7 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 
             return {
                 type: 'sso',
-                scopes: ['sso:account:access'],
+                scopes: ssoAccountAccessScopes,
                 startUrl: this.profile[SharedCredentialsKeys.SSO_START_URL],
                 ssoRegion: this.profile[SharedCredentialsKeys.SSO_REGION] ?? defaultRegion,
             }
@@ -348,7 +348,7 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 
     private makeSsoCredentaislProvider() {
         const ssoProfile = this.getSsoProfileFromProfile()
-        if (!hasScopes(ssoProfile, ['sso:account:access'])) {
+        if (!hasScopes(ssoProfile, ssoAccountAccessScopes)) {
             throw new Error(`Session for "${this.profileName}" is missing required scope: sso:account:access`)
         }