Add support for IAM credentials to region profile manager

Author: liramon1

packages/amazonq/test/unit/codewhisperer/region/regionProfileManager.test.ts

@@ -62,7 +62,7 @@ describe('RegionProfileManager', async function () {
             const mockClient = {
                 listAvailableProfiles: listProfilesStub,
             }
-            const createClientStub = sinon.stub(regionProfileManager, '_createQClient').resolves(mockClient)
+            const createClientStub = sinon.stub(regionProfileManager, '_createQUserClient').resolves(mockClient)
 
             const profileList = await regionProfileManager.listRegionProfile()
 
@@ -272,11 +272,11 @@ describe('RegionProfileManager', async function () {
         })
     })
 
-    describe('createQClient', function () {
+    describe('createQUserClient', function () {
         it(`should configure the endpoint and region from a profile`, async function () {
             await setupConnection('idc')
 
-            const iadClient = await regionProfileManager.createQClient({
+            const iadClient = await regionProfileManager.createQUserClient({
                 name: 'foo',
                 region: 'us-east-1',
                 arn: 'arn',
@@ -286,7 +286,7 @@ describe('RegionProfileManager', async function () {
             assert.deepStrictEqual(iadClient.config.region, 'us-east-1')
             assert.deepStrictEqual(iadClient.endpoint.href, 'https://q.us-east-1.amazonaws.com/')
 
-            const fraClient = await regionProfileManager.createQClient({
+            const fraClient = await regionProfileManager.createQUserClient({
                 name: 'bar',
                 region: 'eu-central-1',
                 arn: 'arn',
@@ -302,7 +302,7 @@ describe('RegionProfileManager', async function () {
 
             await assert.rejects(
                 async () => {
-                    await regionProfileManager.createQClient({
+                    await regionProfileManager.createQUserClient({
                         name: 'foo',
                         region: 'ap-east-1',
                         arn: 'arn',
@@ -314,7 +314,7 @@ describe('RegionProfileManager', async function () {
 
             await assert.rejects(
                 async () => {
-                    await regionProfileManager.createQClient({
+                    await regionProfileManager.createQUserClient({
                         name: 'foo',
                         region: 'unknown-somewhere',
                         arn: 'arn',
@@ -330,7 +330,7 @@ describe('RegionProfileManager', async function () {
             await regionProfileManager.switchRegionProfile(profileFoo, 'user')
             assert.deepStrictEqual(regionProfileManager.activeRegionProfile, profileFoo)
 
-            const client = await regionProfileManager._createQClient('eu-central-1', 'https://amazon.com/')
+            const client = await regionProfileManager._createQUserClient('eu-central-1', 'https://amazon.com/')
 
             assert.deepStrictEqual(client.config.region, 'eu-central-1')
             assert.deepStrictEqual(client.endpoint.href, 'https://amazon.com/')

packages/core/src/codewhisperer/region/regionProfileManager.ts

@@ -11,6 +11,7 @@ import { showConfirmationMessage } from '../../shared/utilities/messages'
 import globals from '../../shared/extensionGlobals'
 import { once } from '../../shared/utilities/functionUtils'
 import CodeWhispererUserClient from '../client/codewhispereruserclient'
+import CodeWhispererClient from '../client/codewhispererclient'
 import { Credentials, Service } from 'aws-sdk'
 import { ServiceOptions } from '../../shared/awsClientBuilder'
 import userApiConfig = require('../client/user-service-2.json')
@@ -152,30 +153,63 @@ export class RegionProfileManager {
         const failedRegions: string[] = []
 
         for (const [region, endpoint] of endpoints.entries()) {
-            const client = await this._createQClient(region, endpoint)
-            const requester = async (request: CodeWhispererUserClient.ListAvailableProfilesRequest) =>
-                client.listAvailableProfiles(request).promise()
-            const request: CodeWhispererUserClient.ListAvailableProfilesRequest = {}
             try {
-                const profiles = await pageableToCollection(requester, request, 'nextToken', 'profiles')
-                    .flatten()
-                    .promise()
-                const mappedPfs = profiles.map((it) => {
-                    let accntId = ''
-                    try {
-                        accntId = parse(it.arn).accountId
-                    } catch (e) {}
-
-                    return {
-                        name: it.profileName,
-                        region: region,
-                        arn: it.arn,
-                        description: accntId,
+                // Get region profiles (Q developer profiles) from Q client and authenticate with SSO token
+                if (this.authProvider.isIdcConnection()) {
+                    const client = await this._createQUserClient(region, endpoint)
+                    const requester = async (request: CodeWhispererUserClient.ListAvailableProfilesRequest) => {
+                        return client.listAvailableProfiles(request).promise()
                     }
-                })
+                    const request: CodeWhispererUserClient.ListAvailableProfilesRequest = {}
+                    const profiles = await pageableToCollection(requester, request, 'nextToken', 'profiles')
+                        .flatten()
+                        .promise()
+                    const mappedPfs = profiles.map((it) => {
+                        let accntId = ''
+                        try {
+                            accntId = parse(it.arn).accountId
+                        } catch (e) {}
+
+                        return {
+                            name: it.profileName,
+                            region: region,
+                            arn: it.arn,
+                            description: accntId,
+                        }
+                    })
 
-                availableProfiles.push(...mappedPfs)
-                RegionProfileManager.logger.debug(`Found ${mappedPfs.length} profiles in region ${region}`)
+                    availableProfiles.push(...mappedPfs)
+                    RegionProfileManager.logger.debug(`Found ${mappedPfs.length} profiles in region ${region}`)
+                }
+                // Get region profiles (Q developer profiles) from Q client and authenticate with IAM credentials
+                else if (this.authProvider.isIamSession()) {
+                    const client = await this._createQServiceClient(region, endpoint)
+                    const requester = async (request: CodeWhispererClient.ListProfilesRequest) => {
+                        return client.listProfiles(request).promise()
+                    }
+                    const request: CodeWhispererClient.ListProfilesRequest = {}
+                    const profiles = await pageableToCollection(requester, request, 'nextToken', 'profiles')
+                        .flatten()
+                        .promise()
+                    const mappedPfs = profiles.map((it) => {
+                        let accntId = ''
+                        try {
+                            accntId = parse(it.arn).accountId
+                        } catch (e) {}
+
+                        return {
+                            name: it.profileName,
+                            region: region,
+                            arn: it.arn,
+                            description: accntId,
+                        }
+                    })
+
+                    availableProfiles.push(...mappedPfs)
+                    RegionProfileManager.logger.debug(`Found ${mappedPfs.length} profiles in region ${region}`)
+                } else {
+                    throw new ToolkitError('Failed to list profiles when signed out of identity center and IAM credentials')
+                }
             } catch (e) {
                 const logMsg = isAwsError(e) ? `requestId=${e.requestId}; message=${e.message}` : (e as Error).message
                 RegionProfileManager.logger.error(`Failed to list profiles for region ${region}: ${logMsg}`)
@@ -201,7 +235,7 @@ export class RegionProfileManager {
     }
 
     async switchRegionProfile(regionProfile: RegionProfile | undefined, source: ProfileSwitchIntent) {
-        if (!this.authProvider.isConnected() || !this.authProvider.isIdcConnection()) {
+        if (!this.authProvider.isConnected()) {
             return
         }
 
@@ -413,55 +447,72 @@ export class RegionProfileManager {
     }
 
     // TODO: Should maintain sdk client in a better way
-    async createQClient(profile: RegionProfile): Promise<CodeWhispererUserClient> {
+    // Create a Q user client compatible with SSO tokens
+    async createQUserClient(profile: RegionProfile): Promise<CodeWhispererUserClient> {
         if (!this.authProvider.isConnected()) {
             throw new Error('No valid connection')
         }
         const endpoint = endpoints.get(profile.region)
         if (!endpoint) {
             throw new Error(`trying to initiatize Q client with unrecognizable region ${profile.region}`)
         }
-        return this._createQClient(profile.region, endpoint)
+        return this._createQUserClient(profile.region, endpoint)
     }
 
-    // Visible for testing only, do not use this directly, please use createQClient(profile)
-    async _createQClient(region: string, endpoint: string): Promise<CodeWhispererUserClient> {
-        let serviceOption: ServiceOptions = {}
-        if (this.authProvider.isSsoSession()) {
-            const token = await this.authProvider.getToken()
-            serviceOption = {
-                apiConfig: userApiConfig,
-                region: region,
-                endpoint: endpoint,
-                credentials: new Credentials({ accessKeyId: 'xxx', secretAccessKey: 'xxx' }),
-                onRequestSetup: [
-                    (req) => {
-                        req.on('build', ({ httpRequest }) => {
-                            httpRequest.headers['Authorization'] = `Bearer ${token}`
-                        })
-                    },
-                ],
-            } as ServiceOptions
-        } else if (this.authProvider.isIamSession()) {
-            const credential = await this.authProvider.getIamCredential()
-            serviceOption = {
-                apiConfig: apiConfig,
-                region: region,
-                endpoint: endpoint,
-                credentials: new Credentials({
-                    accessKeyId: credential.accessKeyId,
-                    secretAccessKey: credential.secretAccessKey,
-                    sessionToken: credential.sessionToken,
-                }),
-            } as ServiceOptions
+    // Create a Q service client compatible with IAM credentials
+    async createQServiceClient(profile: RegionProfile): Promise<CodeWhispererClient> {
+        if (!this.authProvider.isConnected()) {
+            throw new Error('No valid connection')
         }
+        const endpoint = endpoints.get(profile.region)
+        if (!endpoint) {
+            throw new Error(`trying to initiatize Q client with unrecognizable region ${profile.region}`)
+        }
+        return this._createQServiceClient(profile.region, endpoint)
+    }
 
-        const c = (await globals.sdkClientBuilder.createAwsService(
+    // Visible for testing only, do not use this directly, please use createQUserClient(profile)
+    async _createQUserClient(region: string, endpoint: string): Promise<CodeWhispererUserClient> {
+        const token = await this.authProvider.getToken()
+        const serviceOption: ServiceOptions = {
+            apiConfig: userApiConfig,
+            region: region,
+            endpoint: endpoint,
+            credentials: new Credentials({ accessKeyId: 'xxx', secretAccessKey: 'xxx' }),
+            onRequestSetup: [
+                (req) => {
+                    req.on('build', ({ httpRequest }) => {
+                        httpRequest.headers['Authorization'] = `Bearer ${token}`
+                    })
+                },
+            ],
+        } as ServiceOptions
+        
+        return (await globals.sdkClientBuilder.createAwsService(
             Service,
             serviceOption,
             undefined
         )) as CodeWhispererUserClient
+    }
 
-        return c
+    // Visible for testing only, do not use this directly, please use createQServiceClient(profile)
+    async _createQServiceClient(region: string, endpoint: string): Promise<CodeWhispererClient> {
+        const credential = await this.authProvider.getIamCredential()
+        const serviceOption: ServiceOptions = {
+            apiConfig: apiConfig,
+            region: region,
+            endpoint: endpoint,
+            credentials: new Credentials({
+                accessKeyId: credential.accessKeyId,
+                secretAccessKey: credential.secretAccessKey,
+                sessionToken: credential.sessionToken,
+            }),
+        } as ServiceOptions
+
+        return (await globals.sdkClientBuilder.createAwsService(
+            Service,
+            serviceOption,
+            undefined
+        )) as CodeWhispererClient
     }
 }

packages/core/src/codewhisperer/util/authUtil.ts

@@ -192,20 +192,29 @@ export class AuthUtil implements IAuthProvider {
     }
 
     logout() {
+        // session will be nullified the next time refreshState() is called
         return this.session?.logout()
     }
 
     async getToken() {
         if (this.isSsoSession()) {
-            return (await (this.session as SsoLogin).getCredential()).credential
+            const token = (await this.session!.getCredential()).credential
+            if (typeof token !== 'string') {
+                throw new ToolkitError('Cannot get token with IAM session')
+            }
+            return token
         } else {
             throw new ToolkitError('Cannot get credential without logging in.')
         }
     }
 
     async getIamCredential() {
         if (this.session) {
-            return (await (this.session as IamLogin).getCredential()).credential
+            const credential = (await this.session.getCredential()).credential
+            if (typeof credential !== 'object') {
+                throw new ToolkitError('Cannot get token with SSO session')
+            }
+            return credential
         } else {
             throw new ToolkitError('Cannot get credential without logging in.')
         }

packages/core/src/codewhisperer/util/customizationUtil.ts

@@ -49,7 +49,7 @@ export class CustomizationProvider {
     }
 
     static async init(profile: RegionProfile): Promise<CustomizationProvider> {
-        const client = await AuthUtil.instance.regionProfileManager.createQClient(profile)
+        const client = await AuthUtil.instance.regionProfileManager.createQUserClient(profile)
         return new CustomizationProvider(client, profile)
     }
 }

packages/core/src/login/webview/vue/amazonq/backend_amazonq.ts

@@ -174,10 +174,6 @@ export class AmazonQLoginWebview extends CommonAuthWebview {
 
     @withTelemetryContext({ name: 'signout', class: className })
     override async signout(): Promise<void> {
-        if (!AuthUtil.instance.isSsoSession()) {
-            throw new ToolkitError(`Cannot signout non-SSO connection`)
-        }
-
         this.storeMetricMetadata({
             authEnabledFeatures: 'codewhisperer',
             isReAuth: true,

packages/core/src/test/amazonq/customizationUtil.test.ts

@@ -43,7 +43,7 @@ describe('customizationProvider', function () {
             regionProfileManager: regionProfileManager,
         }
         sinon.stub(AuthUtil, 'instance').get(() => mockAuthUtil)
-        const createClientStub = sinon.stub(regionProfileManager, 'createQClient')
+        const createClientStub = sinon.stub(regionProfileManager, 'createQUserClient')
         const mockProfile = {
             name: 'foo',
             region: 'us-east-1',