aws · yuxianrz · Jun 5, 2025 · Jun 6, 2025 · Jun 9, 2025 · Jun 10, 2025
@@ -16,4 +16,4 @@
     "settings": {
         "typescript.tsdk": "node_modules/typescript/lib",
     },
-}
+}
@@ -13,7 +13,7 @@
             "args": ["--extensionDevelopmentPath=${workspaceFolder}"],
             "env": {
                 "SSMDOCUMENT_LANGUAGESERVER_PORT": "6010",
-                "WEBPACK_DEVELOPER_SERVER": "http://localhost:8080"
+                "WEBPACK_DEVELOPER_SERVER": "http://localhost:8080",
                 // Below allows for overrides used during development
                 // "__AMAZONQLSP_PATH": "${workspaceFolder}/../../../language-servers/app/aws-lsp-codewhisperer-runtimes/out/agent-standalone.js",
                 // "__AMAZONQLSP_UI": "${workspaceFolder}/../../../language-servers/chat-client/build/amazonq-ui.js"

@@ -100,8 +100,8 @@ async function activateAmazonQNode(context: vscode.ExtensionContext) {
 async function getAuthState(): Promise<Omit<AuthUserState, 'source'>> {
     const state = AuthUtil.instance.getAuthState()
 
-    if (AuthUtil.instance.isConnected() && !(AuthUtil.instance.isSsoSession() || isSageMaker())) {
-        getLogger().error('Current Amazon Q connection is not SSO')
+    if (AuthUtil.instance.isConnected() && !(AuthUtil.instance.isSsoSession() || AuthUtil.instance.isIamSession() || isSageMaker())) {
+        getLogger().error('Current Amazon Q connection is not SSO nor IAM')
     }
 
     return {

@@ -143,7 +143,7 @@ export class InlineChatProvider {
     private async generateResponse(
         triggerPayload: TriggerPayload & { projectContextQueryLatencyMs?: number },
         triggerID: string
-    ) {
+    ): Promise<GenerateAssistantResponseCommandOutput | undefined> {
         const triggerEvent = this.triggerEventsStorage.getTriggerEvent(triggerID)
         if (triggerEvent === undefined) {
             return
@@ -182,7 +182,18 @@ export class InlineChatProvider {
         let response: GenerateAssistantResponseCommandOutput | undefined = undefined
         session.createNewTokenSource()
         try {
-            response = await session.chatSso(request)
+            if (AuthUtil.instance.isSsoSession()) {
+                response = await session.chatSso(request)
+            } else {
+                // Call sendMessage because Q Developer Streaming Client does not have generateAssistantResponse
+                const { sendMessageResponse, ...rest } = await session.chatIam(request)
+                // Convert sendMessageCommandOutput to GenerateAssistantResponseCommandOutput
+                response = {
+                    generateAssistantResponseResponse: sendMessageResponse,
+                    conversationId: session.sessionIdentifier,
+                    ...rest
+                }
+            }
             getLogger().info(
                 `response to tab: ${tabID} conversationID: ${session.sessionIdentifier} requestID: ${response.$metadata.requestId} metadata: %O`,
                 response.$metadata

@@ -164,6 +164,9 @@ export async function startLanguageServer(
             },
             credentials: {
                 providesBearerToken: true,
+                // Add IAM credentials support
+                providesIamCredentials: true,
+                supportsAssumeRole: true,
             },
         },
         /**
@@ -211,9 +214,10 @@ export async function startLanguageServer(
 
         /** All must be setup before {@link AuthUtil.restore} otherwise they may not trigger when expected */
         AuthUtil.instance.regionProfileManager.onDidChangeRegionProfile(async () => {
+            const activeProfile = AuthUtil.instance.regionProfileManager.activeRegionProfile
             void pushConfigUpdate(client, {
                 type: 'profile',
-                profileArn: AuthUtil.instance.regionProfileManager.activeRegionProfile?.arn,
+                profileArn: activeProfile?.arn,
             })
         })
 
@@ -286,6 +290,11 @@ async function postStartLanguageServer(
             sso: {
                 startUrl: AuthUtil.instance.connection?.startUrl,
             },
+            // Add IAM credentials metadata
+            iam: {
+                region: AuthUtil.instance.connection?.region,
+                accesskey: AuthUtil.instance.connection?.accessKey,
+            },
         }
     })
 

@@ -22,5 +22,5 @@ export async function loginToIdC() {
         )
     }
 
-    await AuthUtil.instance.login(startUrl, region)
+    await AuthUtil.instance.login_sso(startUrl, region)
 }
@@ -26,11 +26,11 @@ describe('RegionProfileManager', async function () {
 
     async function setupConnection(type: 'builderId' | 'idc') {
         if (type === 'builderId') {
-            await AuthUtil.instance.login(constants.builderIdStartUrl, region)
+            await AuthUtil.instance.login_sso(constants.builderIdStartUrl, region)
             assert.ok(AuthUtil.instance.isSsoSession())
             assert.ok(AuthUtil.instance.isBuilderIdConnection())
         } else if (type === 'idc') {
-            await AuthUtil.instance.login(enterpriseSsoStartUrl, region)
+            await AuthUtil.instance.login_sso(enterpriseSsoStartUrl, region)
             assert.ok(AuthUtil.instance.isSsoSession())
             assert.ok(AuthUtil.instance.isIdcConnection())
         }

@@ -26,19 +26,19 @@ describe('AuthUtil', async function () {
 
     describe('Auth state', function () {
         it('login with BuilderId', async function () {
-            await auth.login(constants.builderIdStartUrl, constants.builderIdRegion)
+            await auth.login_sso(constants.builderIdStartUrl, constants.builderIdRegion)
             assert.ok(auth.isConnected())
             assert.ok(auth.isBuilderIdConnection())
         })
 
         it('login with IDC', async function () {
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
             assert.ok(auth.isConnected())
             assert.ok(auth.isIdcConnection())
         })
 
         it('identifies internal users', async function () {
-            await auth.login(constants.internalStartUrl, 'us-east-1')
+            await auth.login_sso(constants.internalStartUrl, 'us-east-1')
             assert.ok(auth.isInternalAmazonUser())
         })
 
@@ -55,7 +55,7 @@ describe('AuthUtil', async function () {
 
     describe('Token management', function () {
         it('can get token when connected with SSO', async function () {
-            await auth.login(constants.builderIdStartUrl, constants.builderIdRegion)
+            await auth.login_sso(constants.builderIdStartUrl, constants.builderIdRegion)
             const token = await auth.getToken()
             assert.ok(token)
         })
@@ -68,14 +68,14 @@ describe('AuthUtil', async function () {
 
     describe('getTelemetryMetadata', function () {
         it('returns valid metadata for BuilderId connection', async function () {
-            await auth.login(constants.builderIdStartUrl, constants.builderIdRegion)
+            await auth.login_sso(constants.builderIdStartUrl, constants.builderIdRegion)
             const metadata = await auth.getTelemetryMetadata()
             assert.strictEqual(metadata.credentialSourceId, 'awsId')
             assert.strictEqual(metadata.credentialStartUrl, constants.builderIdStartUrl)
         })
 
         it('returns valid metadata for IDC connection', async function () {
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
             const metadata = await auth.getTelemetryMetadata()
             assert.strictEqual(metadata.credentialSourceId, 'iamIdentityCenter')
             assert.strictEqual(metadata.credentialStartUrl, 'https://example.awsapps.com/start')
@@ -96,37 +96,38 @@ describe('AuthUtil', async function () {
         })
 
         it('returns BuilderId forms when using BuilderId', async function () {
-            await auth.login(constants.builderIdStartUrl, constants.builderIdRegion)
+            await auth.login_sso(constants.builderIdStartUrl, constants.builderIdRegion)
             const forms = await auth.getAuthFormIds()
             assert.deepStrictEqual(forms, ['builderIdCodeWhisperer'])
         })
 
         it('returns IDC forms when using IDC without SSO account access', async function () {
             const session = (auth as any).session
-            sinon.stub(session, 'getProfile').resolves({
+            session && sinon.stub(session, 'getProfile').resolves({
                 ssoSession: {
                     settings: {
                         sso_registration_scopes: ['codewhisperer:*'],
                     },
                 },
             })
 
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
             const forms = await auth.getAuthFormIds()
             assert.deepStrictEqual(forms, ['identityCenterCodeWhisperer'])
         })
 
         it('returns IDC forms with explorer when using IDC with SSO account access', async function () {
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
             const session = (auth as any).session
-            sinon.stub(session, 'getProfile').resolves({
+
+            session && sinon.stub(session, 'getProfile').resolves({
                 ssoSession: {
                     settings: {
                         sso_registration_scopes: ['codewhisperer:*', 'sso:account:access'],
                     },
                 },
             })
 
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
             const forms = await auth.getAuthFormIds()
             assert.deepStrictEqual(forms.sort(), ['identityCenterCodeWhisperer', 'identityCenterExplorer'].sort())
         })
@@ -178,7 +179,7 @@ describe('AuthUtil', async function () {
         })
 
         it('updates bearer token when state is refreshed', async function () {
-            await auth.login(constants.builderIdStartUrl, 'us-east-1')
+            await auth.login_sso(constants.builderIdStartUrl, 'us-east-1')
 
             await (auth as any).stateChangeHandler({ state: 'refreshed' })
 
@@ -187,7 +188,7 @@ describe('AuthUtil', async function () {
         })
 
         it('cleans up when connection expires', async function () {
-            await auth.login(constants.builderIdStartUrl, 'us-east-1')
+            await auth.login_sso(constants.builderIdStartUrl, 'us-east-1')
 
             await (auth as any).stateChangeHandler({ state: 'expired' })
 
@@ -197,13 +198,15 @@ describe('AuthUtil', async function () {
         it('deletes bearer token when disconnected', async function () {
             await (auth as any).stateChangeHandler({ state: 'notConnected' })
 
-            assert.ok(mockLspAuth.deleteBearerToken.called)
+            if (auth.isSsoSession(auth.session)){
+                assert.ok(mockLspAuth.deleteBearerToken.called)
+            }
         })
 
         it('updates bearer token and restores profile on reconnection', async function () {
             const restoreProfileSelectionSpy = sinon.spy(regionProfileManager, 'restoreProfileSelection')
 
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
 
             await (auth as any).stateChangeHandler({ state: 'connected' })
 
@@ -215,7 +218,7 @@ describe('AuthUtil', async function () {
             const invalidateProfileSpy = sinon.spy(regionProfileManager, 'invalidateProfile')
             const clearCacheSpy = sinon.spy(regionProfileManager, 'clearCache')
 
-            await auth.login('https://example.awsapps.com/start', 'us-east-1')
+            await auth.login_sso('https://example.awsapps.com/start', 'us-east-1')
 
             await (auth as any).stateChangeHandler({ state: 'expired' })
 
@@ -280,12 +283,16 @@ describe('AuthUtil', async function () {
             await auth.migrateSsoConnectionToLsp('test-client')
 
             assert.ok(memento.update.calledWith('auth.profiles', undefined))
-            assert.ok(!auth.session.updateProfile?.called)
+            assert.ok(!auth.session?.updateProfile?.called)
         })
 
         it('proceeds with migration if LSP token check throws', async function () {
             memento.get.returns({ profile1: validProfile })
             mockLspAuth.getSsoToken.rejects(new Error('Token check failed'))
+
+            if (!(auth as any).session){
+                auth.session = new auth2.SsoLogin(auth.profileName, auth.lspAuth, auth.eventEmitter)
+            }
             const updateProfileStub = sinon.stub((auth as any).session, 'updateProfile').resolves()
 
             await auth.migrateSsoConnectionToLsp('test-client')
@@ -297,22 +304,24 @@ describe('AuthUtil', async function () {
         it('migrates valid SSO connection', async function () {
             memento.get.returns({ profile1: validProfile })
 
-            const updateProfileStub = sinon.stub((auth as any).session, 'updateProfile').resolves()
+            if ((auth as any).session) {
+                const updateProfileStub = sinon.stub((auth as any).session, 'updateProfile').resolves()
 
-            await auth.migrateSsoConnectionToLsp('test-client')
+                await auth.migrateSsoConnectionToLsp('test-client')
 
-            assert.ok(updateProfileStub.calledOnce)
-            assert.ok(memento.update.calledWith('auth.profiles', undefined))
+                assert.ok(updateProfileStub.calledOnce)
+                assert.ok(memento.update.calledWith('auth.profiles', undefined))
 
-            const files = await fs.readdir(cacheDir)
-            assert.strictEqual(files.length, 2) // Should have both the token and registration file
-
-            // Verify file contents were preserved
-            const newFiles = files.map((f) => path.join(cacheDir, f[0]))
-            for (const file of newFiles) {
-                const content = await fs.readFileText(file)
-                const parsed = JSON.parse(content)
-                assert.ok(parsed.test === 'registration' || parsed.test === 'token')
+                const files = await fs.readdir(cacheDir)
+                assert.strictEqual(files.length, 2) // Should have both the token and registration file
+
+                // Verify file contents were preserved
+                const newFiles = files.map((f) => path.join(cacheDir, f[0]))
+                for (const file of newFiles) {
+                    const content = await fs.readFileText(file)
+                    const parsed = JSON.parse(content)
+                    assert.ok(parsed.test === 'registration' || parsed.test === 'token')
+                }
             }
         })
 
@@ -351,6 +360,10 @@ describe('AuthUtil', async function () {
             }
             memento.get.returns(mockProfiles)
 
+            if (!(auth as any).session){
+                auth.session = new auth2.SsoLogin(auth.profileName, auth.lspAuth, auth.eventEmitter)
+            }
+
             const updateProfileStub = sinon.stub((auth as any).session, 'updateProfile').resolves()
 
             await auth.migrateSsoConnectionToLsp('test-client')
@@ -376,6 +389,10 @@ describe('AuthUtil', async function () {
             }
             memento.get.returns(mockProfiles)
 
+            if (!(auth as any).session){
+                auth.session = new auth2.SsoLogin(auth.profileName, auth.lspAuth, auth.eventEmitter)
+            }
+
             const updateProfileStub = sinon.stub((auth as any).session, 'updateProfile').resolves()
 
             await auth.migrateSsoConnectionToLsp('test-client')

@@ -28,7 +28,7 @@ describe('showConnectionPrompt', function () {
     })
 
     it('can select connect to AwsBuilderId', async function () {
-        sinon.stub(AuthUtil.instance, 'login').resolves()
+        sinon.stub(AuthUtil.instance, 'login_sso').resolves()
 
         getTestWindow().onDidShowQuickPick(async (picker) => {
             await picker.untilReady()
@@ -44,7 +44,7 @@ describe('showConnectionPrompt', function () {
 
     it('connectToAwsBuilderId calls AuthUtil login with builderIdStartUrl', async function () {
         sinon.stub(vscode.commands, 'executeCommand')
-        const loginStub = sinon.stub(AuthUtil.instance, 'login').resolves()
+        const loginStub = sinon.stub(AuthUtil.instance, 'login_sso').resolves()
 
         await awsIdSignIn()
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,4 +16,4 @@ @@
         "settings": {
             "typescript.tsdk": "node_modules/typescript/lib",
         },
-    }
+    }