Skip to content

fix(amazonq): Q chat stopped using IAM creds in the Amazon Q v1.63.0 release #7667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 15, 2025
Merged

fix(amazonq): Q chat stopped using IAM creds in the Amazon Q v1.63.0 release #7667

merged 2 commits into from
Jul 15, 2025

Conversation

@floralph
Copy link
Contributor

@floralph floralph commented Jul 14, 2025

Problem

Amazon Q for VSCode fails to authenticate in SageMaker environments after v1.62.0. The extension moved from directly calling the Q service using AWS SDK clients to using the aws-lsp-codewhisperer service (LSP). While the legacy
implementation had specific handling for SageMaker IAM credentials, the new LSP-based implementation only supports SSO token authentication.

The breaking change occurred in commit 938bb37 which enabled three experiment flags by default, moving the extension from the core implementation to the LSP implementation that lacks IAM credential
support.

Solution

This PR adds IAM authentication support to the Amazon Q LSP client for SageMaker environments by:

  1. Setting the USE_IAM_AUTH environment variable when running in SageMaker to signal the language server to use IAM authentication mode
  2. Enhancing the AmazonQLspAuth class to handle both SSO and IAM authentication flows, with proper credential retrieval and encryption
  3. Updating client initialization to indicate IAM credential support when running in SageMaker environments
  4. Adding connection metadata handling for IAM authentication with appropriate fallback values
  5. Implementing early auto-login for SageMaker IAM credentials during LSP activation

The solution maintains backward compatibility with existing SSO authentication while enabling IAM credential support specifically for SageMaker environments, restoring the functionality that was available in the legacy core
implementation.

@floralph floralph requested a review from a team as a code owner July 14, 2025 21:52
@github-actions
Copy link

github-actions bot commented Jul 14, 2025

  • This pull request modifies code in src/* but no tests were added/updated.
    • Confirm whether tests should be added or ensure the PR description explains why tests are not required.
  • This pull request implements a feat or fix, so it must include a changelog entry (unless the fix is for an unreleased feature). Review the changelog guidelines.
    • Note: beta or "experiment" features that have active users should announce fixes in the changelog.
    • If this is not a feature or fix, use an appropriate type from the title guidelines. For example, telemetry-only changes should use the telemetry type.

@floralph floralph changed the title fix: Q chat stopped using IAM creds in the Amazon Q v1.63.0 release fix(amazonq): Q chat stopped using IAM creds in the Amazon Q v1.63.0 release Jul 15, 2025
@floralph floralph closed this Jul 15, 2025
@floralph floralph reopened this Jul 15, 2025
@floralph floralph merged commit 276f9ef into master Jul 15, 2025
65 of 68 checks passed
@floralph floralph deleted the floralph/P261194666 branch July 15, 2025 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@yueny2020 yueny2020 yueny2020 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@floralph @yueny2020