refactor: sync types with IAM authentication changes (#626)

liramon1 · web-flow · commit 844b206e4c98 · 2025-07-29T10:13:58.000-07:00
## Problem The IAM type changes are behind the changes in aws/language-servers#1869 and aws/language-servers#1846. As a result, the language-servers PRs are unable to compile. ## Solution This is part of #572. - Rename validatePermissions to permissionSets and make it accept a list of permissions instead of validating only 1 set of permissions - Wrap credentials from getIamCredentialResult into an intermediate object - Add credentials override and additional error codes to getIamCredentials - Add mfaSerial to GetMfaSerialResult and optionalize it in GetMfaSerialParams  ## License By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/runtimes/protocol/identity-management.ts b/runtimes/protocol/identity-management.ts
@@ -37,12 +37,35 @@ export const AwsErrorCodes = {
     E_SSO_TOKEN_EXPIRED: 'E_SSO_TOKEN_EXPIRED',
     E_STS_CREDENTIAL_EXPIRED: 'E_STS_CREDENTIAL_EXPIRED',
     E_SSO_TOKEN_SOURCE_NOT_SUPPORTED: 'E_SSO_TOKEN_SOURCE_NOT_SUPPORTED',
+    E_CALLER_IDENTITY_NOT_FOUND: 'E_CALLER_IDENTITY_NOT_FOUND',
     E_MFA_REQUIRED: 'E_MFA_REQUIRED',
+    E_PERMISSION_DENIED: 'E_PERMISSION_DENIED',
     E_TIMEOUT: 'E_TIMEOUT',
     E_UNKNOWN: 'E_UNKNOWN',
     E_CANCELLED: 'E_CANCELLED',
 } as const
 
+// Permissions
+export const PermissionSets = {
+    Q: [
+        'q:StartConversation',
+        'q:SendMessage',
+        'q:GetConversation',
+        'q:ListConversations',
+        'q:UpdateConversation',
+        'q:DeleteConversation',
+        'q:PassRequest',
+        'q:StartTroubleshootingAnalysis',
+        'q:StartTroubleshootingResolutionExplanation',
+        'q:GetTroubleshootingResults',
+        'q:UpdateTroubleshootingCommandResult',
+        'q:GetIdentityMetaData',
+        'q:GenerateCodeFromCommands',
+        'q:UsePlugin',
+        'codewhisperer:GenerateRecommendations',
+    ],
+}
+
 export interface AwsResponseErrorData {
     awsErrorCode: string
 }
@@ -253,22 +276,29 @@ export type IamCredentialId = string // Opaque identifier
 
 export interface GetIamCredentialOptions {
     callStsOnInvalidIamCredential?: boolean
-    validatePermissions?: boolean
+    permissionSet?: string[]
+    credentialOverride?: IamCredentials
 }
 
 export const getIamCredentialOptionsDefaults = {
     callStsOnInvalidIamCredential: true,
-    validatePermissions: true,
+    permissionSet: PermissionSets.Q,
+    credentialOverride: undefined,
 } satisfies GetIamCredentialOptions
 
 export interface GetIamCredentialParams {
     profileName: string
     options?: GetIamCredentialOptions
 }
 
-export interface GetIamCredentialResult {
+export interface IamCredential {
     id: IamCredentialId
+    kinds: ProfileKind[]
     credentials: IamCredentials
+}
+
+export interface GetIamCredentialResult {
+    credential: IamCredential
     updateCredentialsParams: UpdateCredentialsParams
 }
 
@@ -282,12 +312,13 @@ export const getIamCredentialRequestType = new ProtocolRequestType<
 
 // getMfaCode
 export interface GetMfaCodeParams {
-    mfaSerial: string
     profileName: string
+    mfaSerial?: string
 }
 
 export interface GetMfaCodeResult {
     code: string
+    mfaSerial: string
 }
 
 export const getMfaCodeRequestType = new ProtocolRequestType<
@@ -318,7 +349,7 @@ export const invalidateSsoTokenRequestType = new ProtocolRequestType<
 
 // invalidateStsCredential
 export interface InvalidateStsCredentialParams {
-    profileName: string
+    iamCredentialId: IamCredentialId
 }
 
 export interface InvalidateStsCredentialResult {
diff --git a/runtimes/runtimes/auth/standalone/encryption.ts b/runtimes/runtimes/auth/standalone/encryption.ts
@@ -124,11 +124,11 @@ export async function encryptIamResultWithKey(
     request: GetIamCredentialResult,
     key: string
 ): Promise<GetIamCredentialResult> {
-    request.credentials = {
-        accessKeyId: await encryptObjectWithKey(request.credentials.accessKeyId, key),
-        secretAccessKey: await encryptObjectWithKey(request.credentials.secretAccessKey, key),
-        ...(request.credentials.sessionToken
-            ? { sessionToken: await encryptObjectWithKey(request.credentials.sessionToken, key) }
+    request.credential.credentials = {
+        accessKeyId: await encryptObjectWithKey(request.credential.credentials.accessKeyId, key),
+        secretAccessKey: await encryptObjectWithKey(request.credential.credentials.secretAccessKey, key),
+        ...(request.credential.credentials.sessionToken
+            ? { sessionToken: await encryptObjectWithKey(request.credential.credentials.sessionToken, key) }
             : {}),
     }
     if (!request.updateCredentialsParams.encrypted) {
