diff --git a/runtimes/protocol/identity-management.ts b/runtimes/protocol/identity-management.ts
index a6c6613e..69f93bc5 100644
--- a/runtimes/protocol/identity-management.ts
+++ b/runtimes/protocol/identity-management.ts
@@ -37,12 +37,35 @@ export const AwsErrorCodes = {
 E_SSO_TOKEN_EXPIRED: 'E_SSO_TOKEN_EXPIRED',
 E_STS_CREDENTIAL_EXPIRED: 'E_STS_CREDENTIAL_EXPIRED',
 E_SSO_TOKEN_SOURCE_NOT_SUPPORTED: 'E_SSO_TOKEN_SOURCE_NOT_SUPPORTED',
+ E_CALLER_IDENTITY_NOT_FOUND: 'E_CALLER_IDENTITY_NOT_FOUND',
 E_MFA_REQUIRED: 'E_MFA_REQUIRED',
+ E_PERMISSION_DENIED: 'E_PERMISSION_DENIED',
 E_TIMEOUT: 'E_TIMEOUT',
 E_UNKNOWN: 'E_UNKNOWN',
 E_CANCELLED: 'E_CANCELLED',
 } as const
 
+// Permissions
+export const PermissionSets = {
+ Q: [
+ 'q:StartConversation',
+ 'q:SendMessage',
+ 'q:GetConversation',
+ 'q:ListConversations',
+ 'q:UpdateConversation',
+ 'q:DeleteConversation',
+ 'q:PassRequest',
+ 'q:StartTroubleshootingAnalysis',
+ 'q:StartTroubleshootingResolutionExplanation',
+ 'q:GetTroubleshootingResults',
+ 'q:UpdateTroubleshootingCommandResult',
+ 'q:GetIdentityMetaData',
+ 'q:GenerateCodeFromCommands',
+ 'q:UsePlugin',
+ 'codewhisperer:GenerateRecommendations',
+ ],
+}
+
 export interface AwsResponseErrorData {
 awsErrorCode: string
 }
@@ -253,12 +276,14 @@ export type IamCredentialId = string // Opaque identifier
 
 export interface GetIamCredentialOptions {
 callStsOnInvalidIamCredential?: boolean
- validatePermissions?: boolean
+ permissionSet?: string[]
+ credentialOverride?: IamCredentials
 }
 
 export const getIamCredentialOptionsDefaults = {
 callStsOnInvalidIamCredential: true,
- validatePermissions: true,
+ permissionSet: PermissionSets.Q,
+ credentialOverride: undefined,
 } satisfies GetIamCredentialOptions
 
 export interface GetIamCredentialParams {
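Review bot: `PermissionSets.Q` on the new side is a plain mutable array, and the second hunk of this file (`@@ -253,12 +276,14 @@`) makes `getIamCredentialOptionsDefaults.permissionSet` refer to that same array, so any caller that mutates the `permissionSet` it obtained through the defaults (a `push` on a shallow copy of the defaults object) silently widens the default permission check for every later request. Declaring it `} as const` — the form `AwsErrorCodes` already uses a few lines up — and typing `GetIamCredentialOptions.permissionSet` as `readonly string[]` closes that. The `// Permissions` comment should also say what the list is for; presumably these are the actions a resolved IAM credential is checked against, so something like `// Actions a resolved IAM credential is checked for (see GetIamCredentialOptions.permissionSet)` would do, to be confirmed against the handler.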
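Review bot: The new `permissionSet?: string[]` carries no comment stating what an empty array means — skip the check, as `validatePermissions: false` used to, or check nothing and succeed — so callers that relied on the removed boolean have no documented migration; the field's TSDoc should state which of the two applies. `credentialOverride?: IamCredentials` places secret material in an options object that presumably crosses the protocol boundary; a comment such as `/** Use these credentials instead of resolving the profile; contains secrets, must not be logged. */` records that for callers. `credentialOverride: undefined` in the defaults is accepted by `satisfies` under default compiler settings but would be rejected if `exactOptionalPropertyTypes` were enabled; omitting the key keeps the same meaning.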
@@ -266,9 +291,14 @@ export interface GetIamCredentialParams {
 options?: GetIamCredentialOptions
 }
 
-export interface GetIamCredentialResult {
+export interface IamCredential {
 id: IamCredentialId
+ kinds: ProfileKind[]
 credentials: IamCredentials
+}
+
+export interface GetIamCredentialResult {
+ credential: IamCredential
 updateCredentialsParams: UpdateCredentialsParams
 }
 
@@ -282,12 +312,13 @@ export const getIamCredentialRequestType = new ProtocolRequestType<
 
 // getMfaCode
 export interface GetMfaCodeParams {
- mfaSerial: string
 profileName: string
+ mfaSerial?: string
 }
 
 export interface GetMfaCodeResult {
 code: string
+ mfaSerial: string
 }
 
 export const getMfaCodeRequestType = new ProtocolRequestType<
@@ -318,7 +349,7 @@ export const invalidateSsoTokenRequestType = new ProtocolRequestType<
 
 // invalidateStsCredential
 export interface InvalidateStsCredentialParams {
- profileName: string
+ iamCredentialId: IamCredentialId
 }
 
 export interface InvalidateStsCredentialResult {
diff --git a/runtimes/runtimes/auth/standalone/encryption.ts b/runtimes/runtimes/auth/standalone/encryption.ts
index 4f9dbb5b..f5f3475b 100644
--- a/runtimes/runtimes/auth/standalone/encryption.ts
+++ b/runtimes/runtimes/auth/standalone/encryption.ts
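Review bot: `kinds: ProfileKind[]` on the new `IamCredential` has no comment saying what a kind means for an IAM credential or whether the array may be empty; `ProfileKind` is presumably declared elsewhere in this file. Since `GetIamCredentialResult` is a wire type, moving `id` and `credentials` under `credential` is a breaking protocol change that the compiler catches on this side only, so a TSDoc line on `GetIamCredentialResult` noting the new shape would help the other implementations. Suggested: `/** Credential resolved for the request; credential.credentials may be replaced by ciphertext before the result leaves the process (see encryptIamResultWithKey). */`.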
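Review bot: `mfaSerial` becomes optional on `GetMfaCodeParams` but required on `GetMfaCodeResult`, so the serial the server continues with can now originate from the responding side. Where the request carried a serial, the handler should verify that the returned one is identical and reject the result otherwise, and the interfaces should say which side is authoritative; the hunk does not show such a check, so it may live in the handler. Suggested comment on the result field: `/** MFA device the code belongs to; must equal the requested serial when one was sent. */`.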
@@ -124,11 +124,11 @@ export async function encryptIamResultWithKey(
 request: GetIamCredentialResult,
 key: string
 ): Promise {
- request.credentials = {
- accessKeyId: await encryptObjectWithKey(request.credentials.accessKeyId, key),
- secretAccessKey: await encryptObjectWithKey(request.credentials.secretAccessKey, key),
- ...(request.credentials.sessionToken
- ? { sessionToken: await encryptObjectWithKey(request.credentials.sessionToken, key) }
+ request.credential.credentials = {
+ accessKeyId: await encryptObjectWithKey(request.credential.credentials.accessKeyId, key),
+ secretAccessKey: await encryptObjectWithKey(request.credential.credentials.secretAccessKey, key),
+ ...(request.credential.credentials.sessionToken
+ ? { sessionToken: await encryptObjectWithKey(request.credential.credentials.sessionToken, key) }
 : {}),
 }
 if (!request.updateCredentialsParams.encrypted) {
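Review bot: After the new assignment, `request.credential.credentials` still has type `IamCredentials` while holding ciphertext, so nothing in the types distinguishes an encrypted result from a plaintext one; `updateCredentialsParams.encrypted`, tested on the last line of the hunk, appears to be the only marker, and where it is set is not visible here. A comment above the assignment should record that, e.g. `// NOTE(review): credential.credentials holds ciphertext from here on; updateCredentialsParams.encrypted appears to be the only marker — confirm`, and the function's doc should note that `credential.id` and `credential.kinds` are deliberately left in the clear. As a point of style, the three `encryptObjectWithKey` calls are independent but awaited one after another; `Promise.all` would run them together. The signature of `encryptIamResultWithKey` precedes the hunk and its body continues past it.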