feat(auth): detect when connected to non-AWS cloud

And general fixes when connection is to non-AWS endpoints
- Add helper function to identify when connected to LocalStack
- Make LiveTail and DocDB read endpoint URL if exists (they don't
use the generic ClientBuilder)
- Disable S3 virtual-host-style and host prefix for LocalStack
- Disable host prefixes for all services when using LocalStack
- Send telemetry for custom endpoints and for LocalStack connections

Author: valerena

packages/core/src/auth/deprecated/loginManager.ts

@@ -30,10 +30,11 @@ import { isAutomation } from '../../shared/vscode/env'
 import { Credentials } from '@aws-sdk/types'
 import { ToolkitError } from '../../shared/errors'
 import * as localizedText from '../../shared/localizedText'
-import { DefaultStsClient } from '../../shared/clients/stsClient'
+import { DefaultStsClient, type GetCallerIdentityResponse } from '../../shared/clients/stsClient'
 import { findAsync } from '../../shared/utilities/collectionUtils'
 import { telemetry } from '../../shared/telemetry/telemetry'
 import { withTelemetryContext } from '../../shared/telemetry/util'
+import { localStackConnectionHeader, localStackConnectionString } from '../utils'
 
 const loginManagerClassName = 'LoginManager'
 /**
@@ -117,14 +118,34 @@ export class LoginManager {
         region = this.defaultCredentialsRegion
     ) {
         const stsClient = new DefaultStsClient(region, credentials, endpointUrl)
-        const accountId = (await stsClient.getCallerIdentity()).Account
+        const callerIdentity = await stsClient.getCallerIdentity()
+        await this.detectExternalConnection(callerIdentity)
+        // Validate presence of Account Id
+        const accountId = callerIdentity.Account
         if (!accountId) {
+            if (endpointUrl !== undefined) {
+                telemetry.auth_customEndpoint.emit({ source: 'validateCredentials', result: 'Failed' })
+            }
             throw new Error('Could not determine Account Id for credentials')
         }
+        if (endpointUrl !== undefined) {
+            telemetry.auth_customEndpoint.emit({ source: 'validateCredentials', result: 'Succeeded' })
+        }
 
         return accountId
     }
 
+    private async detectExternalConnection(callerIdentity: GetCallerIdentityResponse): Promise<void> {
+        // @ts-ignore
+        const headers = callerIdentity.$response?.httpResponse?.headers
+        if (headers !== undefined && localStackConnectionHeader in headers) {
+            await globals.globalState.update('aws.toolkit.externalConnection', localStackConnectionString)
+            telemetry.auth_localstackEndpoint.emit({ source: 'validateCredentials', result: 'Succeeded' })
+        } else {
+            await globals.globalState.update('aws.toolkit.externalConnection', undefined)
+        }
+    }
+
     /**
      * Removes Credentials from the Toolkit. Essentially the Toolkit becomes "logged out".
      *

packages/core/src/auth/utils.ts

@@ -890,3 +890,12 @@ export async function getAuthType() {
     }
     return authType
 }
+
+export const localStackConnectionHeader = 'x-localstack'
+export const localStackConnectionString = 'localstack'
+
+export function isLocalStackConnection(): boolean {
+    return (
+        globals.globalState.tryGet('aws.toolkit.externalConnection', String, undefined) === localStackConnectionString
+    )
+}

packages/core/src/awsService/cloudWatchLogs/registry/liveTailSession.ts

@@ -6,6 +6,7 @@ import * as vscode from 'vscode'
 import * as AWS from '@aws-sdk/types'
 import {
     CloudWatchLogsClient,
+    type CloudWatchLogsClientConfig,
     StartLiveTailCommand,
     StartLiveTailResponseStream,
 } from '@aws-sdk/client-cloudwatch-logs'
@@ -53,12 +54,17 @@ export class LiveTailSession {
         this._logGroupArn = configuration.logGroupArn
         this.logStreamFilter = configuration.logStreamFilter
         this.logEventFilterPattern = configuration.logEventFilterPattern
+        const cwlClientProps: CloudWatchLogsClientConfig = {
+            credentials: configuration.awsCredentials,
+            region: configuration.region,
+            customUserAgent: getUserAgent(),
+        }
+        const endpointUrl = globals.awsContext.getCredentialEndpointUrl()
+        if (endpointUrl !== undefined) {
+            cwlClientProps.endpoint = endpointUrl
+        }
         this.liveTailClient = {
-            cwlClient: new CloudWatchLogsClient({
-                credentials: configuration.awsCredentials,
-                region: configuration.region,
-                customUserAgent: getUserAgent(),
-            }),
+            cwlClient: new CloudWatchLogsClient(cwlClientProps),
             abortController: new AbortController(),
         }
         this._maxLines = LiveTailSession.settings.get('limit', 10000)

packages/core/src/shared/awsClientBuilder.ts

@@ -10,6 +10,7 @@ import { AwsContext } from './awsContext'
 import { DevSettings } from './settings'
 import { getUserAgent } from './telemetry/util'
 import { telemetry } from './telemetry/telemetry'
+import { isLocalStackConnection } from '../auth/utils'
 
 /** Suppresses a very noisy warning printed by AWS SDK v2, which clutters local debugging output, CI logs, etc. */
 export function disableAwsSdkWarning() {
@@ -146,9 +147,13 @@ export class DefaultAWSClientBuilder implements AWSClientBuilder {
 
         // Get endpoint url from the active profile if there's no endpoint directly passed as a parameter
         const endpointUrl = this.awsContext.getCredentialEndpointUrl()
-        if (opt.endpoint === undefined && endpointUrl !== undefined) {
+        if (!('endpoint' in opt) && endpointUrl !== undefined) {
             opt.endpoint = endpointUrl
         }
+        if (isLocalStackConnection()) {
+            // Disable host prefixes for LocalStack
+            opt.hostPrefixEnabled = false
+        }
         // Then check if there's an endpoint in the dev settings
         if (serviceName) {
             opt.endpoint = settings.get('endpoints', {})[serviceName] ?? opt.endpoint

packages/core/src/shared/awsClientBuilderV3.ts

@@ -31,6 +31,7 @@ import {
     RetryStrategy,
     UserAgent,
 } from '@aws-sdk/types'
+import { S3Client } from '@aws-sdk/client-s3'
 import { FetchHttpHandler } from '@smithy/fetch-http-handler'
 import { HttpResponse, HttpRequest } from '@aws-sdk/protocol-http'
 import { ConfiguredRetryStrategy } from '@smithy/util-retry'
@@ -42,6 +43,7 @@ import { partialClone } from './utilities/collectionUtils'
 import { selectFrom } from './utilities/tsUtils'
 import { once } from './utilities/functionUtils'
 import { isWeb } from './extensionGlobals'
+import { isLocalStackConnection } from '../auth/utils'
 
 export type AwsClientConstructor<C> = new (o: AwsClientOptions) => C
 export type AwsCommandConstructor<CommandInput extends object, Command extends AwsCommand<CommandInput, object>> = new (
@@ -81,6 +83,8 @@ export interface AwsClientOptions {
     retryStrategy: RetryStrategy | RetryStrategyV2
     logger: Logger
     token: TokenIdentity | TokenIdentityProvider
+    forcePathStyle: boolean
+    hostPrefixEnabled: boolean
 }
 
 interface AwsServiceOptions<C extends AwsClient> {
@@ -176,9 +180,20 @@ export class AWSClientBuilderV3 {
         }
         // Get endpoint url from the active profile if there's no endpoint directly passed as a parameter
         const endpointUrl = this.context.getCredentialEndpointUrl()
-        if (opt.endpoint === undefined && endpointUrl !== undefined) {
+        if (!('endpoint' in opt) && endpointUrl !== undefined) {
+            // Because we check that 'endpoint' doesn't exist in `opt`, TS complains when we actually add it
+            // @ts-expect-error TS2339
             opt.endpoint = endpointUrl
         }
+        if (isLocalStackConnection()) {
+            // Disable host prefixes for LocalStack
+            opt.hostPrefixEnabled = false
+            // serviceClient name gets minified, but it's always consistent
+            if (serviceOptions.serviceClient.name === S3Client.name) {
+                // Use path-style S3 URLs for LocalStack
+                opt.forcePathStyle = true
+            }
+        }
         const service = new serviceOptions.serviceClient(opt)
         service.middlewareStack.add(telemetryMiddleware, { step: 'deserialize' })
         service.middlewareStack.add(loggingMiddleware, { step: 'finalizeRequest' })

packages/core/src/shared/clients/docdbClient.ts

@@ -37,11 +37,16 @@ export class DefaultDocumentDBClient {
 
     private async getSdkConfig() {
         const credentials = await globals.awsContext.getCredentials()
-        return {
+        const endpointUrl = globals.awsContext.getCredentialEndpointUrl()
+        const config = {
             customUserAgent: getUserAgent({ includePlatform: true, includeClientId: true }),
             credentials: credentials,
             region: this.regionCode,
         }
+        if (endpointUrl !== undefined) {
+            return { ...config, endpoint: endpointUrl }
+        }
+        return config
     }
 
     public async getClient(): Promise<DocDB.DocDBClient> {

packages/core/src/shared/clients/stsClient.ts

@@ -8,6 +8,7 @@ import { Credentials } from '@aws-sdk/types'
 import globals from '../extensionGlobals'
 import { ClassToInterfaceType } from '../utilities/tsUtils'
 
+export type GetCallerIdentityResponse = STS.GetCallerIdentityResponse
 export type StsClient = ClassToInterfaceType<DefaultStsClient>
 export class DefaultStsClient {
     public constructor(

packages/core/src/shared/globalState.ts

@@ -83,6 +83,8 @@ export type globalKey =
     | 'aws.lambda.remoteDebugSnapshot'
     // List of Domain-Users to show/hide Sagemaker SpaceApps in AWS Explorer.
     | 'aws.sagemaker.selectedDomainUsers'
+    // Name of the connection if it's not to the AWS cloud. Current supported value only 'localstack'
+    | 'aws.toolkit.externalConnection'
 
 /**
  * Extension-local (not visible to other vscode extensions) shared state which persists after IDE

packages/core/src/shared/telemetry/vscodeTelemetry.json

@@ -1191,6 +1191,14 @@
             "name": "appbuilder_lambda2sam",
             "description": "User click Convert a lambda function to SAM project"
         },
+        {
+            "name": "auth_customEndpoint",
+            "description": "User used a custom endpoint"
+        },
+        {
+            "name": "auth_localstackEndpoint",
+            "description": "User used a LocalStack connection"
+        },
         {
             "name": "lambda_remoteDebugStop",
             "description": "user stop remote debugging",