fix(toolkit): correctly use the endpoint URL for the selected profile

aws#2007

The Toolkit doesn't read the endpoint configured in an AWS profile
config.

The endpoint even before these changes is already being read from the
AWS config file, and it's included in the CredentialsProvider object,
but there wasn't a way to retrieve that. We're adding `getEndpointUrl()`
method to the different providers, and then we're retrieving that
endpoint in:
1. when loading the current profile, to add it to the credentialsCache
(`auth.ts -> createCachedCredentials()`, `loginManager.ts -> login()`).
Because of this, then we can get this endpoint alongside the credentials
when creating a new AWS client.
2. when creating the list of connections that then will be displayed for
the user to pick (`packages/core/src/auth/auth.ts ->
getIamConnection()`) (this required to make `getIamConnection` an async

Author: valerena

packages/core/src/auth/auth.ts

@@ -215,7 +215,7 @@ export class Auth implements AuthService, ConnectionManager {
             const provider = await this.getCredentialsProvider(id, profile)
             await this.authenticate(id, () => this.createCachedCredentials(provider), shouldInvalidate)
 
-            return this.getIamConnection(id, profile)
+            return await this.getIamConnection(id, profile)
         }
     }
 
@@ -253,7 +253,8 @@ export class Auth implements AuthService, ConnectionManager {
         if (profile === undefined) {
             throw new Error(`Connection does not exist: ${id}`)
         }
-        const conn = profile.type === 'sso' ? this.getSsoConnection(id, profile) : this.getIamConnection(id, profile)
+        const conn =
+            profile.type === 'sso' ? this.getSsoConnection(id, profile) : await this.getIamConnection(id, profile)
 
         this.#activeConnection = conn
         this.#onDidChangeActiveConnection.fire(conn)
@@ -705,7 +706,7 @@ export class Auth implements AuthService, ConnectionManager {
         if (profile.type === 'sso') {
             return this.getSsoConnection(id, profile)
         } else {
-            return this.getIamConnection(id, profile)
+            return await this.getIamConnection(id, profile)
         }
     }
 
@@ -805,17 +806,21 @@ export class Auth implements AuthService, ConnectionManager {
         )
     }
 
-    private getIamConnection(
+    private async getIamConnection(
         id: Connection['id'],
         profile: StoredProfile<IamProfile>
-    ): IamConnection & StatefulConnection {
+    ): Promise<IamConnection & StatefulConnection> {
+        // Get the provider to extract the endpoint URL
+        const provider = await this.getCredentialsProvider(id, profile)
+        const endpointUrl = provider.getEndpointUrl?.()
         return {
             id,
             type: 'iam',
             state: profile.metadata.connectionState,
             label:
                 profile.metadata.label ?? (profile.type === 'iam' && profile.subtype === 'linked' ? profile.name : id),
             getCredentials: async () => this.getCredentials(id, await this.getCredentialsProvider(id, profile)),
+            endpointUrl,
         }
     }
 
@@ -832,6 +837,8 @@ export class Auth implements AuthService, ConnectionManager {
             label: profile.metadata?.label ?? this.getSsoProfileLabel(profile),
             getToken: () => this.getToken(id, provider),
             getRegistration: () => provider.getClientRegistration(),
+            // SsoConnection is managed internally in the AWS Toolkit, so the endpointUrl can't be configured
+            endpointUrl: undefined,
         }
     }
 
@@ -856,8 +863,8 @@ export class Auth implements AuthService, ConnectionManager {
     private async createCachedCredentials(provider: CredentialsProvider) {
         const providerId = provider.getCredentialsId()
         globals.loginManager.store.invalidateCredentials(providerId)
-        const { credentials } = await globals.loginManager.store.upsertCredentials(providerId, provider)
-        await globals.loginManager.validateCredentials(credentials, provider.getDefaultRegion())
+        const { credentials, endpointUrl } = await globals.loginManager.store.upsertCredentials(providerId, provider)
+        await globals.loginManager.validateCredentials(credentials, endpointUrl, provider.getDefaultRegion())
 
         return credentials
     }

packages/core/src/auth/connection.ts

@@ -111,6 +111,7 @@ export function createSsoProfile(
 export interface SsoConnection extends SsoProfile {
     readonly id: string
     readonly label: string
+    readonly endpointUrl: string | undefined
 
     /**
      * Retrieves a bearer token, refreshing or re-authenticating as-needed.
@@ -129,6 +130,7 @@ export interface IamConnection {
     // This may change in the future after refactoring legacy implementations
     readonly id: string
     readonly label: string
+    readonly endpointUrl: string | undefined
     getCredentials(): Promise<Credentials>
 }
 

packages/core/src/auth/credentials/store.ts

@@ -12,6 +12,7 @@ import { CredentialsProviderManager } from '../providers/credentialsProviderMana
 export interface CachedCredentials {
     credentials: AWS.Credentials
     credentialsHashCode: string
+    endpointUrl?: string
 }
 
 /**
@@ -92,6 +93,7 @@ export class CredentialsStore {
         const credentials = {
             credentials: await credentialsProvider.getCredentials(),
             credentialsHashCode: credentialsProvider.getHashCode(),
+            endpointUrl: credentialsProvider.getEndpointUrl?.(),
         }
 
         this.credentialsCache[asString(credentialsId)] = credentials

packages/core/src/auth/credentials/types.ts

@@ -12,6 +12,7 @@ export const SharedCredentialsKeys = {
     AWS_SESSION_TOKEN: 'aws_session_token',
     CREDENTIAL_PROCESS: 'credential_process',
     CREDENTIAL_SOURCE: 'credential_source',
+    ENDPOINT_URL: 'endpoint_url',
     REGION: 'region',
     ROLE_ARN: 'role_arn',
     SOURCE_PROFILE: 'source_profile',

packages/core/src/auth/credentials/utils.ts

@@ -21,7 +21,7 @@ import { isValidResponse } from '../../shared/wizards/wizard'
 const credentialsTimeout = 300000 // 5 minutes
 const credentialsProgressDelay = 1000
 
-export function asEnvironmentVariables(credentials: Credentials): NodeJS.ProcessEnv {
+export function asEnvironmentVariables(credentials: Credentials, endpointUrl?: string): NodeJS.ProcessEnv {
     const environmentVariables: NodeJS.ProcessEnv = {}
 
     environmentVariables.AWS_ACCESS_KEY = credentials.accessKeyId
@@ -30,6 +30,9 @@ export function asEnvironmentVariables(credentials: Credentials): NodeJS.Process
     environmentVariables.AWS_SECRET_ACCESS_KEY = credentials.secretAccessKey
     environmentVariables.AWS_SESSION_TOKEN = credentials.sessionToken
     environmentVariables.AWS_SECURITY_TOKEN = credentials.sessionToken
+    if (endpointUrl !== undefined) {
+        environmentVariables.AWS_ENDPOINT_URL = endpointUrl
+    }
 
     return environmentVariables
 }

packages/core/src/auth/deprecated/loginManager.ts

@@ -65,19 +65,19 @@ export class LoginManager {
 
         try {
             provider = await getProvider(args.providerId)
-
-            const credentials = (await this.store.upsertCredentials(args.providerId, provider))?.credentials
+            const { credentials, endpointUrl } = await this.store.upsertCredentials(args.providerId, provider)
             if (!credentials) {
                 throw new Error(`No credentials found for id ${asString(args.providerId)}`)
             }
 
-            const accountId = await this.validateCredentials(credentials, provider.getDefaultRegion())
+            const accountId = await this.validateCredentials(credentials, endpointUrl, provider.getDefaultRegion())
             this.awsContext.credentialsShim = createCredentialsShim(this.store, args.providerId, credentials)
             await this.awsContext.setCredentials({
                 credentials,
                 accountId: accountId,
                 credentialsId: asString(args.providerId),
                 defaultRegion: provider.getDefaultRegion(),
+                endpointUrl: provider.getEndpointUrl?.(),
             })
 
             telemetryResult = 'Succeeded'
@@ -111,8 +111,12 @@ export class LoginManager {
         }
     }
 
-    public async validateCredentials(credentials: Credentials, region = this.defaultCredentialsRegion) {
-        const stsClient = new DefaultStsClient(region, credentials)
+    public async validateCredentials(
+        credentials: Credentials,
+        endpointUrl?: string,
+        region = this.defaultCredentialsRegion
+    ) {
+        const stsClient = new DefaultStsClient(region, credentials, endpointUrl)
         const accountId = (await stsClient.getCallerIdentity()).Account
         if (!accountId) {
             throw new Error('Could not determine Account Id for credentials')

packages/core/src/auth/providers/credentials.ts

@@ -112,6 +112,10 @@ export interface CredentialsProvider {
      */
     getTelemetryType(): CredentialType
     getDefaultRegion(): string | undefined
+    /**
+     * Gets the endpoint URL configured for this profile, if any.
+     */
+    getEndpointUrl?(): string | undefined
     getHashCode(): string
     getCredentials(): Promise<AWS.Credentials>
     /**

packages/core/src/auth/providers/envVarsCredentialsProvider.ts

@@ -61,4 +61,9 @@ export class EnvVarsCredentialsProvider implements CredentialsProvider {
         }
         return this.credentials
     }
+
+    public getEndpointUrl(): string | undefined {
+        const env = process.env as EnvironmentVariables
+        return env.AWS_ENDPOINT_URL?.toString()
+    }
 }

packages/core/src/auth/providers/sharedCredentialsProvider.ts

@@ -105,6 +105,10 @@ export class SharedCredentialsProvider implements CredentialsProvider {
         return this.profile[SharedCredentialsKeys.REGION]
     }
 
+    public getEndpointUrl(): string | undefined {
+        return this.profile[SharedCredentialsKeys.ENDPOINT_URL]?.trim()
+    }
+
     public async canAutoConnect(): Promise<boolean> {
         if (isSsoProfile(this.profile)) {
             const tokenProvider = SsoAccessTokenProvider.create({

packages/core/src/auth/providers/ssoCredentialsProvider.ts

@@ -61,4 +61,9 @@ export class SsoCredentialsProvider implements CredentialsProvider {
     private async hasToken() {
         return (await this.tokenProvider.getToken()) !== undefined
     }
+
+    // SsoCredentials are managed internally in the AWS Toolkit, so the endpointUrl can't be configured
+    public getEndpointUrl(): undefined {
+        return undefined
+    }
 }