feat(auth): add IAM credentials LSP requests to AuthUtils and auth2 #7507

liramon1 · 2025-06-17T19:08:52Z

Problem

The authentication flow does not make requests to IAM credentials endpoints on Flare and does not provide places for clients to input long-term IAM credentials or STS credentials.

Solution

Add IAM and STS credentials options to LanguageClientAuth requests
Add IAM credentials option and form to webview
Modify AuthUtils to switch between SsoLogin and IamLogin strategies
Modify clients to support IAM and STS credentials
Add IAM and STS credentials unit tests

This feature is split into multiple PRs (in order):

Meanwhile, we are making changes to language-servers and language-server-runtimes such that authentication for IAM credentials can happen on Flare side.

Tests will work with this version of language-server-runtimes:
https://github.com/liramon1/language-server-runtimes/tree/feature/flare-iam

and this version of language-servers:
https://github.com/liramon1/language-servers/tree/liramon/flare-iam

Please reference these when reviewing our work

License

I confirm that my contribution is made under the terms of the Apache 2.0 license.

…/flare-iam

github-actions · 2025-06-17T19:10:37Z

This pull request implements a feat or fix, so it must include a changelog entry (unless the fix is for an unreleased feature). Review the changelog guidelines.
- Note: beta or "experiment" features that have active users should announce fixes in the changelog.
- If this is not a feature or fix, use an appropriate type from the title guidelines. For example, telemetry-only changes should use the telemetry type.

…ck in

#7659) ## Problem The webview does not support IAM credentials input and endpoint to LSP does not support IAM credentials and IAM profiles. ## Solution This is part of #7507. - Add IAM credentials option and form to webview - Modify AuthUtils to switch between SsoLogin and IamLogin strategies - Add startIamCredentialSetup in backend_amazonq Meanwhile, we are making changes to language-servers and language-server-runtimes such that authentication for IAM credentials can happen on Flare side. working branches: https://github.com/liramon1/language-server-runtimes/tree/feature/flare-iam https://github.com/liramon1/language-servers/tree/liramon/flare-iam Current PR built upon flare-mega branch and is working to merge with flare-mega branch. This PR fails a web test that flare-mega branch is also failing, at the same place. --- - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

… autofill access key id (#7797) ## Problem UI and error message no longer compatible after adding IAM credentials authflow IAM Access Key needs manual input every time a client log in ## Solution This is part of #7507 and is built on top of #7659. --- - License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Ramon Li <[email protected]>

…scode into feature/flare-iam

## Problem The webview does not support STS credentials input (sessionToken and roleArn) and endpoint to LSP does not support STS credentials and profiles. ## Solution This is part of #7507 and is built on top of #7797. - Add STS credentials input box webview, enabling mfa verification if credentials has assume role with mfa permission - Modify AuthUtils and auth2.ts to accommodate new IAM profile type - Add stsCache and other sts handlers to connect to LSP --- - License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Ramon Li <[email protected]>

liramon1 and others added 10 commits June 5, 2025 17:24

Add webviews for Amazon Q IAM credentials option and form

ab47a46

Implement IAM setup function

eeebd0b

Make AuthUtils session switch between SsoLogin, IamLogin, and undefined

61c1138

Start implementing IamLogin class

146a95f

Remove iamSessions from profiles

eb0be34

Implement updateIamProfile and change STS references to IAM

a241b1c

Implement _getIamCredential and its callers

e923bad

fix(amazonq): delete iam profile when logout

2dabb43

start modifying auth2 consumers

ff181f4

Merge remote-tracking branch 'origin/feature/flare-mega' into feature…

f61bcee

…/flare-iam

liramon1 assigned liramon1 and yuxianrz Jun 17, 2025

liramon1 and others added 17 commits June 17, 2025 16:08

undo unnecessary changes

eb3526a

undo more unnecessary changes

849006b

fix logout bug

1968d41

Fix bug where profile failed to be retrieved after signing out and ba…

06c5ad8

…ck in

Fix region profile selector not triggering

60ffc92

Add support for IAM credentials to region profile manager

e1cfdc3

feat: remember iam access key

422d085

Revert unnecessary region profile changes

424a1af

Add limited IAM support for inline chat

9dbe490

Revert CredentialChangedKind for backwards compatibility

f044eb6

fix: fix missing autofill after disabling extension

7506ecc

Re-add session restore for IAM

ce07bd2

Add session token input to login flow

4d2b8b0

Add session tokens to auth2 logic

5830716

Replace profile deletion with iam invalidation

ef3745b

Rename loginOnInvalidToken

1ec8508

Rename getIamCredential options

0382876

yuxianrz and others added 10 commits July 23, 2025 14:56

fix emitIamClick according to new auth_signInOptionClcik

dfcc0b0

add credentialType to iam telemetry metadata and fix emitIamClick

ef56385

send telemetry when attempts to use inline chat with IAM auth

1b28bf8

change login_sso and login_iam, fix auth2.ts

c4acf81

fix incorrect connection message

9826566

feat: enable mfa serial input in pop up window

0948746

fix: wrong prompt for mfa serial input

af80c9d

fix: debug telemetry

6989096

Move MFA handler to auth2

88eb779

Move auth2 encryption to LanguageClientAuth

b51ea11

yuxianrz mentioned this pull request Aug 1, 2025

fix(auth): fix UI and error message bug, disable inline chat for IAM, autofill access key id #7797

Merged

yuxianrz marked this pull request as draft August 1, 2025 18:17

fix: unit tests

fd4a20a

yuxianrz mentioned this pull request Aug 4, 2025

feat(auth): add STS credential management and mfa verification #7811

Merged

liramon1 and others added 9 commits August 4, 2025 14:16

Fix type checks for AuthUtil sessions

0de5068

Decrypt listProfiles result

9f68b4a

fix authUtil test

4218174

Fix SSO migration from production auth

c6a4ab3

Merge branch 'feature/flare-iam' of github.com:liramon1/aws-toolkit-v…

04af37e

…scode into feature/flare-iam

Revert package.json change

26139e8

Move IAM profile options into typed object

a79939a

Remove STS cache watcher

7c8d60f

fix authUtil tests and description for getMfaSerial

e7d9798

Add credentials process input

fcc4285

liramon1 force-pushed the feature/flare-iam branch from 9ac2a3d to fcc4285 Compare August 6, 2025 19:19

sync IAM input labels with mega

512dc87

liramon1 closed this Aug 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(auth): add IAM credentials LSP requests to AuthUtils and auth2 #7507

feat(auth): add IAM credentials LSP requests to AuthUtils and auth2 #7507

Uh oh!

liramon1 commented Jun 17, 2025 •

edited by yuxianrz

Loading

Uh oh!

github-actions bot commented Jun 17, 2025

Uh oh!

Uh oh!

feat(auth): add IAM credentials LSP requests to AuthUtils and auth2 #7507

feat(auth): add IAM credentials LSP requests to AuthUtils and auth2 #7507

Uh oh!

Conversation

liramon1 commented Jun 17, 2025 • edited by yuxianrz Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem

Solution

License

Uh oh!

github-actions bot commented Jun 17, 2025

Uh oh!

Uh oh!

liramon1 commented Jun 17, 2025 •

edited by yuxianrz

Loading