@aws-toolkit-automation
Collaborator

Automatic merge failed

  • Resolve conflicts and push to this PR branch.
  • Do not squash-merge this PR. Use the "Create a merge commit" option to do a regular merge.

Command line hint

To perform the merge from the command line, you could do something like the following (where "origin" is the name of the remote in your local git repo):

```
git stash
git fetch --all
git checkout origin/feature/ui-e2e-tests
git merge origin/master
git commit
git push origin HEAD:refs/heads/autoMerge/feature/ui-e2e-tests
```

aws-toolkit-automation and others added 25 commits November 25, 2025 13:57
## Problem

AWS Toolkit needs to support console session credentials to enable new
AWS CLI console authentication features which requires
`fromLoginCredentials` from AWS SDK v3.936.0 credential providers.
Currently, profiles with `login_session` credentials are not recognized
as valid credentials.

Learn more:
https://aws.amazon.com/about-aws/whats-new/2025/11/console-credentials-aws-cli-sdk-authentication/


## Solution

* Add CONSOLE_SESSION ('login_session') as a supported credential type
* Implement credential provider using [AWS SDK
fromLoginCredentials](https://www.npmjs.com/package/@aws-sdk/credential-providers#fromLoginCredentials)
* Handle initial authentication flow and state transitions
* Maintain credential caching and validation

This change enables the basic flow of reading and using console session
credentials from shared credentials files. **Credential refresh and
reauthentication flow** will be implemented in a future PR.

<img width="1716" height="1001"
alt="console-session-test-profile-show-in-list-connections-and-explorer"
src="https://github.com/user-attachments/assets/dcbfa671-50de-4b50-b2fb-329873d6b5f0"
/>
---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
## Problem

Following initial support for console session credentials (#8370), we
need the UI/command implementation to enable users to authenticate using
the AWS CLI's `aws login` feature. Users currently cannot create and use
console session credentials through the Toolkit UI.

Reference:
https://docs.aws.amazon.com/signin/latest/userguide/command-line-sign-in.html#command-line-sign-in-local-development

## Solution

* Add `aws.toolkit.auth.consoleLogin` command
* Implement console login flow with browser-based authentication
* Add automatic profile activation after successful login

### Note

The login flow succeeds and profile is connected. Profile shows as
expired/invalid. Follow up work needed in SharedCredentialsProvider to
add `validateConnection` and `reauthenticate` logic for console session
credentials.


<img width="1036" height="753" alt="Show command"
src="https://github.com/user-attachments/assets/ca350439-2b13-4baa-bf64-54e6b7bc71db"
/>

<img width="1035" height="757" alt="Enter profile input"
src="https://github.com/user-attachments/assets/7b83a486-7965-44b7-bf70-01372c913fd3"
/>

<img width="1037" height="750" alt="Select region from prompt"
src="https://github.com/user-attachments/assets/9a365388-a19b-4d0f-9c58-37ef0c6e9a84"
/>

<img width="1203" height="762" alt="Authenticate in the browser"
src="https://github.com/user-attachments/assets/e7488be4-5d34-406f-8fcc-7d0bde053db8"
/>

<img width="1034" height="754" alt="Success activate profile but still
shows invalid"
src="https://github.com/user-attachments/assets/715f73f0-0cb4-4b41-93ea-9f8c83748af2"
/>

### Testing

1. Run `npm run compile` to verify build.
2. Run `npm run package`. Manual verification of end-to-end flow in
VSCode
    1. Open Command Palette:
       - Windows/Linux: Press `Ctrl + Shift + P`
       - macOS: Press `Cmd + Shift + P`
    2. Type "login" in the Command Palette
    3. Select "AWS: Login with console credentials (Recommended)" from the
       dropdown



## Problem

When using console login authentication, credentials can expire or
become invalid, requiring users to manually re-authenticate by running
'aws login' again.

Reference:
https://www.npmjs.com/package/@aws-sdk/credential-providers#fromLoginCredentials

<img width="1469" height="791" alt="Screenshot 2025-12-05 at 12 17
08 PM"
src="https://github.com/user-attachments/assets/0d6da671-723d-47b3-871c-c9049c60bb67"
/>


## Solution

- Automatically handle credential refresh when console login credentials
become invalid by:
  1. Detecting common credential errors from
     [fromLoginCredentials](https://www.npmjs.com/package/@aws-sdk/credential-providers#fromLoginCredentials)
     provider:
     - Session expiration ([aws-sdk-js-v3
       code](https://github.com/aws/aws-sdk-js-v3/blob/f9245def44697ffb3b64d55c6e1e58ef9edd7ef4/packages/credential-provider-login/src/LoginCredentialsFetcher.ts#L157))
     - Token loading failures ([aws-sdk-js-v3
       code](https://github.com/aws/aws-sdk-js-v3/blob/f9245def44697ffb3b64d55c6e1e58ef9edd7ef4/packages/credential-provider-login/src/LoginCredentialsFetcher.ts#L41))
  2. When these errors occur, automatically invoke
     'aws.toolkit.auth.consoleLogin' command with the existing profile and
     region to refresh credentials

<img width="1978" height="472" alt="Screenshot 2025-12-05 at 1 06 04 PM"
src="https://github.com/user-attachments/assets/3e9a7571-60bd-4873-aec8-370e9c516e76"
/>


## Note

- Update telemetry to track console login command via
authConsoleLoginStarted flag
- Other credential errors (insufficient permissions, user credentials
changed, etc.) require user intervention to resolve and shouldn't
automatically trigger re-authentication



…8401)

## Problem

Users can use a beginner-friendly interface to authenticate with AWS
Console credentials to obtain temporary credentials, especially for new
AWS users. This GUI offers an alternative to `aws login` command-line
authentication.

Reference:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html

## Solution

- Add "Console credentials - recommended" option to login webview
- Restrict profile name input to alphanumeric, underscore, and hyphen
characters (following [profile name
pattern](https://github.com/keenwilson/aws-toolkit-vscode/blob/89739bc176c28321f64cd672664014d1ddfed533/packages/core/src/auth/consoleSessionUtils.ts#L48))
- Show "Opening AWS sign-in in your default browser..." during
authentication
- Redirect to explorer view upon successful sign-in

Note:
- The UI flow follows the same pattern as IAM credentials setup, with
these key differences:
  - Console credentials form takes profile name and region (optional)
  - IAM credentials form takes access key and secret key
  - Different telemetry emitted for credential source ID:
    - Console credentials: 'consoleCredentials'
    - IAM credentials: 'sharedCredentials'
- Telemetry for credential source ID is tracked via
aws/aws-toolkit-common#1108
- AWS CLI returns exit code 255 if browser-based authentication is not
completed; this prevents partial/incomplete authentication states
- Reuse `fromLoginCredentials` provider instance to prevent multiple
credential resolution attempts and maintain consistent refresh behavior
at
[resolveProviderWithCancel](https://github.com/aws/aws-toolkit-vscode/blob/eb11eb59318ab83a1f609e472eab760ea38201d1/packages/core/src/auth/providers/sharedCredentialsProvider.ts#L256)
in sharedCredentialsProvider

## UI Changes

- Added "Console credentials - recommended" as first option in login
selection

<img width="1122" height="633" alt="1-start"
src="https://github.com/user-attachments/assets/3d46b1ee-9730-4834-ac64-328a5b92227c"
/>

- Created profile name input with validation for letters, numbers, `-` and
`_`
- Made region selection optional with us-east-1 default

<img width="1122" height="631" alt="4-console-profile"
src="https://github.com/user-attachments/assets/f1acfffb-40b6-4f7e-a87a-96da6b0ff59d"
/>

- Shows clear guidance during browser authentication flow
<img width="1150" height="765" alt="Opening AWS sign-in in your default
browser."
src="https://github.com/user-attachments/assets/9f04fea4-0980-4eef-9b3f-e5c2caa9fbc5"
/>

- Attempt to update AWS CLI if the version < 2.32.0

<img width="1086" height="710" alt="Screenshot 2025-12-11 at 4 31 17 PM"
src="https://github.com/user-attachments/assets/77cbc5b6-b238-4db1-bc21-d178081bc298"
/>

### Known Issue: Windows PATH Environment After AWS CLI Installation

When installing or updating AWS CLI v2 through the toolkit on a Windows
machine within a managed enterprise or workspace environment, the
installation may appear successful, but users receive the error:

```
[error] aws.toolkit.auth.consoleLogin: Error: Failed to verify or install AWS CLI [CliInstallFailed]
	 -> Error: Could not verify installed CLIs
```

This typically occurs because the installer successfully places the
necessary files in the default directory (`C:\Program
Files\Amazon\AWSCLIV2\`), but security policies or user permissions
within the workspace prevent the installer from correctly or immediately
updating the system's PATH environment variable. The command prompt
doesn't know where to look for the `aws.exe` file.

You can verify the installation using the full path and contact your IT
support to add the installation path (`C:\Program
Files\Amazon\AWSCLIV2\`) to the System variables `PATH` environment
variable.

```powershell
# The call operator (&) is needed to run an executable given as a quoted path
& "C:\Program Files\Amazon\AWSCLIV2\aws.exe" --version
```
 

 
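
The input checks described in the commit message above (profile-name restriction, the 2.32.0 CLI minimum, exit code 255 for an unfinished browser sign-in), sketched as an added TypeScript example. It is not code from the toolkit; the helper names, the region pattern, the leading-hyphen check and passing `--region` to `aws login` are assumptions.

```typescript
// Added example: hypothetical helpers, not code from aws-toolkit-vscode.
// Pattern assumed from the description: letters, digits, underscore, hyphen.
const PROFILE_NAME = /^[A-Za-z0-9_-]+$/
// Assumed shape of a region identifier (for example "us-east-1").
const REGION_NAME = /^[a-z]{2}(-[a-z0-9]+)+$/
// Minimum AWS CLI version named on the page.
const MIN_CLI: [number, number, number] = [2, 32, 0]

// Parse `aws --version` output, e.g. "aws-cli/2.31.9 Python/3.13.7 ...".
function parseCliVersion(output: string): [number, number, number] | undefined {
    const m = /^aws-cli\/(\d+)\.(\d+)\.(\d+)/.exec(output.trim())
    return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : undefined
}

// True when the CLI predates 2.32.0 or the version cannot be determined,
// so an unparseable answer never counts as "new enough".
function needsCliUpdate(output: string): boolean {
    const v = parseCliVersion(output)
    if (!v) return true
    for (let i = 0; i < 3; i++) {
        if (v[i] !== MIN_CLI[i]) return v[i] < MIN_CLI[i]
    }
    return false
}

// Build argv for `aws login`. Returning an array (for a spawn call without a
// shell) plus the allow-list keeps user input from being parsed as anything
// other than one argument. Region defaults to us-east-1 as on the page.
function buildLoginArgs(profile: string, region?: string): string[] {
    if (!PROFILE_NAME.test(profile)) {
        throw new Error(`invalid profile name: ${JSON.stringify(profile)}`)
    }
    // Extra check (assumption, not stated on the page): a leading hyphen
    // could be read by the CLI as another option.
    if (profile.startsWith('-')) {
        throw new Error('profile name must not start with a hyphen')
    }
    const resolved = region ? region : 'us-east-1'
    if (!REGION_NAME.test(resolved)) {
        throw new Error(`invalid region: ${JSON.stringify(resolved)}`)
    }
    return ['login', '--profile', profile, '--region', resolved]
}

type LoginOutcome = 'success' | 'incomplete' | 'failed'

// Exit code 255 means the browser sign-in was not completed (per the page);
// only 0 may lead to profile activation.
function classifyExit(code: number | null): LoginOutcome {
    if (code === 0) return 'success'
    return code === 255 ? 'incomplete' : 'failed'
}
```
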
feat(auth): align text patterns and verify profile after command succeeded
## Problem


## Solution



---------

Co-authored-by: aws-toolkit-automation <[email protected]>
Co-authored-by: Keen Wilson <[email protected]>
Co-authored-by: Aseem sharma <[email protected]>
@aws-toolkit-automation aws-toolkit-automation requested a review from a team as a code owner December 15, 2025 22:08
reedham-aws and others added 4 commits December 15, 2025 16:16
## Problem
Fixes #8372.

Currently, a deploy done using the lambda client will create a new
published version of the function without any customer input. This is an
issue because a) it is not the expected action for a deploy and b)
version creation can take a long time and be expensive for Lambda
Managed Instances customers.

The cases in which this happened were: 
1. Quick deploy through either the popup or the toolkit explorer
2. Direct upload where the user clicks on the node and selects the
upload action
3. Remote invoke hot reloading, which will auto deploy code changes.

Open to reasons to keep this, but I think that versioning isn't
necessary in those cases and can end up being confusing. The original PR
that added this was in 2020 (#1269), and based on that PR it seems like
the original implementer was testing things out.

## Solution
Remove the `Publish: true` field from the `UpdateFunctionCodeCommand`.
Now, all deploys are simply updating the code.


Co-authored-by: invictus <[email protected]>
#8414)

…nt stale data

## Problem
- stack views did not render automatically after visibility change

## Solution
- render stack views

keenwilson and others added 9 commits December 16, 2025 17:28
…redential refresh flow (#8432)

## Problem

- Users were blocked when AWS CLI prompted to overwrite an existing
console session, with no way to respond from VS Code
- Credential refresh flow caused hanging "Getting credentials for
profile" progress messages
- Extension activation failed with "non-passive metric emitted at
startup" error


## Solution

<img width="474" height="181" alt="overwrite"
src="https://github.com/user-attachments/assets/de836ee0-4821-4b79-9c69-4aa6168974ac"
/>

- Detect CLI overwrite prompts and show interactive dialog with exact
CLI message
- Send user's response ("y" or "n") to CLI stdin to proceed or cancel
- Invalidate cached credentials after successful login and update
connection state without triggering immediate credential fetch
- Change telemetry emission from `.run()` to `.emit()` to comply with
passive telemetry rules

## Testing
- Fresh profile creation 
- Profile overwrite with user confirmation
- User cancellation of overwrite
- Credential refresh when session expires

fix(auth): Add console session profile overwrite prompt and improve credential refresh flow
…8413)

## Problem
The hash algorithm used to verify downloads is not configurable.
Make it configurable, but default to `sha384`.

## Solution


…in webview (#8418)

## Problem
- Cx will begin to get used to the new console grouping stack events by
operation id and expect the same in the IDE

## Solution
- group stack events by operation id similar to console

## Problem
- Hook invocations not visible in stack events

## Solution
- show Hook invocations when there is a failure caused by Hook (last
column is new and shows conditionally)
<img width="1213" height="582" alt="image"
src="https://github.com/user-attachments/assets/0e57407d-5fcc-415b-ae2a-e9e39d8d49dc"
/>

build(amazonq): merge release candidate version rc-20251218
…8438)

## Problem
- Signing out did not clear the DZ client, so when the user retries signing
in with a corrected region, they cannot access the targeted domain.

## Solution
- Dispose smuAuthProvider when signing out; within authProvider dispose,
the DZ clients will also be disposed
