aws · liramon1 · Jul 31, 2025 · Jul 31, 2025
@@ -1,7 +1,7 @@
 import { expect, use } from 'chai'
 import { StubbedInstance, stubInterface } from 'ts-sinon'
 import { ProfileData, ProfileStore } from '../language-server/profiles/profileService'
-import { createStubInstance, restore, SinonStub, stub } from 'sinon'
+import { createStubInstance, restore, SinonSpy, SinonStub, spy, stub } from 'sinon'
 import { CancellationToken, Profile, ProfileKind } from '@aws/language-server-runtimes/protocol'
 import { Logging, Telemetry } from '@aws/language-server-runtimes/server-interface'
 import { IamCredentials, Observability } from '@aws/lsp-core'
@@ -28,6 +28,7 @@ let checkMfaRequiredStub: SinonStub<
     [credentials: IamCredentials, permissions: string[], region?: string | undefined],
     Promise<boolean>
 >
+let provider: SinonSpy
 
 describe('IamProvider', () => {
     beforeEach(() => {
@@ -111,6 +112,16 @@ describe('IamProvider', () => {
             sendGetMfaCode: Promise.resolve({ code: 'mfa-code', mfaSerial: 'mfa-serial' }),
         })
 
+        provider = spy(() => () => {
+            return {
+                accessKeyId: 'provider-access-key',
+                secretAccessKey: 'provider-secret-key',
+                sessionToken: 'provider-session-token',
+                credentialScope: 'provider-credential-scope',
+                accountId: 'provider-account-id',
+            }
+        })
+
         token = stubInterface<CancellationToken>()
 
         defaultParams = {
@@ -121,6 +132,12 @@ describe('IamProvider', () => {
             stsCache: stsCache,
             stsAutoRefresher: stsAutoRefresher,
             handlers: handlers,
+            providers: {
+                fromProcess: provider,
+                fromEnv: provider,
+                fromInstanceMetadata: provider,
+                fromContainerMetadata: provider,
+            },
             token: token,
             observability: observability,
         }
@@ -293,5 +310,79 @@ describe('IamProvider', () => {
             expect(error.message).to.equal('Source profile chain exceeded max length.')
             expect(stsAutoRefresher.watch.calledOnce).to.be.false
         })
+
+        it('Can login with credential process.', async () => {
+            const profile: Profile = {
+                kinds: [ProfileKind.IamCredentialProcessProfile],
+                name: 'process-profile',
+                settings: {
+                    role_arn: 'my-role-arn',
+                    credential_process: 'my-process',
+                },
+            }
+            const actual = await sut.getCredential({ ...defaultParams, profile: profile })
+
+            expect(actual.credentials.accessKeyId).to.equal('provider-access-key')
+            expect(actual.credentials.secretAccessKey).to.equal('provider-secret-key')
+            expect(actual.credentials.sessionToken).to.equal('provider-session-token')
+            expect(provider.calledOnce).to.be.true
+        })
+
+        it('Can assume role with environment variables', async () => {
+            const profile: Profile = {
+                kinds: [ProfileKind.IamCredentialSourceProfile],
+                name: 'env-profile',
+                settings: {
+                    role_arn: 'my-role-arn',
+                    credential_source: 'Environment',
+                },
+            }
+            const actual = await sut.getCredential({ ...defaultParams, profile: profile })
+
+            expect(actual.credentials.accessKeyId).to.equal('role-access-key')
+            expect(actual.credentials.secretAccessKey).to.equal('role-secret-key')
+            expect(actual.credentials.sessionToken).to.equal('role-session-token')
+            expect(actual.credentials.expiration?.toISOString()).to.equal('2024-09-25T18:09:20.455Z')
+            expect(provider.calledOnce).to.be.true
+            expect(stsAutoRefresher.watch.calledOnce).to.be.true
+        })
+
+        it('Can assume role with EC2 metadata', async () => {
+            const profile: Profile = {
+                kinds: [ProfileKind.IamCredentialSourceProfile],
+                name: 'env-profile',
+                settings: {
+                    role_arn: 'my-role-arn',
+                    credential_source: 'Ec2InstanceMetadata',
+                },
+            }
+            const actual = await sut.getCredential({ ...defaultParams, profile: profile })
+
+            expect(actual.credentials.accessKeyId).to.equal('role-access-key')
+            expect(actual.credentials.secretAccessKey).to.equal('role-secret-key')
+            expect(actual.credentials.sessionToken).to.equal('role-session-token')
+            expect(actual.credentials.expiration?.toISOString()).to.equal('2024-09-25T18:09:20.455Z')
+            expect(provider.calledOnce).to.be.true
+            expect(stsAutoRefresher.watch.calledOnce).to.be.true
+        })
+
+        it('Can assume role with ECS metadata', async () => {
+            const profile: Profile = {
+                kinds: [ProfileKind.IamCredentialSourceProfile],
+                name: 'env-profile',
+                settings: {
+                    role_arn: 'my-role-arn',
+                    credential_source: 'EcsContainer',
+                },
+            }
+            const actual = await sut.getCredential({ ...defaultParams, profile: profile })
+
+            expect(actual.credentials.accessKeyId).to.equal('role-access-key')
+            expect(actual.credentials.secretAccessKey).to.equal('role-secret-key')
+            expect(actual.credentials.sessionToken).to.equal('role-session-token')
+            expect(actual.credentials.expiration?.toISOString()).to.equal('2024-09-25T18:09:20.455Z')
+            expect(provider.calledOnce).to.be.true
+            expect(stsAutoRefresher.watch.calledOnce).to.be.true
+        })
     })
 })
@@ -27,8 +27,15 @@ export class IamProvider {
             }
         }
         // Assume the role matching the found ARN
-        else if (params.profile.kinds.includes(ProfileKind.IamSourceProfileProfile)) {
+        else if (
+            params.profile.kinds.includes(ProfileKind.IamSourceProfileProfile) ||
+            params.profile.kinds.includes(ProfileKind.IamCredentialSourceProfile)
+        ) {
             credentials = await this.getAssumedRoleCredential(params)
+        }
+        // Get the credentials from the process output
+        else if (params.profile.kinds.includes(ProfileKind.IamCredentialProcessProfile)) {
+            credentials = await params.providers.fromProcess({ profile: params.profile.name })()
         } else {
             throw new AwsError(
                 'Credentials could not be found for provided profile kind',
@@ -99,6 +106,24 @@ export class IamProvider {
             } else {
                 throw new AwsError('Source profile chain exceeded max length.', AwsErrorCodes.E_INVALID_PROFILE)
             }
+        } else if (params.profile.kinds.includes(ProfileKind.IamCredentialSourceProfile)) {
+            switch (params.profile.settings?.credential_source) {
+                // TODO: test whether EC2 and ECS metadata credentials are retrieved as expected
+                case 'Ec2InstanceMetadata':
+                    parentCredentials = await params.providers.fromInstanceMetadata()()
+                    break
+                case 'EcsContainer':
+                    parentCredentials = await params.providers.fromContainerMetadata()()
+                    break
+                case 'Environment':
+                    parentCredentials = await params.providers.fromEnv()()
+                    break
+                default:
+                    throw new AwsError(
+                        `Unsupported credential source: ${params.profile.settings?.credential_source}`,
+                        AwsErrorCodes.E_INVALID_PROFILE
+                    )
+            }
         } else {
             throw new AwsError('Source credentials not found', AwsErrorCodes.E_INVALID_PROFILE)
         }

@@ -13,6 +13,10 @@ import { AwsError, Observability } from '@aws/lsp-core'
 import { StsCache } from '../sts/cache/stsCache'
 import { StsAutoRefresher } from '../sts/stsAutoRefresher'
 import { ProfileStore } from '../language-server/profiles/profileService'
+import { FromProcessInit } from '@aws-sdk/credential-provider-process'
+import { AwsCredentialIdentityProvider, Provider, RuntimeConfigAwsCredentialIdentityProvider } from '@aws-sdk/types'
+import { InstanceMetadataCredentials, RemoteProviderInit } from '@smithy/credential-provider-imds'
+import { FromEnvInit } from '@aws-sdk/credential-provider-env'
 
 const defaultRegion = 'us-east-1'
 
@@ -84,6 +88,13 @@ function convertToIamArn(arn: string) {
     }
 }
 
+export type CredentialProviders = {
+    fromProcess: (init?: FromProcessInit) => RuntimeConfigAwsCredentialIdentityProvider
+    fromContainerMetadata: (init?: RemoteProviderInit) => AwsCredentialIdentityProvider
+    fromInstanceMetadata: (init?: RemoteProviderInit) => Provider<InstanceMetadataCredentials>
+    fromEnv: (init?: FromEnvInit) => AwsCredentialIdentityProvider
+}
+
 export type SendGetMfaCode = (params: GetMfaCodeParams) => Promise<GetMfaCodeResult>
 export type SendStsCredentialChanged = (params: StsCredentialChangedParams) => void
 
@@ -99,6 +110,7 @@ export type IamFlowParams = {
     stsCache: StsCache
     stsAutoRefresher: StsAutoRefresher
     handlers: IamHandlers
+    providers: CredentialProviders
     token: CancellationToken
     observability: Observability
 }
@@ -34,6 +34,7 @@ let stsAutoRefresher: StubbedInstance<StsAutoRefresher>
 let iamProvider: StubbedInstance<IamProvider>
 let observability: StubbedInstance<Observability>
 let authFlowFn: SinonSpy
+let credentialProvider: SinonSpy
 let validatePermissionsStub: SinonStub<
     [credentials: IamCredentials, permissions: string[], region?: string | undefined],
     Promise<boolean>
@@ -120,6 +121,18 @@ describe('IdentityService', () => {
             } satisfies SSOToken)
         )
 
+        credentialProvider = spy(() => {
+            return () => {
+                return {
+                    accessKeyId: 'provider-access-key',
+                    secretAccessKey: 'provider-secret-key',
+                    sessionToken: 'provider-session-token',
+                    credentialScope: 'provider-credential-scope',
+                    accountId: 'provider-account-id',
+                }
+            }
+        })
+
         observability = stubInterface<Observability>()
         observability.logging = stubInterface<Logging>()
         observability.telemetry = stubInterface<Telemetry>()

@@ -36,6 +36,9 @@ import { AwsError, Observability } from '@aws/lsp-core'
 import { __ServiceException } from '@aws-sdk/client-sso-oidc/dist-types/models/SSOOIDCServiceException'
 import { deviceCodeFlow } from '../sso/deviceCode/deviceCodeFlow'
 import { SSOToken } from '@smithy/shared-ini-file-loader'
+import { fromProcess } from '@aws-sdk/credential-provider-process'
+import { fromContainerMetadata, fromInstanceMetadata } from '@smithy/credential-provider-imds'
+import { fromEnv } from '@aws-sdk/credential-provider-env'
 import { IamProvider } from '../iam/iamProvider'
 
 type SsoTokenSource = IamIdentityCenterSsoTokenSource | AwsBuilderIdSsoTokenSource
@@ -181,6 +184,12 @@ export class IdentityService {
                 stsCache: this.stsCache,
                 stsAutoRefresher: this.stsAutoRefresher,
                 handlers: this.handlers as IamHandlers,
+                providers: {
+                    fromProcess: fromProcess,
+                    fromContainerMetadata: fromContainerMetadata,
+                    fromInstanceMetadata: fromInstanceMetadata,
+                    fromEnv: fromEnv,
+                },
                 token: token,
                 observability: this.observability,
             }