test: Add stubs for SSO login to IAM domain testing #8652

Draft
ziwikiwi wants to merge 1 commit into aws:master from ziwikiwi:test-stub-redeem-token

@ziwikiwi ziwikiwi commented Mar 8, 2026

Problem

** TEST PR DO NOT MERGE **
Tested scoped-down admin credentials to see if we can get to use project credentials for IAM domain activities for an SSO user. There are a couple of places where we need to switch to use the domain type (IAM) instead of the login type, which is set to an SSO user.

Tested by changing the admin project role to a role with just the scoped-down admin credentials, and changing SSORedeemToken to only vend that role's credentials.

Solution

For the credential routing fixes below

Credential Routing Fixes (flagged with smusIamDomainSsoTest)

These places were using DER/domain credentials but need project credentials for IAM domain SSO login. They may need to be flagged for this to work.

Dev Settings Added (settings.ts)

Three new aws.dev.* settings:

| Setting | Purpose |
| --- | --- |
| smusStubDerCredentials | Bypass /sso/redeem-token, inject hardcoded credentials as DER |
| smusStubSsoIssuerUrl | Bypass SSO browser login, create fake SSO connection |
| smusIamDomainSsoTest | Use project credentials for getToolingEnvironment and connection credentials (IAM domain type flag) |

| File | What Changed |
| --- | --- |
| sageMakerUnifiedStudioProjectNode.ts | getToolingEnvironment → project creds |
| sageMakerUnifiedStudioSpacesParentNode.ts | getToolingEnvironment (for SageMaker domain ID) → project creds |
| sageMakerUnifiedStudioConnectionParentNode.ts | fetchConnections (Data Warehouse/Processing) → project creds |
| connectionCredentialsProvider.ts | Connection credentials → project creds |
| smusAuthenticationProvider.ts | getToolingEnvironment in getProjectAccountId → project creds |
| datazoneClient.ts | getToolingBlueprintName returns ToolingLite when flag set |

  • Treat all work as PUBLIC. Private feature/x branches will not be squash-merged at release time.
  • Your code changes must meet the guidelines in CONTRIBUTING.md.
  • License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

@amazon-inspector-ohio

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

github-actions bot commented Mar 8, 2026

  • This pull request modifies code in src/* but no tests were added/updated.
    • Confirm whether tests should be added or ensure the PR description explains why tests are not required.

@amazon-inspector-ohio

✅ I finished the code review, and didn't find any security or code quality issues.
