feat(amazonq): Enable SageMaker SSO Users to use AmazonQ Chat & Code completion using their Credentials & Q Pro-tier profile

[ahusseinali]

Problem

SageMaker Amazon Q Pro-tier users didn't have the ability to use their pro-tier profile ARN when using Amazon Q Chat & Code Completion. Previously, we had SageMaker pro-tier SSO users unable to automatically use their Code Editor login credentials to create an auth connection with Amazon Q APIs. This meant they have to re-login in order to use AmazonQ chat & Code Completion.

One big obstacle to enable auto-login for SSO users was that their credentials are stored in HttpOnly Cookie and a change had to be set in place in SageMaker Code Editor environment in order for AmazonQ extension to be able to read the cookie value and send it as bearer token.

Solution

Along with a change implemented for SageMaker Code Editor in https://github.com/aws/sagemaker-code-editor/pull/99/files
This PR implements the following:

1. SageMaker client to read SageMaker user domain status to identify whether pro-tier is enabled or not & read the cookie value through custom SageMaker code editor command.
   1.1. In case Pro-tier is not enabled, the login flow is similar to IAM SageMaker users (using Container environment variables)
   1.2. The custom command execution stores cookie values into a file and the client reads the value from that file.
2. SageMakerSSOTokenProvider: Custom token provider parallel to the original SSO Token provider. It doesn't go through any creation UI logic as the token already exists in file. This provider polls for token refresh every 5 minutes integrating with the client mentioned in Support listing multiple user-selected regions in explorer #1
3. Pass Q Pro-tier ProfileARN (if it is enabled) to API calls that need it for SSO users
4. Change the connection validation logic to account for valid pre-created SSO connections for SageMaker environment.
5. Add Auto connect logic for SSO user flow in SageMaker

Followup steps

Simplify the logic for communicating the SSO credentials and creating a connection based on such credentials, by letting SageMaker Code Editor create a standard AWS Credentials File & adding a watcher logic in AWS toolkit codebase to automatically sync with such file existence

---

• Treat all work as PUBLIC. Private feature/x branches will not be squash-merged at release time.
• Your code changes must meet the guidelines in CONTRIBUTING.md.
• License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

• This pull request modifies code in src/* but no tests were added/updated.
  • Confirm whether tests should be added or ensure the PR description explains why tests are not required.

[hayemaxi]

This implies that this token provider would work with toolkit. Is that intended?

Are the SSO scopes required? If not, do not attach them.

Suggested change

	let scopes = [...scopesSsoAccountAccess]
	if (isAmazonQ()) {
	scopes = [...scopes, ...SageMakerSpaceClient.getQConnectionScopes()]
	}
	const scopes = [isAmazonQ() ? ...SageMakerSpaceClient.getQConnectionScopes() : ...scopesSsoAccountAccess]

[hayemaxi]

Can we give users all amazon Q scopes? Why are we only giving this subset

[hayemaxi]

"CodeWhisperer" is no more

Suggested change

	"description": "Enable SageMaker SSO user access token & Profile ARN to be used for accessing AmazonQ & CodeWhisperer features"
	"description": "Auth: Enable SSO access for SageMaker users."

[hayemaxi]

Could the connection already exist in a saved state from a prior session?

[hayemaxi]

I don't think this pattern makes sense. This class is a singleton accessible via getInstance only, so you can never pass a custom sageMakerClient. The constructor is private.

[hayemaxi]

Follow the same format that we have in other singletons for consistency

aws-toolkit-vscode/packages/core/src/codewhisperer/util/authUtil.ts

Lines 234 to 241 in e6c3101

	public static get instance() {
	if (this.#instance !== undefined) {
	return this.#instance
	}
	const self = (this.#instance = new this())
	return self
	}

Suggested change

	public static getInstance(): SageMakerSpaceClient {
	if (!this._instance) {
	this._instance = new SageMakerSpaceClient()
	}
	return this._instance
	}
	public static get instance() {
	if (!this.#instance) {
	this.#instance = new SageMakerSpaceClient()
	}
	return this.#instance
	}

[hayemaxi]

What is a profile ARN and why do we want it? Please add a docstring

[hayemaxi]

Use constants in

aws-toolkit-vscode/packages/core/src/shared/datetime.ts

Line 10 in e6c3101

export const oneMinute = oneSecond * 60

e.g.

Suggested change

	const TOKEN_EXPIRY = 5 * 60 * 1000
	const TOKEN_EXPIRY = oneMinute * 5

[hayemaxi]

Nothing is guaranteed to exist in the sagemaker cookie? Would be nice if we had some documentation about sagemaker expectations (if it doesn't already exist)

[hayemaxi]

We already have logic for this. Use

aws-toolkit-vscode/packages/core/src/shared/regions/regionProvider.ts

Line 46 in e6c3101

return this.awsContext.getCredentialDefaultRegion() ?? defaultRegion

in globals, e.g.:

globals.regionProvider

[hayemaxi]

Is packages/amazonq going to use this soon? Otherwise this isn't needed.

[hayemaxi]

Suggested change

	let useDefaultCredentials = true
	if (isSageMaker() && isAmazonQ()) {
	useDefaultCredentials = !(await SageMakerSpaceClient.getInstance().getAmazonQProfileArn())
	}
	if (useDefaultCredentials) {
	const useDefaultCredentials = isSageMaker() && isAmazonQ() && !(await SageMakerSpaceClient.getInstance().getAmazonQProfileArn())
	if (useDefaultCredentials) {

[hayemaxi]

This isn't a URL... can we use sagemakerCookie.redirectURL? I'm worried about callers using this field with functions expecting a real URL.