fix(cwl): Pass in active credentials when creating CWL client for LiveTail #5993
Conversation
|
| @@ -25,12 +25,16 @@ export async function tailLogGroup( | |||
| if (!wizardResponse) { | |||
| throw new CancellationError('user') | |||
| } | |||
|
|
|||
| const awsCredentials = await globals.awsContext.getCredentials() | |||
There was a problem hiding this comment.
I'm not familiar with how this works under the hood. Will it fall back to default credentials if nobody is logged into the toolkit? Or does it require someone to be logged in? If so, maybe we should re-direct them to login with credentials if they do not exist?
There was a problem hiding this comment.
If you have no selected credential, the explorer side bar will prompt you to add/select one.
If the selected credential is expired, it will say that, and give you an option to re-authenticate.
If your credential is expired/unselected and you try to select TailLogGroup from the command palette, this first picker to select a LogGroup will show [Error loading Items] Toolkit is not logged in.
|
Note that this is part of the motivation for #5940 , where we are starting work on a v3 "client builder" which will handle this stuff automatically. We have a v2 clientbuilder already, but are missing one for v3. @Hweinstock |
| const liveTailSessionConfig: LiveTailSessionConfiguration = { | ||
| logGroupArn: wizardResponse.regionLogGroupSubmenuResponse.data, | ||
| logStreamFilter: wizardResponse.logStreamFilter, | ||
| logEventFilterPattern: wizardResponse.filterPattern, | ||
| region: wizardResponse.regionLogGroupSubmenuResponse.region, | ||
| awsCredentials: awsCredentials, |
There was a problem hiding this comment.
would it make sense to call globals.awsContext.getCredentials() implicitly in your client, instead of plumbing it through like this?
There was a problem hiding this comment.
I explored that. But ran into an issue. We currently build & set the CWL client on theLiveTailSession in its constructor. globals.awsContext.getCredentials() is async, which cannot be awaited in the constructor since constructors cannot also be aysnc.
Hence why we are awaiting the credentials in tailLogGroup command, and plumbing it.
Something I just considered is that we could maybe construct and set the CWL client only when startLiveTail is actually called, since that is when the Client is actually needed. That method can be async. I'll explore that more and follow up.
There was a problem hiding this comment.
lobals.awsContext.getCredentials()isasync, which cannot beawaited in the constructor since constructors cannot also be aysnc.
We usually add a create() "factory function" to work around that, and make the constructor private.
Problem
When creating the CloudWatchClient for a LiveTail session, we are not specifying which credentials to use. This is causing the client to always use the
Defaultcredential profile, even if a different AWS Credential profile is selected within AWSToolkit.Solution
Resolve the active AWS credential from
globals.awsContext, and supply that to the LiveTailSession constructor. These credentials are then use to construct the CWL client.License: I confirm that my contribution is made under the terms of the Apache 2.0 license.