fix(auth): prevent connection usage when console login is cancelled or fails (#8580)

## Problem

- #8537 introduced
setupConsoleConnection() and getFunctionWithFallback() to handle
authentication fallback for Lambda console-to-IDE transitions.
- When developers click "Open in VSCode" and their local AWS profile is
invalid, toolkit automatically triggers browser-based console login as a
fallback. However, console login requires prerequisites that not all
developers can complete. When developers cancel console login, the CLI
never writes the connection profile to disk. The Toolkit then attempts
to use this non-existent connection, resulting in "Connection does not
exist" errors.






<img width="471" height="265"
alt="problem-before-the-fix-connection-does-not-exist"
src="https://github.com/user-attachments/assets/fd973ce1-7b28-4474-8b55-b0408c67e0ce"
/>


## Solution

- Verify connection exists in `setupConsoleConnection()` after
"aws.toolkit.auth.consoleLogin" completes
- Show warning message with link to [prerequisites
documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html#cli-configure-sign-in-prerequisites)
when connection verification fails
- Throw ToolkitError to halt execution and prevent downstream connection
usage

<img width="1293" height="302" alt="update-message-with-learnmore"
src="https://github.com/user-attachments/assets/a1d35f14-4c42-43c1-8417-b6532ed00e9a"
/>

<img width="1042" height="625" alt="click-learnmore-show-dialog"
src="https://github.com/user-attachments/assets/aace3330-4ea8-4bd8-ad24-e8e956f09c45"
/>


### Background

The Lambda load-function URI handler enables a seamless workflow where
users can click "Open in Visual Studio Code" from the AWS Lambda console
to view, edit, and deploy their Lambda functions directly in their
preferred IDE. This feature downloads the function code locally, opens
it in VS Code, and allows users to make changes and deploy updates back
to AWS—all without leaving their development environment.



---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

Author: keenwilson

packages/core/src/auth/utils.ts

@@ -10,6 +10,7 @@ const localize = nls.loadMessageBundle()
 
 import * as vscode from 'vscode'
 import * as localizedText from '../shared/localizedText'
+import { consoleSessionHelpUrl } from '../shared/constants'
 import { codicon, getIcon } from '../shared/icons'
 import { createQuickPick, DataQuickPickItem, showQuickPick } from '../shared/ui/pickerPrompter'
 import { isValidResponse } from '../shared/wizards/wizard'
@@ -926,5 +927,19 @@ export async function setupConsoleConnection(profileName: string, region: string
     getLogger().info('Auth: Sets up a connection via browser login for profile: %s, region: %s', profileName, region)
     await vscode.commands.executeCommand('aws.toolkit.auth.consoleLogin', profileName, region)
     const connectionId = getConnectionIdFromProfile(profileName)
+    // Verify connection was actually created before trying to use it.
+    // The telemetry wrapper around the console login command catches and logs errors but returns undefined
+    // instead of re-throwing them. When users cancel (userCancelled=true), the command completes without error,
+    // so we must check if the connection exists before attempting to use it to avoid confusing downstream errors.
+    const connection = await Auth.instance.getConnection({ id: connectionId })
+    if (!connection) {
+        const message = 'Unable to connect to AWS. Console login was cancelled or did not complete successfully.'
+        void vscode.window.showWarningMessage(message, localizedText.learnMore).then((selection) => {
+            if (selection === localizedText.learnMore) {
+                void vscode.env.openExternal(vscode.Uri.parse(consoleSessionHelpUrl))
+            }
+        })
+        throw new ToolkitError(message, { cancelled: true })
+    }
     await Auth.instance.useConnection({ id: connectionId })
 }

packages/core/src/shared/constants.ts

@@ -43,7 +43,8 @@ export const credentialHelpUrl: string =
     'https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/setup-credentials.html'
 export const ssoCredentialsHelpUrl: string =
     'https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/sso-credentials.html'
-
+export const consoleSessionHelpUrl: string =
+    'https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html#cli-configure-sign-in-prerequisites'
 export const supportedLambdaRuntimesUrl: string =
     'https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html'
 export const createUrlForLambdaFunctionUrl = 'https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html'

packages/core/src/test/auth/utils.test.ts

@@ -9,6 +9,7 @@ import * as vscode from 'vscode'
 import { Auth } from '../../auth/auth'
 import { ToolkitError } from '../../shared/errors'
 import * as authUtils from '../../auth/utils'
+import { getTestWindow } from '../shared/vscode/window'
 
 describe('getConnectionIdFromProfile', function () {
     it('constructs connection ID from profile name', function () {
@@ -35,16 +36,39 @@ describe('setupConsoleConnection', function () {
 
     it('creates connection after successful console login', async function () {
         const executeCommandStub = sandbox.stub(vscode.commands, 'executeCommand').resolves()
+        const getConnectionStub = sandbox
+            .stub(Auth.instance, 'getConnection')
+            .resolves({ id: 'profile:test-profile' } as any)
         const useConnectionStub = sandbox.stub(Auth.instance, 'useConnection').resolves()
 
         await authUtils.setupConsoleConnection('test-profile', 'us-east-1')
 
         assert.ok(executeCommandStub.calledOnceWith('aws.toolkit.auth.consoleLogin', 'test-profile', 'us-east-1'))
+        assert.ok(getConnectionStub.calledOnceWith({ id: 'profile:test-profile' }))
         assert.ok(useConnectionStub.calledOnceWith({ id: 'profile:test-profile' }))
     })
 
+    it('throws error when connection was not created', async function () {
+        sandbox.stub(vscode.commands, 'executeCommand').resolves()
+        sandbox.stub(Auth.instance, 'getConnection').resolves(undefined)
+        getTestWindow().onDidShowMessage((m) => m.close())
+
+        await assert.rejects(
+            () => authUtils.setupConsoleConnection('test-profile', 'us-east-1'),
+            (err: ToolkitError) => {
+                assert.strictEqual(
+                    err.message,
+                    'Unable to connect to AWS. Console login was cancelled or did not complete successfully.'
+                )
+                assert.strictEqual(err.cancelled, true)
+                return true
+            }
+        )
+    })
+
     it('throws error when useConnection fails', async function () {
         sandbox.stub(vscode.commands, 'executeCommand').resolves()
+        sandbox.stub(Auth.instance, 'getConnection').resolves({ id: 'profile:test-profile' } as any)
         const error = new Error('useConnection failed')
         sandbox.stub(Auth.instance, 'useConnection').rejects(error)
 

packages/toolkit/.changes/next-release/Bug Fix-726900f0-c604-49ba-85ca-d35d454ffa9d.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "Lamdbda: Console-to-IDE transition shows \"Connection does not exist\" error when console login is cancelled or fail."
+}