fix(lambda): add console credential fallback for Lambda URI handler

[keenwilson]

Problem

• Users without pre-configured credentials encounter authentication errors when opening Lambda functions from console
• Credential mismatches between console account and local profile cause errors even when function is accessible in console:
  • ResourceNotFoundException when function exists in console account but not in local profile account
  • AccessDeniedException when local credentials lack lambda:GetFunction permission but console credentials have access

Solution

• Add setupConsoleConnection() to encapsulate browser-based AWS CLI aws login authentication and use the new connection
• Add getFunctionWithFallback() to retrieve Lambda configuration with automatic console login fallback
• Integrate fallback into openLambdaFolderForEdit() to handle missing credentials and credential mismatches
• Improve error handling to distinguish credential mismatches and resource access issues
  • Handle ResourceNotFoundException by showing account-specific error message before fallback
  • Handle AccessDeniedException by showing permission error message before fallback

Screenshots

Show warning message when Lambda GetFunction API returns ResourceNotFoundException, then automatically proceed with console login flow

Show warning message when Lambda GetFunction API returns AccessDeniedException, then automatically proceed with console login flow

Background

The Lambda load-function URI handler enables a seamless workflow where users can click "Open in Visual Studio Code" from the AWS Lambda console to view, edit, and deploy their Lambda functions directly in their preferred IDE. This feature downloads the function code locally, opens it in VS Code, and allows users to make changes and deploy updates back to AWS—all without leaving their development environment.

Testing

• Tested with no local credentials configured
• Tested credential mismatch scenarios:
  • ResourceNotFoundException (function in console account but not local profile account)
  • AccessDeniedException (local credentials lack permission, console credentials have access)
• Tested user cancellation flow
• Test with SSO connection active

---

• Treat all work as PUBLIC. Private feature/x branches will not be squash-merged at release time.
• Your code changes must meet the guidelines in CONTRIBUTING.md.
• License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

[amazon-inspector-ohio]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[amazon-inspector-ohio]

✅ I finished the code review, and didn't find any security or code quality issues.

[valerena]

Why do we need to check that it's an IamConnection?

The previous getFunctionWithCredentials used a fromSSO for the case where the connection wasn't iam.

aws-toolkit-vscode/packages/core/src/shared/clients/lambdaClient.ts

Lines 350 to 351 in 8b4d088

	const credentials =
	connection.type === 'iam' ? await connection.getCredentials() : fromSSO({ profile: connection.id })

should we still consider that case too before going to create a console connection?

[keenwilson]

Good call. I removed the IamConnection type pre-check.

[valerena]

We retrieved the credentials in this getIAMConnectionOrFallbackToConsole, but then we're not using those credentials here, so inside this method we need to get the credentials again. Shouldn't we pass the credentials directly here, now that we have them? Or is there a reason to just make the method retrieve them directly instead of passing them as a parameter?

[keenwilson]

Thank you for pointing this out. I removed getIAMConnectionOrFallbackToConsole entirely since it duplicated credential retrieval logic in getFunctionWithCredentials.

[valerena]

Just to confirm the behavior:
So we're trying to get the credentials. If there are credentials we use those, but if they don't exist, we create the console connection.
Then we try to get the function, but if we fail because of different reasons, then we try again to create the console connection.

Could it happen that we create the console connection twice? If they didn't have a connection initially so we create the console connection, but then their console session has one of these errors? (maybe we want to retry?)

[keenwilson]

This was a very good point. I cleaned up the retry behavior to avoid setting up console connection for the second-time.

Here are the current scenarios handled by getFunctionWithFallback:

Active connection → success (no console setup)
Active connection → get function error (ResourceNotFoundException/AccessDeniedException) → show message → console retry → success
Active connection → get function error (other errors) → console retry (no message) → success
No connection → console setup → success
No connection → console setup → get function error (ResourceNotFoundException/AccessDeniedException) → show message → throw (no retry)
No connection → console setup → get function error (other errors) → throw (no message, no retry)
No connection → console setup error → throw (no message)

[seshubaws]

small thing but i wonder since this method says it's doing two things by way of the "and" should it be split into two methods for maintainability?

[keenwilson]

Agreed. I refactored the credential ID handling and made this function (renamed to setupConsoleConnection) only owns the console-connection setup path. The extra getConnection check was removed since useConnection already validates internally.

[seshubaws]

Should we log something here?

[keenwilson]

Since we removed the redundant credential pre-check, this log is no longer needed.

[seshubaws]

nit: lets just name this activeConnection, feels redundant to have "tryActiveConnection" inside the try block

[keenwilson]

Really appreciate the detailed feedback. I updated to activeConnection. Thanks a lot, Seshu.