feat(auth): add console credentials sign-in option to login webview (#8401)

## Problem

Users can use a beginner-friendly interface to authenticate with AWS
Console credentials to obtain temporary credentials, especially for new
AWS users. This GUI-based offers alternative to `aws login` command-line
authentication.

Reference:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html

## Solution

- Add "Console credentials - recommended" option to login webview
- Restrict profile name input to alphanumeric, underscore, and hyphen
characters (following [profile name
pattern](https://github.com/keenwilson/aws-toolkit-vscode/blob/89739bc176c28321f64cd672664014d1ddfed533/packages/core/src/auth/consoleSessionUtils.ts#L48))
- Show "Opening AWS sign-in in your default browser..." during
authentication
- Redirect to explorer view upon successful sign-in

Note:
- The UI flow follows the same pattern as IAM credentials setup, with
these key differences:
  - Console credentials form takes profile name and region (optional)
  - IAM credentials form takes access key and secret key
  - Different telemetry emitted for credential source ID:
     - Console credentials: 'consoleCredentials'
      - IAM credentials: 'sharedCredentials'
- Telemetry for credential source ID is tracked via
aws/aws-toolkit-common#1108
- AWS CLI returns exit code 255 if browser-based authentication is not
completed, this prevents partial/incomplete authentication states
- Reuse `fromLoginCredentials` provider instance to prevent multiple
credential resolution attempts and maintain consistent refresh behavior
at
[resolveProviderWithCancel](https://github.com/aws/aws-toolkit-vscode/blob/eb11eb59318ab83a1f609e472eab760ea38201d1/packages/core/src/auth/providers/sharedCredentialsProvider.ts#L256)
in sharedCredentialsProvider

## UI Changes

- Added "Console credentials - recommended" as first option in login
selection

<img width="1122" height="633" alt="1-start"
src="https://github.com/user-attachments/assets/3d46b1ee-9730-4834-ac64-328a5b92227c"
/>

- Created profile name input with validation for letters, numbers, - and
_
- Made region selection optional with us-east-1 default

<img width="1122" height="631" alt="4-console-profile"
src="https://github.com/user-attachments/assets/f1acfffb-40b6-4f7e-a87a-96da6b0ff59d"
/>

- Shows clear guidance during browser authentication flow
<img width="1150" height="765" alt="Opening AWS sign-in in your default
browser."
src="https://github.com/user-attachments/assets/9f04fea4-0980-4eef-9b3f-e5c2caa9fbc5"
/>

- Attempt to update AWS CLI if the version < 2.32.0

<img width="1086" height="710" alt="Screenshot 2025-12-11 at 4 31 17 PM"
src="https://github.com/user-attachments/assets/77cbc5b6-b238-4db1-bc21-d178081bc298"
/>

### Known Issue: Windows PATH Environment After AWS CLI Installation

When installing or updating AWS CLI v2 through the toolkit on Windows
machine within a managed enterprise or workspace environment, the
installation may appear successful, but users receive the error:

```
[error] aws.toolkit.auth.consoleLogin: Error: Failed to verify or install AWS CLI [CliInstallFailed]
	 -> Error: Could not verify installed CLIs
```

This typically occurs because the installer successfully places the
necessary files in the default directory (`C:\Program
Files\Amazon\AWSCLIV2\`), but security policies or user permissions
within the workspace prevent the installer from correctly or immediately
updating the system's PATH environment variable. The command prompt
doesn't know where to look for the `aws.exe` file.

You can verify the installation using the full path and contact your IT
support to add the installation path (`C:\Program
Files\Amazon\AWSCLIV2\`) to the System variables `PATH` environment
variable.
```powershell
"C:\Program Files\Amazon\AWSCLIV2\aws.exe" --version

```
 

 
---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

Author: keenwilson

package-lock.json

@@ -42,7 +42,7 @@
         "scan-licenses": "ts-node ./scripts/scan-licenses.ts"
     },
     "devDependencies": {
-        "@aws-toolkits/telemetry": "^1.0.338",
+        "@aws-toolkits/telemetry": "^1.0.341",
         "@playwright/browser-chromium": "^1.43.1",
         "@stylistic/eslint-plugin": "^2.11.0",
         "@types/he": "^1.2.3",

package.json

@@ -9,7 +9,8 @@ const localize = nls.loadMessageBundle()
 
 import { getLogger } from '../shared/logger/logger'
 import { ChildProcess } from '../shared/utilities/processUtils'
-import { getOrInstallCli } from '../shared/utilities/cliUtils'
+import { getOrInstallCli, updateAwsCli } from '../shared/utilities/cliUtils'
+import { CancellationError } from '../shared/utilities/timeoutUtils'
 import { ToolkitError } from '../shared/errors'
 import { telemetry } from '../shared/telemetry/telemetry'
 import { Auth } from './auth'
@@ -24,46 +25,45 @@ import { createRegionPrompter } from '../shared/ui/common/region'
  * @param region Optional AWS region. If not provided, user will be prompted.
  */
 export async function authenticateWithConsoleLogin(profileName?: string, region?: string): Promise<void> {
-    await telemetry.auth_consoleLoginCommand.run(async (span) => {
-        span.record({ authConsoleLoginStarted: true }) // Track entry into flow (raw count)
-        const logger = getLogger()
+    const logger = getLogger()
 
-        // Prompt for profile name if not provided
-        if (!profileName) {
-            const profileNameInput = await vscode.window.showInputBox({
-                prompt: localize('AWS.message.prompt.consoleLogin.profileName', 'Enter a name for this profile'),
-                placeHolder: localize('AWS.message.placeholder.consoleLogin.profileName', 'profile-name'),
-                validateInput: (value) => {
-                    if (!value || value.trim().length === 0) {
-                        return localize(
-                            'AWS.message.error.consoleLogin.emptyProfileName',
-                            'Profile name cannot be empty'
-                        )
-                    }
-                    if (/\s/.test(value)) {
-                        return localize(
-                            'AWS.message.error.consoleLogin.spacesInProfileName',
-                            'Profile name cannot contain spaces'
-                        )
-                    }
-                    if (!/^[a-zA-Z0-9_-]+$/.test(value)) {
-                        return localize(
-                            'AWS.message.error.consoleLogin.invalidCharacters',
-                            'Profile name can only contain letters, numbers, underscores, and hyphens'
-                        )
-                    }
-                    return undefined
-                },
+    // Prompt for profile name if not provided
+    if (!profileName) {
+        const profileNameInput = await vscode.window.showInputBox({
+            prompt: localize('AWS.message.prompt.consoleLogin.profileName', 'Enter a name for this profile'),
+            placeHolder: localize('AWS.message.placeholder.consoleLogin.profileName', 'profile-name'),
+            validateInput: (value) => {
+                if (!value || value.trim().length === 0) {
+                    return localize('AWS.message.error.consoleLogin.emptyProfileName', 'Profile name cannot be empty')
+                }
+                if (/\s/.test(value)) {
+                    return localize(
+                        'AWS.message.error.consoleLogin.spacesInProfileName',
+                        'Profile name cannot contain spaces'
+                    )
+                }
+                if (!/^[a-zA-Z0-9_-]+$/.test(value)) {
+                    return localize(
+                        'AWS.message.error.consoleLogin.invalidCharacters',
+                        'Profile name can only contain letters, numbers, underscores, and hyphens'
+                    )
+                }
+                return undefined
+            },
+        })
+
+        if (!profileNameInput) {
+            throw new ToolkitError('User cancelled entering profile', {
+                cancelled: true,
             })
+        }
 
-            if (!profileNameInput) {
-                throw new ToolkitError('User cancelled entering profile', {
-                    cancelled: true,
-                })
-            }
+        profileName = profileNameInput.trim()
+    }
 
-            profileName = profileNameInput.trim()
-        }
+    // After user interaction has occurred, we can safely emit telemetry
+    await telemetry.auth_consoleLoginCommand.run(async (span) => {
+        span.record({ authConsoleLoginStarted: true }) // Track entry into flow (raw count)
 
         // Prompt for region if not provided
         if (!region) {
@@ -216,7 +216,8 @@ export async function authenticateWithConsoleLogin(profileName?: string, region?
                 void vscode.window.showErrorMessage(
                     localize(
                         'AWS.message.error.consoleLogin.signinServiceError',
-                        'The command was successfully parsed and a request was made to the AWS Sign-in service but the service returned an error. Please try again.'
+                        'Unable to sign in with console credentials in "{0}". Please try another region.',
+                        region
                     )
                 )
                 throw new ToolkitError('AWS Sign-in service returned an error', {
@@ -225,6 +226,21 @@ export async function authenticateWithConsoleLogin(profileName?: string, region?
                         exitCode: result.exitCode,
                     },
                 })
+            } else if (result.exitCode === 252) {
+                // AWS CLI is outdated, attempt to update
+                try {
+                    await updateAwsCli()
+                    // Retry the login command after successful update
+                    return await authenticateWithConsoleLogin(profileName, region)
+                } catch (err) {
+                    if (CancellationError.isUserCancelled(err)) {
+                        throw new ToolkitError('User cancelled updating AWS CLI', {
+                            cancelled: true,
+                        })
+                    }
+                    logger.error('Failed to update AWS CLI: %O', err)
+                    throw ToolkitError.chain(err, 'AWS CLI update failed')
+                }
             } else {
                 // Show generic error message
                 void vscode.window.showErrorMessage(

packages/core/src/auth/consoleSessionUtils.ts

@@ -90,7 +90,6 @@ export class SharedCredentialsProvider implements CredentialsProvider {
         if (hasProps(this.profile, SharedCredentialsKeys.SSO_START_URL)) {
             return 'ssoProfile'
         } else if (hasProps(this.profile, SharedCredentialsKeys.CONSOLE_SESSION)) {
-            // @ts-ignore wait for https://github.com/aws/aws-toolkit-common/commit/f3a7c462000b1261ffce2b31ef00e99f73255d48
             return 'consoleSessionProfile'
         } else if (this.isCredentialSource(credentialSources.EC2_INSTANCE_METADATA)) {
             return 'ec2Metadata'
@@ -358,7 +357,7 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 
         if (hasProps(this.profile, SharedCredentialsKeys.CONSOLE_SESSION)) {
             logger.verbose(
-                `Profile ${this.profileName} contains ${SharedCredentialsKeys.CONSOLE_SESSION} - treating as regular Shared Credentials`
+                `Profile ${this.profileName} contains ${SharedCredentialsKeys.CONSOLE_SESSION} - treating as Console Credentials`
             )
 
             return this.makeConsoleSessionCredentialsProvider()
@@ -398,15 +397,16 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 
     private makeConsoleSessionCredentialsProvider() {
         const defaultRegion = this.getDefaultRegion() ?? 'us-east-1'
+        const baseProvider = fromLoginCredentials({
+            profile: this.profileName,
+            clientConfig: {
+                region: this.getDefaultRegion() ?? 'us-east-1',
+            },
+        })
+
         return async () => {
             try {
-                const provider = fromLoginCredentials({
-                    profile: this.profileName,
-                    clientConfig: {
-                        region: defaultRegion,
-                    },
-                })
-                return await provider()
+                return await baseProvider()
             } catch (error) {
                 getLogger().error(
                     'Console login authentication failed for profile %s in region %s: %O',
@@ -418,8 +418,22 @@ export class SharedCredentialsProvider implements CredentialsProvider {
                 if (
                     error instanceof Error &&
                     (error.message.includes('Your session has expired') ||
-                        error.message.includes('Failed to load a token for session'))
+                        error.message.includes('Failed to load a token for session') ||
+                        error.message.includes('Failed to load token from'))
                 ) {
+                    // Ask for user confirmation before refreshing
+                    const response = await vscode.window.showInformationMessage(
+                        `Unable to use your console credentials for profile "${this.profileName}". Would you like to refresh it?`,
+                        'Refresh',
+                        'Cancel'
+                    )
+
+                    if (response !== 'Refresh') {
+                        throw ToolkitError.chain(error, 'User cancelled console credentials token refresh.', {
+                            code: 'LoginSessionRefreshCancelled',
+                            cancelled: true,
+                        })
+                    }
                     getLogger().info('Re-authenticating using console credentials for profile %s', this.profileName)
                     // Execute the console login command with the existing profile and region
                     try {
@@ -440,14 +454,8 @@ export class SharedCredentialsProvider implements CredentialsProvider {
                         'Authentication completed for profile %s, refreshing credentials...',
                         this.profileName
                     )
-                    // Retry with fresh credentials
-                    const refreshedProvider = fromLoginCredentials({
-                        profile: this.profileName,
-                        clientConfig: {
-                            region: defaultRegion,
-                        },
-                    })
-                    return await refreshedProvider()
+                    // Use the same provider instance but get fresh credentials
+                    return await baseProvider()
                 }
                 throw ToolkitError.chain(error, `Failed to get console credentials`, {
                     code: 'FromLoginCredentialProviderError',

packages/core/src/auth/providers/sharedCredentialsProvider.ts

@@ -210,6 +210,10 @@ export class AmazonQLoginWebview extends CommonAuthWebview {
         return []
     }
 
+    override startConsoleCredentialSetup(profileName: string, region: string): Promise<AuthError | undefined> {
+        throw new Error('Method not implemented.')
+    }
+
     override startIamCredentialSetup(
         profileName: string,
         accessKey: string,

packages/core/src/login/webview/vue/amazonq/backend_amazonq.ts

@@ -171,6 +171,8 @@ export abstract class CommonAuthWebview extends VueWebview {
         return Auth.instance.authenticateData(data)
     }
 
+    abstract startConsoleCredentialSetup(profileName: string, region: string): Promise<AuthError | undefined>
+
     abstract startIamCredentialSetup(
         profileName: string,
         accessKey: string,