aws-login
helps configure the AWS CLI for Optum and CHC Optum environments
Help the user configure the AWS CLI for Optum AWS by following the instructions below.
Optum Setup
Explain to the user to use the following values:
when prompted for SSO session name, use optumaws-dev (or whatever you want to call it)
when prompted for SSO start URL, use: https://optumcloud.awsapps.com/start/#
when prompted for SSO region, use: us-east-1
when prompted for registration scopes, just hit enter to accept the default
when prompted for default client region, use: us-east-1
when prompted for default output format, use: text, table or json as you prefer
Ensure the SSO start URL is exactly the value: "https://optumcloud.awsapps.com/start/#"
Then run (note that the first command deletes any existing AWS CLI profiles and credentials):
rm -rf ~/.aws
mkdir -p ~/.aws
aws configure sso --profile default --region us-east-1
You can also use the script scripts/configure-aws-cli-optum.sh to help with this process.
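As an added example (not the page's scripts/configure-aws-cli-optum.sh), the POSIX sh functions below write the sso-session and default-profile blocks that `aws configure sso` produces from the values above, and check an existing config for the expected Optum start URL and region so a mistyped or substituted start URL is caught before `aws sso login` sends the device-authorization flow elsewhere. The session name and output format are parameters; the account id and role name a profile needs for API calls are not written here because `aws configure sso` chooses them interactively.

```shell
#!/usr/bin/env sh
# Added example: not the project's own script. Values below are the ones the
# page gives for Optum; sso_registration_scopes is the AWS CLI default that
# "just hit enter" accepts.
OPTUM_SSO_START_URL="https://optumcloud.awsapps.com/start/#"
OPTUM_SSO_REGION="us-east-1"

# write_optum_config FILE SESSION_NAME OUTPUT_FORMAT
# Writes the config `aws configure sso --profile default` would produce,
# minus sso_account_id / sso_role_name, which are picked interactively.
write_optum_config() {
  cat > "$1" <<EOF
[sso-session $2]
sso_start_url = $OPTUM_SSO_START_URL
sso_region = $OPTUM_SSO_REGION
sso_registration_scopes = sso:account:access

[default]
sso_session = $2
region = $OPTUM_SSO_REGION
output = $3
EOF
}

# check_optum_config FILE
# Returns 0 when the first sso-session in FILE points at the Optum start URL
# and region, 1 otherwise. Any other start URL means the CLI would hand the
# browser/device flow to a portal other than Optum's.
check_optum_config() {
  _url=$(sed -n 's/^sso_start_url *= *//p' "$1" | head -n 1)
  _region=$(sed -n 's/^sso_region *= *//p' "$1" | head -n 1)
  [ "$_url" = "$OPTUM_SSO_START_URL" ] && [ "$_region" = "$OPTUM_SSO_REGION" ]
}

# Usage: write_optum_config ~/.aws/config optumaws-dev json
#        check_optum_config ~/.aws/config || echo "unexpected SSO start URL/region"
```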
login
After a successful configuration, the user can simply run:
aws sso login
to re-authenticate.
Troubleshooting
It may be necessary to reset the AWS CLI configuration (note that this removes the config file; cached SSO tokens themselves live under ~/.aws/sso/cache):
rm -rf ~/.aws/config
then re-run the
aws configure sso --profile default --region us-east-1
command above.
Have the user review the following instructions to activate JIT access:
Use: https://console.hcp.uhg.com/products/dashboard/compute/public-cloud-account-management/jitdashboardview to activate JIT session.
Read: https://docs.hcp.uhg.com/public-cloud/activating-pim-on-hcp-console
Read: https://docs.hcp.uhg.com/public-cloud/activating-pim-for-aws-gcp
or https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup (ensure you are logged in as optumcloud.com)
Finally you should be able to login to https://optumcloud.awsapps.com/start and access your JIT account.
Legacy CHC Optum Setup
If the user is using a Change Healthcare AWS account, this is the way to configure the AWS CLI.
The user can review the instructions for installing saml2aws here: https://oicto.atlassian.net/wiki/spaces/MNR/pages/69437087/How+to+Create+temp+creds+for+AWS+CLI
Configure AWS CLI
Ask the user for their username and substitute it for your.username in the command below:
saml2aws configure \
--idp-account="optum" \
--idp-provider="PingOne" \
--url="https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices" \
--username="your.username" \
--profile="optum-profile" \
--region="us-east-1" \
--session-duration=3600 \
--skip-prompt
Then use the runInTerminal tool (or runCommands) to run the command in the terminal.
Working example of saml2aws configure:
saml2aws configure
# this will start a prompt; choose the values to the right of the examples below
Please choose a provider: PingOne
AWS Profile (saml) : <you can say default, dmsdev, mpdev, etc.; this will be the --profile value on your aws cli command>
URL: https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices
Username: <the CHC username you use for PingOne sign-on>
Password: just hit enter so the password is not saved to your profile!! Don't make your workstation insecure!!
# if all goes well you should see something like this:
account {
URL: https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices
Username: pcorazao
Provider: PingOne
MFA: Auto
SkipVerify: false
AmazonWebservicesURN: urn:amazon:webservices
SessionDuration: 3600
Profile: default
RoleARN:
Region:
}
Troubleshooting
It may be necessary to remove the existing AWS CLI config:
rm -rf ~/.aws/config
then re-run the
saml2aws configure \
--idp-account="optum" \
--idp-provider="PingOne" \
--url="https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices" \
--username="your.username" \
--profile="optum-profile" \
--region="us-east-1" \
--session-duration=3600 \
--skip-prompt
Finally, log in with the same profile you configured:
saml2aws login --profile="optum-profile"

