
aws-login

helps configure the AWS cli for Optum and CHC Optum environments

IDE: claude, codex, vscode
Version: 0.0.0

Help the user configure the AWS CLI for Optum AWS by following the instructions below.

Optum Setup


have the user review the following instructions:

Use: https://console.hcp.uhg.com/products/dashboard/compute/public-cloud-account-management/jitdashboardview to activate a JIT session.

Read: https://docs.hcp.uhg.com/public-cloud/activating-pim-on-hcp-console

Read: https://docs.hcp.uhg.com/public-cloud/activating-pim-for-aws-gcp

or https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup (ensure you are logged in as optumcloud.com)

Finally you should be able to login to https://optumcloud.awsapps.com/start and access your JIT account.

Configure AWS CLI

Explain to the user to use the following values:

when prompted for SSO session name, use optumaws-dev or whatever you want to call it
when prompted for SSO start URL, use: https://optumcloud.awsapps.com/start/#
when prompted for SSO region, use: us-east-1
when prompted for registration scopes, just hit enter to accept the default
when prompted for default client region, use: us-east-1
when prompted for default output format, use: text, table or json as you prefer

ensure we use the value: "https://optumcloud.awsapps.com/start/#"

rm -rf ~/.aws
mkdir -p ~/.aws
aws configure sso --profile default --region us-east-1

you can also use the script scripts/configure-aws-cli-optum.sh to help this process.
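As an added example (this is not the repository's scripts/configure-aws-cli-optum.sh), the POSIX shell script below writes the same ~/.aws/config that the prompts above produce, without the interactive session, and checks that the default profile is wired to the Optum start URL. The session name, start URL, regions and output format are the values listed above; ACCOUNT_ID, ROLE_NAME and the AWS_LOGIN_APPLY guard are assumptions of this example, and the account/role values are placeholders because the page does not give them.

```shell
#!/bin/sh
# Added example (not the repo's scripts/configure-aws-cli-optum.sh): write the
# ~/.aws/config that "aws configure sso" builds from the values above, without
# the prompts. ACCOUNT_ID and ROLE_NAME are placeholders this page does not
# give; "aws configure sso" picks them from the JIT account/role list.
set -eu

SSO_SESSION_NAME="optumaws-dev"
SSO_START_URL="https://optumcloud.awsapps.com/start/#"
SSO_REGION="us-east-1"
CLI_REGION="us-east-1"
CLI_OUTPUT="${CLI_OUTPUT:-json}"             # text, table or json
ACCOUNT_ID="${ACCOUNT_ID:-000000000000}"     # placeholder JIT account id
ROLE_NAME="${ROLE_NAME:-YourPermissionSet}"  # placeholder permission set

# write_aws_config [DIR]: writes DIR/config (default ~/.aws) and prints its path
write_aws_config() {
    dir="${1:-$HOME/.aws}"
    cfg="$dir/config"
    mkdir -p "$dir" && chmod 700 "$dir"
    # Back up instead of "rm -rf ~/.aws" so other profiles are not lost.
    if [ -f "$cfg" ]; then cp "$cfg" "$cfg.bak.$(date +%s)"; fi
    cat > "$cfg" <<EOF
[sso-session $SSO_SESSION_NAME]
sso_start_url = $SSO_START_URL
sso_region = $SSO_REGION
sso_registration_scopes = sso:account:access

[default]
sso_session = $SSO_SESSION_NAME
sso_account_id = $ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = $CLI_REGION
output = $CLI_OUTPUT
EOF
    chmod 600 "$cfg"
    printf '%s\n' "$cfg"
}

# check_aws_config FILE: succeeds only if the default profile is wired to the
# Optum start URL via the session block (a common cause of "aws sso login" errors).
check_aws_config() {
    grep -qxF "sso_start_url = $SSO_START_URL" "$1" &&
    grep -qxF "[sso-session $SSO_SESSION_NAME]" "$1" &&
    grep -qxF "sso_session = $SSO_SESSION_NAME" "$1"
}

# Only touch the real ~/.aws when asked: AWS_LOGIN_APPLY=1 sh configure.sh
if [ "${AWS_LOGIN_APPLY:-0}" = "1" ]; then
    cfg=$(write_aws_config) && check_aws_config "$cfg" && echo "wrote $cfg"
fi
```

After running it with AWS_LOGIN_APPLY=1, `aws sso login` works as in the login step below; without the guard variable the script only defines the functions.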

login

after a successful configuration, the user can simply run:

aws sso login

to re-authenticate.

Troubleshooting

it may be necessary to clear cached SSO tokens:

rm -rf ~/.aws/config

then re-run the

aws configure sso --profile default --region us-east-1

command above.

Legacy CHC Optum Setup

If the user is using a Change Healthcare AWS account, this is the way to configure the AWS CLI.

The user can review the instructions for installing saml2aws here: https://oicto.atlassian.net/wiki/spaces/MNR/pages/69437087/How+to+Create+temp+creds+for+AWS+CLI

Configure AWS CLI

ask the user for the username and modify the below command accordingly:

saml2aws configure \
  --idp-account="optum" \
  --idp-provider="PingOne" \
  --url="https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices" \
  --username="your.username" \
  --profile="optum-profile" \
  --region="us-east-1" \
  --session-duration=3600 \
  --skip-prompt

then use runInTerminal (or runCommands) to run the command in the terminal.

working example of saml2aws configure:

saml2aws configure
# this will start a prompt, choose the values to the right of my examples below
Please choose a provider: PingOne
AWS Profile (saml) : <You can Say default or dmsdev or mpdev etc.. this will be the --profile value on your aws cli command>
URL: https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices
Username: <CHC Username you use to PingOne sign on>
Password: Just Hit enter to not save the password to your profile!!  Don't make your workstation insecure !!
# if all goes well  you should see something like this:
account {
  URL: https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices
  Username: pcorazao
  Provider: PingOne
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: default
  RoleARN:
  Region:
}

Troubleshooting

it may be necessary to clear cached SSO tokens:

rm -rf ~/.aws/config

then re-run the

saml2aws configure \
  --idp-account="optum" \
  --idp-provider="PingOne" \
  --url="https://saml.emdeon.com/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices" \
  --username="your.username" \
  --profile="optum-profile" \
  --region="us-east-1" \
  --session-duration=3600 \
  --skip-prompt

finally, log in with the same IdP account and profile you configured:

# --idp-account must match the name given to "saml2aws configure" above
saml2aws login --idp-account="optum" --profile="optum-profile"