
Configure Multiple Profiles for AWS Azure Login

To alleviate certain limitations of SailPoint as used in the RSI Portal, the RSC Team will
group AWS Management Console roles by the AWS accounts owned by each Business Unit and
create a separate application for each Business Unit in the RSI Portal. All PHC-owned AWS
accounts will be grouped under “PHC-APOLLO” in the RSI Portal (https://rsiportal.roche.com)
with the following logo.

PHC accounts among the POC accounts were already migrated earlier this month. PHC accounts in
the Sandbox and UAT environments will be migrated during the last week of April 2022, and
Production accounts in the following weeks.

To create session tokens using the Azure AWS client, additional configuration is required to
make the aws-azure-login client work. After installing the AWS Azure Login client, we can create
additional profiles to access the management console of AWS accounts. You will be able to
configure multiple profiles to access accounts belonging to different Business Units (e.g.
accounts belonging to the PHC, gRED, pRED and PD Business Units).

A successful installation of the AWS Azure login script configures the default profile. We
can configure multiple profiles to switch between BU roles. Please follow the steps below for
configuration.

1. Open a command prompt and type the commands below.

2. Run aws-azure-login --configure --profile <name>, giving the profile a useful name.

e.g.: aws-azure-login --configure --profile phc

3. You will be asked to enter the Tenant ID and Application ID.


4. The Azure Tenant ID is the same for all the Azure applications. Enter the following string
value as the Tenant ID:
c8036283-1408-4dc8-b870-31e789a0a528

5. The Azure Application ID is different for each BU, as listed below. Enter one of the
values from the table below. For the PHC BU, enter “f5ad20c2-6af2-4a4b-b8fc-dea190b16f17”.

NAME      APPLICATION ID
RSC-AWS   23105c06-c9f1-4c85-a654-3c32a9dc197c
PDAA      d4c9b624-6bd8-4516-9e01-69806f1ddb40
GIS       a134e6d3-6e9b-45a0-92be-42b2664a0b78
PRED      a3124e43-bf2c-4006-a62d-44bb3a39accf
PD        6aa700ca-98b2-4436-ae93-a7efc1b3c1e8
RSS       e63040ce-6af7-48f3-a364-2cc310e108f0
PT/PTS    7cbc382f-6f9b-4477-b729-fb9a5c55c959
DIS       ea8e3d30-914d-4c25-b23f-d4f201f657d8
PTI       9759b869-27c1-4c21-b566-5f4ff4c8cbee
RMS       c71a3787-fbb4-4770-ae16-74f8346fe16f
PTD       a4d328ff-dbb2-41ca-8531-0b7bb78f6453
PHC       f5ad20c2-6af2-4a4b-b8fc-dea190b16f17
PDIX      3fed0143-972b-43d3-a16c-515cec8e6f35
GRED      80a26c65-57d9-4f3d-93a4-f49b4d7d2d41

6. Then press “Enter” at all the remaining input prompts to accept the default values.
7. Once the new profile is successfully configured, run “aws-azure-login --mode=gui --profile
phc” to run the login script with that profile.

8. After this is set up, AWS CLI commands will work with the --profile option, e.g. as below:

aws sts get-caller-identity --profile phc

aws s3 ls --profile phc

9. If you are going to use only a specific set of accounts (e.g. PHC accounts), you can set up
the “default” profile with the App ID of the PHC accounts (f5ad20c2-6af2-4a4b-b8fc-dea190b16f17).
In that case, you don’t have to use the --profile option when running AWS client
commands.
a. aws-azure-login --configure --profile default
i. Tenant ID: c8036283-1408-4dc8-b870-31e789a0a528
ii. App ID: f5ad20c2-6af2-4a4b-b8fc-dea190b16f17
The default profile is created with the PHC App ID.
b. aws-azure-login --mode=gui
c. aws sts get-caller-identity ← profile option not required for PHC accounts
d. aws s3 ls ← profile option not required for PHC accounts
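
A mistyped Tenant ID or Application ID in a profile makes the login go through the wrong Azure application. The following check is an added example, not part of the original instructions: it parses an AWS config file and compares each profile against the Tenant ID and a subset of the Application IDs listed above. It assumes the azure_tenant_id and azure_app_id_uri keys that aws-azure-login writes to ~/.aws/config; the sample config text is constructed for illustration.

```python
import configparser

# Tenant ID and Application IDs copied from the steps and table above (subset of BUs).
EXPECTED_TENANT = "c8036283-1408-4dc8-b870-31e789a0a528"
BU_APP_IDS = {
    "f5ad20c2-6af2-4a4b-b8fc-dea190b16f17": "PHC",
    "80a26c65-57d9-4f3d-93a4-f49b4d7d2d41": "GRED",
    "a3124e43-bf2c-4006-a62d-44bb3a39accf": "PRED",
}

# Constructed sample of ~/.aws/config, not taken from a real workstation.
SAMPLE_CONFIG = """
[default]
azure_tenant_id=c8036283-1408-4dc8-b870-31e789a0a528
azure_app_id_uri=f5ad20c2-6af2-4a4b-b8fc-dea190b16f17

[profile gred]
azure_tenant_id=c8036283-1408-4dc8-b870-31e789a0a529
azure_app_id_uri=80a26c65-57d9-4f3d-93a4-f49b4d7d2d41

[profile pred]
azure_tenant_id=C8036283-1408-4DC8-B870-31E789A0A528
azure_app_id_uri=00000000-0000-0000-0000-000000000000

[profile static]
region=eu-central-1
"""

def audit_profiles(config_text):
    """Return {profile name: status} for every section of an AWS config file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        # Named profiles are stored as "[profile <name>]"; the default is "[default]".
        name = section[8:].strip() if section.startswith("profile ") else section
        tenant = parser.get(section, "azure_tenant_id", fallback="").strip().lower()
        app_id = parser.get(section, "azure_app_id_uri", fallback="").strip().lower()
        if not tenant and not app_id:
            report[name] = "skipped: not an aws-azure-login profile"
        elif tenant != EXPECTED_TENANT:
            report[name] = "tenant mismatch"
        elif app_id not in BU_APP_IDS:
            report[name] = "unknown application id"
        else:
            report[name] = "ok: " + BU_APP_IDS[app_id]
    return report

if __name__ == "__main__":
    for profile, status in audit_profiles(SAMPLE_CONFIG).items():
        print(f"{profile}: {status}")
```

To check a real workstation, pass the contents of ~/.aws/config to audit_profiles and extend BU_APP_IDS with the remaining rows of the table.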
