[Parameter Store / Vets-API] Lighthouse Health FHIR API RSA key installation and configuration

[kreek]

Description

Installation of an RSA key that will be used when accessing the sandbox environment of Lighthouse's Health FHIR API from vets-api.

Background/context

The VA Mobile App, via the mobile API, has been approved by Lighthouse to access their Veterans Health API (FHIR) to retrieve immunizations records.

The next step is to generate an RSA key pair that will be used to authenticate with their sandbox authorization server. The private key should be installed and configured in a similar manner as the key for the HealthQuest app (vets-api-server-vagov-sandbox.yml etc).

The public key should be encoded as a JWK and sent to Beau Grantham beau.grantham@va.gov and the LH team and they'll provision us a new client for the API.

This slack thread has additional details and the mobile team was advised that they should generate the key pair and deliver it to Ops. The mobile team will also handle the JWK encoding and deliver that to Lighthouse.

Here's an example PR where this was done before

---

Tasks

• [ ] Create an IAM group for the VA Mobile team (@kreek, @jperk51)
• [ ] Create a IAM policy to allow this newly created group permission to write to a path in parameter store
• [ ] Render any assistance needed to ensure that this team can put their key in that path
• [ ] Operations to modify vets-api deployment to include the key and variables that are in new settings.yaml (similar to what was done in this pr)

Acceptance Criteria

• [ ] The key is installed and API requests to the Lighthouse Health FHIR API are successful (returning 200s)

[jhouse-solvd]

@kreek - We're acknowledging receipt of this and will get someone from the team to work on it during this sprint. We'll reach out with any questions. We'd like to give your team the ability to write to a path in parameter store so that you can manage these keys moving forward.

[kreek]

PWK has been sent over to Beau Grantham.

[kreek]

We'd like to give your team the ability to write to a path in parameter store so that you can manage these keys moving forward

@jhouse-solvd Do we have this access already? And if yes, is there documentation on how to do so?

[jhouse-solvd]

@kreek - Not yet, but we are picking this up this sprint and someone from our team will reach out soon to provide more information. Thanks for the patience and we'll be in touch soon.

[jhouse-solvd]

@kreek - Alastair, does your team currently have AWS access? We just want to ensure that we're providing the correct guidance, or helping to manage this for you if not.

[kreek]

@jhouse-solvd yes both myself and @jperk51 have AWS access.

[travis-newby]

Hi, @jhouse-solvd. For context, we're trying to launch a feature — requested by Charles — around immunizations by the end of our sprint (10/26). In order to do that, we'll need access this week. If that's not possible or you need me to talk to someone to help with priorities / top cover, please let me know.

[patrickvinograd]

I appear to have sufficient access to add this to ParameterStore, and can create the devops PR to link it into vets-api config. I hate to kick the can down the road but perhaps we get this parameter in place now to make that launch possible, and then try to solve the IAM self-sufficiency issue?

[travis-newby]

I don't want to kick it too far down the road. We should have prod creds to add soon.

[mydesignrocks]

Hello @travis-newby and @patrickvinograd - are you looking to get this updated referring to the right paramstore key (as soon as the paramstore gets updated with the right key) https://github.com/department-of-veterans-affairs/devops/blob/master/ansible/deployment/config/vets-api-server-vagov-sandbox.yml#L198

[travis-newby]

@mydesignrocks I'm looking to make sure @kreek and @jperk51 have permission to manage these keys, or that we understand the process for requesting management by someone else. Preferably the former.

[mydesignrocks]

Hi @travis-newby no rush but wondering if there is an update if y'all have the right permissions to manage the keys.

[travis-newby]

@kreek and @jperk51 can ya'll check to see if you have access?

[jperk51]

Yup, looks like I do

[kreek]

I'm getting an IAM error when accessing the parameter store User: arn:aws-us-gov:iam::008577686731:user/Alastair.Dawson is not authorized to perform: ssm:DescribeParameters on resource: arn:aws-us-gov:ssm:us-gov-west-1:008577686731:* because no identity-based policy allows the ssm:DescribeParameters action

[mydesignrocks]

@kreek - let me check your user and access permissions.

[kreek]

👋 @mydesignrocks any update on my access? Just checked and I'm still getting the same error.

[lexicalninja]

@mydesignrocks @jhouse-solvd @travis-newby Can someone please take a look at what is going on with Alastair's permissions? Everyone else seems to have been able to add creds and this is slowing down our ability to deliver.

Please let me know if you need anything else from us or if you need Alastair online to troubleshoot.

Thanks!

[mydesignrocks]

my apologies, @kreek - somehow missed through the cracks

[mydesignrocks]

@kreek now has the right access. Please confirm if this can be closed. thanks

[jhouse-solvd]

@kreek or @mydesignrocks -Please check off tasks and AC on this ticket as time allows, please. Then I'll review and close this one out. :) Thank you!

[oseasmoran73]

Closing ticket as it seems requirements were met and ticket is inactive. Please feel free to reopen if needed!

CC @jhouse-solvd