# Notebook Server Setup

In order to configure the notebook server, first the latest version of the AWS CLI v2 needs to be installed.

First check whether v2 is already installed. Don't worry if it is not; the notebook will install it.

## Validate the AWS CLI v2 is installed.

You should see the following result, or something similar, when the next cell is executed:
```
aws-cli/2.x.x Python/3.x.x Linux/4.14.287-148.504.amzn1.x86_64 exe/x86_64.amzn.2018 prompt/off
```
Validate that the return value starts with `aws-cli/2.x.x`.

In [19]:
!aws --version

aws-cli/1.24.10 Python/3.6.13 Linux/4.14.287-148.504.amzn1.x86_64 botocore/1.26.10


In [None]:
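# Capture the installed CLI version string
result = !aws --version
print(result[0])

# Install (or update to) AWS CLI v2 only when v2 is not already present
if "aws-cli/2" not in result[0]:
    !curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    !unzip -qq awscliv2.zip
    !sudo ./aws/install --update
    # Clean up the installer files
    !rm -rf aws
    !rm awscliv2.zip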

# Test SSO Login

The instance has all the permissions required, now run the login command for the `Jupyter-IR-ViewOnly` role and the loggin account.

In [16]:
import jupyter_aws_sso

import importlib
importlib.reload(jupyter_aws_sso)


jupyter_aws_sso.login("Jupyter-IR-ViewOnly")

[profile Jupyter-IR-ViewOnly-251344881676]
sso_start_url = https://d-9067615d56.awsapps.com/start
sso_region =us-east-1
sso_account_id = 251344881676
sso_role_name = Jupyter-IR-ViewOnly
region = us-east-1


If the windows doesn't automatically open, click on this https://device.sso.us-east-1.amazonaws.com/?user_code=LTFN-SFJW to activate the session



In [17]:
import boto3

#session = boto3.Session(profile_name='ManagedPermissionSet-383086473915')
# Use the default profile and confirm which identity the SDK resolves to
boto3.setup_default_session()
sts = boto3.client('sts')
sts.get_caller_identity()

{'UserId': 'AROATVBKSRAGLFBLNEXHW:sso_user',
 'Account': '251344881676',
 'Arn': 'arn:aws:sts::251344881676:assumed-role/AWSReservedSSO_Jupyter-IR-ViewOnly_457e6b5f2b32563a/sso_user',
 'ResponseMetadata': {'RequestId': 'cbe76b68-9d48-4d97-a458-bdc0bd18ef80',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': 'cbe76b68-9d48-4d97-a458-bdc0bd18ef80',
   'content-type': 'text/xml',
   'content-length': '474',
   'date': 'Thu, 27 Oct 2022 01:11:18 GMT'},
  'RetryAttempts': 0}}

In [18]:
! aws sts get-caller-identity


{
    "UserId": "AROATVBKSRAGLFBLNEXHW:sso_user",
    "Account": "251344881676",
    "Arn": "arn:aws:sts::251344881676:assumed-role/AWSReservedSSO_Jupyter-IR-ViewOnly_457e6b5f2b32563a/sso_user"
}


## Validate permissions to IAM Identity Center

The default profile needs access to IAM Identity Center to create the profiles on the notebook server for the AWS CLI and SDK. The profiles let each notebook select which profile to use, so the notebooks can be used across accounts.

In the event that a profile is not configured on the notebook server, the notebook server will use the default profile to query IAM Identity Center for all the accounts and permission sets, and construct the profiles. This eliminates the need to call `aws configure sso` for every permutation of account and permission set.

If you get the error **ERROR: No Accounts Associated to Jupyter-IR-ViewOnly permission set**, that means there are no AWS accounts associated with the **Jupyter-IR-ViewOnly** permission set. Go into IAM Identity Center and associate the AWS account with the **Jupyter-IR-ViewOnly** permission set and a user or group.

In [None]:
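import boto3

# Assumption: `session` and `sso_instance_arn` are defined here in case no earlier cell did so.
session = boto3.Session()  # default profile
sso_admin_client = session.client('sso-admin')
# Assumes the first IAM Identity Center instance visible to this profile is the one to use.
sso_instance_arn = sso_admin_client.list_instances()["Instances"][0]["InstanceArn"]
# Only the first page of permission sets is read; use a paginator if there are many.
permission_sets = sso_admin_client.list_permission_sets(InstanceArn=sso_instance_arn)

test_account = ""

for permission_set in permission_sets["PermissionSets"]:
    permission_set_detail = sso_admin_client.describe_permission_set(
            InstanceArn=sso_instance_arn,
            PermissionSetArn=permission_set
        )
    accounts = sso_admin_client.list_accounts_for_provisioned_permission_set(
            InstanceArn=sso_instance_arn,
            PermissionSetArn=permission_set
        )
    if permission_set_detail["PermissionSet"]["Name"] == "Jupyter-IR-ViewOnly":
        if len(accounts["AccountIds"]) == 0:
            print(f'ERROR: No Accounts Associated to {permission_set_detail["PermissionSet"]["Name"]} permission set')
        else:
            # Index only when at least one account is provisioned (avoids an IndexError)
            test_account = accounts["AccountIds"][0]
    print(f'Permission Set: {permission_set_detail["PermissionSet"]["Name"]} - Accounts: {accounts["AccountIds"]}')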
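
One way the profile construction described above could be done, as an added example that is not the notebook's or `jupyter_aws_sso`'s own code: it turns a permission-set-to-accounts mapping into `[profile <permission set>-<account>]` sections in the format shown in the login output, without overwriting profiles that already exist. The function name `build_sso_profiles`, the start URL and the account IDs are assumptions constructed for illustration.

```python
import configparser
import io
import re


def build_sso_profiles(assignments, start_url, sso_region, existing_config=""):
    """Return AWS config text with one SSO profile per (permission set, account).

    assignments: {permission_set_name: [account_id, ...]}, the same pairing
    printed by the permission-set listing cell. Existing profiles are kept as-is.
    """
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(existing_config)
    for role_name, account_ids in sorted(assignments.items()):
        for account_id in account_ids:
            # Reject anything that is not a 12-digit AWS account ID before it
            # ends up inside a section header.
            if not re.fullmatch(r"[0-9]{12}", account_id):
                raise ValueError(f"not a 12-digit account id: {account_id!r}")
            section = f"profile {role_name}-{account_id}"
            if config.has_section(section):
                continue  # never overwrite a profile configured by hand
            config[section] = {
                "sso_start_url": start_url,
                "sso_region": sso_region,
                "sso_account_id": account_id,
                "sso_role_name": role_name,
                "region": sso_region,
            }
    out = io.StringIO()
    config.write(out)
    return out.getvalue()


# Constructed sample values, not taken from the notebook output.
SAMPLE_START_URL = "https://example.awsapps.com/start"
SAMPLE_ASSIGNMENTS = {"Jupyter-IR-ViewOnly": ["111122223333", "444455556666"]}
SAMPLE_EXISTING = "[profile Jupyter-IR-ViewOnly-111122223333]\nregion = eu-west-1\n"

if __name__ == "__main__":
    print(build_sso_profiles(SAMPLE_ASSIGNMENTS, SAMPLE_START_URL,
                             "us-east-1", SAMPLE_EXISTING))
```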
    

In [None]:
!aws sso logout

In [None]:
boto3.setup_default_session()
sts = boto3.client('sts')
try:
    # After logout this call should no longer resolve valid credentials
    sts.get_caller_identity()
    print("The logout FAILED")
except Exception:
    print("The logout was successful")