Simply cannot find a way to pass --identity-provider-configuration Metadata in a way the CLI will allow... It wants it as a string, however once that's satisfied it will not see it as valid JSON. Been banging my head on this for ages trying to find a combination of quotes and escaped quotes that'll work, and no joy in both PowerShell and Bash... is it really possible?
aws healthlake create-fhir-datastore
--region us-east-1
--datastore-name "MyHealthLakeDataStore"
--datastore-type-version R4
--preload-data-config PreloadDataType="SYNTHEA"
--sse-configuration "{
\"KmsEncryptionConfig\": {
\"CmkType\": \"CUSTOMER_MANAGED_KMS_KEY\",
\"KmsKeyId\": \"arn:aws:kms:us-east-1:082955544667:key/3d8ad844-1f5d-4536-94e1-233bfc480ec8\"
}
}"
--identity-provider-configuration "{
\"AuthorizationStrategy\": \"SMART_ON_FHIR_V1\",
\"FineGrainedAuthorizationEnabled\": true,
\"IdpLambdaArn\": \"arn:aws:lambda:us-east-1:082955544667:function:HealthLakeJWTdecode\",
\"Metadata\": {
\"issuer\":\"https://ehr.wellmindhealth.com\",
\"jwks_uri\":\"https://ehr.wellmindhealth.com/.well-known/jwks.json\",
\"authorization_endpoint\":\"https://ehr.wellmindhealth.com/auth/authorize\",
\"token_endpoint\":\"https://ehr.wellmindhealth.com/auth/token\",
\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"foo\"],
\"grant_types_supported\":[\"client_credential\",\"foo\"],
\"registration_endpoint\":\"https://ehr.wellmindhealth.com/auth/register\",
\"scopes_supported\":[\"openId\",\"profile\",\"launch\"],
\"response_types_supported\":[\"code\"],
\"management_endpoint\":\"https://ehr.wellmindhealth.com/user/manage\",
\"introspection_endpoint\":\"https://ehr.wellmindhealth.com/user/introspect\",
\"revocation_endpoint\":\"https://ehr.wellmindhealth.com/user/revoke\",
\"code_challenge_methods_supported\":[\"S256\"],
\"capabilities\":[\"launch-ehr\",\"sso-openid-connect\",\"client-public\"]
}
}"
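
One way to avoid hand-escaping quotes in the shell, as an added example that is not part of the original post. It assumes, as the post reports, that the CLI expects Metadata as a string: the metadata object is serialized to JSON text first and embedded as a string value, and the result is written to a file for the AWS CLI's `file://` prefix. The endpoint URLs, the Lambda ARN and the file name `idp-config.json` are constructed placeholders.

```python
import json

# Constructed sample values (assumptions); substitute the real IdP settings.
LAMBDA_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ExampleJwtDecode"
METADATA = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "authorization_endpoint": "https://idp.example.com/auth/authorize",
    "token_endpoint": "https://idp.example.com/auth/token",
    "grant_types_supported": ["client_credentials"],
    "scopes_supported": ["openid", "profile", "launch"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "capabilities": ["launch-ehr", "sso-openid-connect", "client-public"],
}


def build_idp_config(lambda_arn, metadata):
    """Return the --identity-provider-configuration value as JSON text.

    Metadata is serialized on its own first, so in the outer document it is
    a JSON string whose content is JSON, with every inner quote escaped by
    the encoder instead of by hand.
    """
    outer = {
        "AuthorizationStrategy": "SMART_ON_FHIR_V1",
        "FineGrainedAuthorizationEnabled": True,
        "IdpLambdaArn": lambda_arn,
        "Metadata": json.dumps(metadata, separators=(",", ":")),
    }
    return json.dumps(outer, indent=2)


def write_idp_config(path, lambda_arn, metadata):
    """Write the configuration to `path` and return the CLI argument value."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_idp_config(lambda_arn, metadata))
    # The AWS CLI reads the parameter value from the file when given file://
    return "file://" + path


if __name__ == "__main__":
    arg = write_idp_config("idp-config.json", LAMBDA_ARN, METADATA)
    print("aws healthlake create-fhir-datastore ... "
          "--identity-provider-configuration " + arg)
```

Because the value is read from a file, the same argument works unchanged in Bash and PowerShell.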