Insufficient permissions when running inside docker container #71

Open
jsalatiel opened this issue Jun 11, 2022 · 9 comments
Comments

@jsalatiel

I am trying to run this inside a docker container, but it always fails before asking for the OTP. The same command line works just fine outside the container.
I tried adding all capabilities and also run as privileged and it still does not work.
Any ideas?

How to reproduce:

docker run --rm -it almalinux:8 /bin/bash
yum install python3-pip -y
pip3 install onelogin-aws-assume-role
onelogin-aws-assume-role -i REDACTED -s REDACTED -d REDACTED -a REDACTED --aws-account-id REDACTED  --aws-region us-east-1 -u user@domain.redacted --onelogin-password 'REDACTED'

Error message:

OneLogin AWS Assume Role Tool

Traceback (most recent call last):
  File "/usr/local/bin/onelogin-aws-assume-role", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/aws_assume_role/aws_assume_role.py", line 661, in main
    result = get_saml_response(client, username_or_email, password, app_id, onelogin_subdomain, ip, mfa_verify_info, cmd_otp)
  File "/usr/local/lib/python3.6/site-packages/aws_assume_role/aws_assume_role.py", line 256, in get_saml_response
    raise Exception(error_msg)
Exception: 

Error 401. Insufficient Permission

Running the same command outside the container will show:

OneLogin AWS Assume Role Tool


MFA Required
Authenticate using one of these devices:
-----------------------------------------------------------------------
 0 | Google Authenticator
-----------------------------------------------------------------------
Enter the OTP Token for Google Authenticator:

@jsalatiel
Author

Still affects 1.10.1

@jsalatiel
Author

@pitbulk Would you have any idea what could be causing this?

@gkhaburzaniya-onelogin
Contributor

gkhaburzaniya-onelogin commented Jan 9, 2023

We can't reproduce

Just tried

docker run --rm -it almalinux:8 /bin/bash
yum install python3-pip -y
pip3 install onelogin-aws-assume-role
onelogin-aws-assume-role -i REDACTED -s REDACTED -d REDACTED -a REDACTED --aws-account-id REDACTED  --aws-region us-east-1 -u user@domain.redacted --onelogin-password 'REDACTED'

Worked for us.

@jsalatiel
Author

Is there any way that I can increase the debug level for this? It makes no sense to me that it works outside a container but not inside.

@jsalatiel
Author

For those having the same problem: the only way that I was able to finally make it work inside a container was pinning to
onelogin-aws-assume-role==1.9.0
onelogin==2.0.3

@jsalatiel jsalatiel reopened this Jan 10, 2023
@jsalatiel
Author

jsalatiel commented Jan 10, 2023

Actually I think I should reopen this because it is clearly a bug in newer versions.
@gkhaburzaniya-onelogin I have absolutely no idea why it is working for you. I asked several co-workers to test it and they all face the same problem on the same container you said it works in.

Failing on new versions:
image

Working pinned to onelogin-aws-assume-role==1.9.0 and onelogin==2.0.3
image

@eriktalvi

There are several parts to this implementation. You need to have the connector in the OneLogin Portal correctly configured. We do not have enough information with just your GitHub username to look at your logs or your configuration. But we have used the code you provided and a correctly configured AWS connector to validate that your code can work as provided. This means that there is a misconfiguration on your end @jsalatiel.

If you would like OneLogin to do some deeper debugging about how your account is actually configured please reach out via an official support channel and ask them to forward it on to me.

Your provided code was validated using:
onelogin==2.0.4 onelogin-aws-assume-role==1.10.1

@jsalatiel
Author

Thanks. I'll do that.

@eriktalvi

Got it!
