onelogin / onelogin-python-aws-assume-role

MIT License

Insufficient permissions when running inside docker container #71

Open jsalatiel opened 2 years ago

jsalatiel commented 2 years ago

I am trying to run this inside a docker container, but it always fails before asking for the OTP. The same command line works just fine outside the container. I tried adding all capabilities and also ran it as privileged, and it still does not work. Any ideas?

How to reproduce:

```shell
docker run --rm -it almalinux:8 /bin/bash
yum install python3-pip -y
pip3 install onelogin-aws-assume-role
onelogin-aws-assume-role -i REDACTED -s REDACTED -d REDACTED -a REDACTED --aws-account-id REDACTED  --aws-region us-east-1 -u user@domain.redacted --onelogin-password 'REDACTED'
```

Error message:

```
OneLogin AWS Assume Role Tool

Traceback (most recent call last):
  File "/usr/local/bin/onelogin-aws-assume-role", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/aws_assume_role/aws_assume_role.py", line 661, in main
    result = get_saml_response(client, username_or_email, password, app_id, onelogin_subdomain, ip, mfa_verify_info, cmd_otp)
  File "/usr/local/lib/python3.6/site-packages/aws_assume_role/aws_assume_role.py", line 256, in get_saml_response
    raise Exception(error_msg)
Exception: 

Error 401. Insufficient Permission
```

Running the same command outside the container will show:

```
OneLogin AWS Assume Role Tool

MFA Required
Authenticate using one of these devices:
-----------------------------------------------------------------------
 0 | Google Authenticator
-----------------------------------------------------------------------
Enter the OTP Token for Google Authenticator:
```

jsalatiel commented 1 year ago

Still affects 1.10.1

jsalatiel commented 1 year ago

@pitbulk Would you have any idea what could be causing this ?

gkhaburzaniya-onelogin commented 1 year ago

We can't reproduce it.

Just tried:

```shell
docker run --rm -it almalinux:8 /bin/bash
yum install python3-pip -y
pip3 install onelogin-aws-assume-role
onelogin-aws-assume-role -i REDACTED -s REDACTED -d REDACTED -a REDACTED --aws-account-id REDACTED  --aws-region us-east-1 -u user@domain.redacted --onelogin-password 'REDACTED'
```

Worked for us.

jsalatiel commented 1 year ago

Is there any way that I can increase the debug level for this? It makes no sense to me that it works outside a container but not inside.

jsalatiel commented 1 year ago

For those having the same problem: the only way that I was able to finally make it work inside a container was pinning to onelogin-aws-assume-role==1.9.0 onelogin==2.0.3.

jsalatiel commented 1 year ago

Actually I think I should reopen this because it is clearly a bug in newer versions. @gkhaburzaniya-onelogin I have absolutely no idea why it is working for you. I asked several co-workers to test it and they all face the same problem on the same container you said it works in.

Failing on new versions: [image]

Working pinned to onelogin-aws-assume-role==1.9.0 and onelogin==2.0.3: [image]

eriktalvi commented 1 year ago

There are several parts to this implementation. You need to have the connector in the OneLogin Portal correctly configured. We do not have enough information with just your GitHub username to look at your logs or your configuration. But we have used the code you provided and a correctly configured AWS connector to validate that your code can work as provided. This means that there is a misconfiguration on your end @jsalatiel.

If you would like OneLogin to do some deeper debugging about how your account is actually configured please reach out via an official support channel and ask them to forward it on to me.

Your provided code was validated using: onelogin==2.0.4 onelogin-aws-assume-role==1.10.1

jsalatiel commented 1 year ago

Thanks. I'll do that.

eriktalvi commented 1 year ago

Got it!