Using the OCI CLI with a federated user from a Docker container (or over ssh)

The OCI team just announced the ability for federated users to use the CLI.

The TL;DR description of the feature is that users don't have to create a key pair and upload it into OCI. Instead you can just run "oci session authenticate" and the CLI will open your browser and push you through a (much) simpler process that basically amounts to just logging in and clicking yes.

If you use the CLI directly on your laptop this works swimmingly. But what if you want to run the CLI from inside a Docker container or on a remote server over ssh?

Read on for a trick you can use to do that!

The first thing we need is a Docker container to contain the CLI. Luckily Jason Poon already made one for us and published it to GitHub and Docker Hub. And it's already been updated to the version of the CLI that adds support for federated users.

You can get your own copy by pull it from Docker Hub by running "docker pull jpoon/oci-cli".

If you prefer to build your own image just do a "git clone git@github.com:jpoon/oci-cli-docker.git" followed by "docker build -t oci-cli .".

Either way you can then run it using the commands Jason gave - usually "docker run --rm -it -v ${HOME}/.oci:/root/.oci --entrypoint bash jpoon/oci-cli" (or ... "--entrypoint bash oci-cli" if you built your own).

For those who aren't Docker experts what that command does is it spins up a copy of the image in a container locally on your laptop, connects ~/.oci to /root/.oci in the container, and then gives you an interactive bash prompt in your terminal.

Give that a try and then run "oci -v" in there and you should see something like this:

If you try to run "oci session authenticate" at this point you'll get a message telling you to open a browser and go to a specific URL. But don't do that yet - you'll get an error that your browser couldn't reach port http://localhost:8181.

Federated user support in the OCI CLI works by spinning up a teeny tiny web server that listens on port 8181. When you run "oci session authenticate" the CLI kicks off an OAuth Implicit Grant flow (you can actually see as "response_type=token" in the URL). And when you're done authenticating to OCI the OAuth server redirects your browser back to that little web server which consumes the Access Token.

If you want to do that from a CLI running inside a Docker container you'll need to do forward port 8181 on your computer to the container. Do that by adding "-p 8181:8181" to your Docker run command.

Like so:

docker run --rm -it -v ${HOME}/.oci:/root/.oci -p 8181:8181 --entrypoint bash oci-cli

Then inside the container run "oci session authenticate" and, after copy/pasting the URL into your browser and logging in, you'll be told you're all set.

At that point the CLI works as normal.

You can do the same thing with ssh by adding "-L 8181:localhost:8181" to your arguments. So for example:

$ ssh -L 8181:localhost:8181 opc@myhost.oracleateam.com