perlchild/accessbot

Manage access to strongDM resources via Slack

AccessBot

AccessBot is a chatbot that manages access to strongDM (SDM) resources, initially via Slack

Important: This repo hosts two versions of AccessBot with the same set of funcionalities and corresponding documentation:

• v1.0.x (branch). Uses the old Slack API (RTM) - requires a Slack Classic App
• v1.1.x (main). Uses the new Slack API (Bolt)

We've observed some problems with v1.1.x, please use v1.0.x until further notice

Table of Contents

• Installation
• Getting Started
• Contributing
• Support

Installation

In order to install AccessBot, you need to provide the following required variables:

• SLACK_APP_TOKEN. Slack App-Level Token
• SLACK_BOT_TOKEN. Slack Bot User OAuth Token
• SDM_ADMINS. List of Slack admins, although it's not required, this users are usually SDM admins too
• SDM_API_ACCESS_KEY. SDM API Access Key
• SDM_API_SECRET_KEY. SDM API Access Key Secret

For a full list of configuration variables please read: Configure AccessBot

Detailed instructions about how to configure Slack and SDM for AccessBot can be found here:

• Configure Slack
• Configure SDM

For starting the bot enter all required variables in docker-compose.yaml and execute:

./docker-start.sh

The bot would start running in the background. In order to check logs.

docker logs accessbot_accessbot_1

If you want to install and execute the bot locally, please refer to: Configure Local Environment

Getting Started

Once AccessBot is up and running, you can add it as an app or to a channel and start using it!

First, check the bot and Slack interconnectivity state:

You would expect to see no error in your logs and the messages Yes I am alive and plugin available.

If that's the case, enter any of the following commands:

• help. Show available commands
• show available resources. Show available resources - all or the ones assigned to a role
• access to resource-name. Grant temporary access to a resource
• show available roles. Show all roles
• access to resource-name. Grant temporary access to all resources assigned to a role

For example:

Optional access configuration

1. Set SDM_AUTO_APPROVE_ALL=true to disable approval entirely.
2. Use the strongDM CLI or SDK to add the following tags to individual resources:
   • SDM_AUTO_APPROVE_TAG=auto-approve -- automatic approval for this resource
   • SDM_HIDE_RESOURCE_TAG=hide-resource -- resource is not displayed via show command; any access request auto-fails

For more information, please refer to the detailed guide for access configuration.

Troubleshooting

A list of typical issues and resolutions can be found here.

Contributing

In case you want to contribute to the project, please check our guidelines.

Support

In case you need support, please check our Frequently Asked Questions and support documents.