Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

Latest commit

 

History

History
172 lines (117 loc) · 9.4 KB

README.md

File metadata and controls

172 lines (117 loc) · 9.4 KB

AccessBot

GitHub release (latest by date)


Important Notice: AccessBot End-of-Life and Alternatives

Thank you for your interest in AccessBot. While we appreciate the positive feedback it has received, we have decided to discontinue development and support for AccessBot in favor of focusing on our core product offerings.

AccessBot has been superseded by "Integration for Slack," included within the StrongDM Enterprise Bundle and paired with the "Access Workflows" feature. This integration provides similar functionality to AccessBot, allowing users to easily manage access requests and approvals directly within Slack.

Here's what this means for you:

  • Latest release of AccessBot v2.0.79 will continue to function as long as the Slack API has no changes, but no further development or bug fixes will be implemented.
  • No further Support will be provided for accessbot issues. Troubleshooting page linked below can be of help.
  • We recommend transitioning to the "Integration for Slack" as your primary tool for managing access requests.
  • If you have any questions or concerns about this transition, please don't hesitate to contact us.

We're excited about the possibilities that "Integration for Slack" and "Access Workflows" offer, and we believe they represent a significant improvement over AccessBot. We hope you'll explore these features and see how they can benefit your organization.

Additional Resources:

Thank you for your understanding.

Sincerely,
The StrongDM Team


Legacy information

The Slack Classic implementation has been deprecated. In case you're still using it, please migrate ASAP to the Slack Bolt implementation.*

AccessBot is a chatbot that manages access to strongDM (SDM) resources through temporary grants. Some main features are: you can have a manual approval flow and an automated one for specific resources (or all of them if you want); you can configure specific approvers for specific resources; you can configure what resources can be requested, or hide specific ones; the users can specify the duration of the temporary grants and even the reason behind it. The resources can also be accessed by role grants, which means that the user can request access to a role, and they will have temporary access to all resources from that role.

AccessBot can be installed on Slack or MS Teams.

A curated version of the documentation can be found here.

You can also watch our demo video of AccessBot on YouTube.

Table of Contents

Configuration

In order to deploy AccessBot, first you need to define the following required environment variables:

  • SDM_BOT_PLATFORM. The platform that the bot will be installed on, i.e. "ms-teams", "slack" or blank (which will be interpreted as Slack by default)
  • SDM_ADMINS. List of admin users who will manage the bot and approve grant requests (by default).
    • For Slack platform: use the username (not Display Name) of each admin, e.g. @user1 @user2 (See this section for more.)
    • For MS Teams platform: use the email addresses of all the admins
  • SDM_API_ACCESS_KEY. SDM API Access Key
  • SDM_API_SECRET_KEY. SDM API Access Key Secret

Slack Installation

For Slack platform, you need to provide the following required variables:

  • SLACK_APP_TOKEN. Slack App-Level Token
  • SLACK_BOT_TOKEN. Slack Bot User OAuth Token

MS Teams Installation

For MS Teams platform, you need to provide the following required variables:

  • AZURE_APP_ID. Azure Bot application ID
  • AZURE_APP_PASSWORD. Azure Bot application password
  • AZURE_AD_TENANT_ID_. Azure Active Directory Tenant ID

For a full list of configuration variables please read: Configure AccessBot

Detailed instructions about how to configure SDM and a platform (Slack, Slack Classic or MS Teams) for AccessBot can be found here:

Deploy

AccessBot is available as a Docker image. For deploying it we recommend you to use a container orchestrator, e.g. Kubernetes. Here's a k8s deployment descriptor that you can use as a reference. You can also use Helm to deploy AccessBot, learn more.

Most customers deploy AccessBot as a k8s deployment of one replica using the bot's healthcheck endpoint, so the Orchestrator ensures that there's always an instance of the bot available. At the moment, the bot doesn't support load balancing nor slack webhooks.

Refer to this docs to learn more about the AccessBot deployment infrastructure.

Using disposable containers

If you're using technologies that dispose containers, e.g. Fargate, and manual approvals, you should enable state handling via SDM_ENABLE_BOT_STATE_HANDLING to persist manual grant requests. Please refer to the documentation for more details of this variable.

To make the persistency work in this scenario, you need to mount a folder pointing to the path /errbot/data/grant_requests inside the container. This folder will store the grant requests state, persisting the data while the containers are disposed and redeployed.

If you decide to deploy on Fargate and need some help, please refer to the Fargate deployment docs.

Run locally

Using Docker Compose

For starting the bot with docker compose. Enter all required variables in the docker-compose.yaml file and execute:

docker compose build --no-cache 
docker compose up -d

Then, the bot should start running in the background. If you want to check the logs you can run the following command:

$ docker logs accessbot_accessbot_1

Without Docker

If you want to install and execute the bot locally without Docker, please refer to: Configure Local Environment If you want to expose a Prometheus endpoint with AccessBot Metrics, please refer to Configure Monitoring

Getting Started

Once AccessBot is up and running, you can add it as an app or to a channel and start using it!

First, check the bot and Slack interconnectivity state:

image

You would expect to see no error in your logs and the messages Yes I am alive and plugin available.

If that's the case, enter any of the following commands:

  • help. Show available commands
  • show available resources [--filter expression]. Show available resources - all or a filtered subset. Filters are optional. Please refer to the following doc for getting the list of available filters.
  • access to resource-name [--reason text] [--duration duration]. Grant temporary access to a resource. Reason and Duration are optional.
  • show available roles. Show all available roles*
  • access to resource-name. Grant temporary access to all resources assigned to a role

NOTE: All AccessBot commands are case-insensitive.

For example:

image

Optional access configuration

Here are some of the most used variables:

  1. Set SDM_AUTO_APPROVE_ALL=true to disable approval entirely.
  2. Use the strongDM CLI or SDK to add the following tags to individual resources:
    • SDM_AUTO_APPROVE_TAG=auto-approve -- automatic approval for this resource
    • SDM_ALLOW_RESOURCE_TAG=allow-resource -- resource is displayed via show command; any access request auto-fails if the resource does not have the tag
    • SDM_HIDE_RESOURCE_TAG=hide-resource -- resource is not displayed via show command; any access request auto-fails
  3. Use the strongDM CLI or SDK to add the following tags to individual roles:
    • SDM_AUTO_APPROVE_ROLE_TAG=auto-approve -- automatic approval for this role
    • SDM_ALLOW_ROLE_TAG=allow-role -- role is displayed via show command; any access request auto-fails if the role does not have the tag

For more information and a full list of variables, please refer to the detailed guide for access configuration.

Troubleshooting

A list of typical issues and resolutions can be found here.

Contributing

In case you want to contribute to the project, please check our guidelines.

Support

In case you need support, please check our Frequently Asked Questions and support documents.