This driver was created for the Mozilla IAM Project to satisfy an OKR around Slack user session expiration.
- Spin up on cron/event trigger.
- Scan the DynamoDB table of all profiles.
- Build a group data structure from all profiles.
- Query the Slack API for all user profiles.
`apps.yml` access control file.
- Disable any user without access to Slack through a Slack API call.
- Enable any previously disabled user who is still present in the Slack database.
NOTE: If you have Slack owners (not admins), these cannot be deactivated. It is recommended to create service accounts for Slack owners instead of using a normal, everyday user account. This is safer and cleaner, and it avoids this issue: owner accounts that are service accounts never need to be deactivated.
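The reconciliation described in the steps and NOTE above, as an added Python example that is not the driver's own code. The field names, the flat list of authorized groups, and the guard against an empty profile scan are assumptions made for illustration.

```python
# Added example. Field names ("email", "groups", "active", "is_owner") and the
# flat list of authorized groups are assumptions, not the driver's real schema.

def build_groups(profiles):
    """Group name -> set of lower-cased member emails, from all profiles."""
    groups = {}
    for profile in profiles:
        for group in profile.get("groups", []):
            groups.setdefault(group, set()).add(profile["email"].lower())
    return groups

def plan_changes(profiles, authorized_groups, slack_users):
    """Decide which Slack user ids to deactivate, reactivate, or skip."""
    groups = build_groups(profiles)
    allowed = set().union(*(groups.get(g, set()) for g in authorized_groups))
    if not allowed:
        # An empty or failed profile scan must not disable the whole workspace.
        raise ValueError("no authorized users resolved; refusing to plan")
    plan = {"deactivate": [], "reactivate": [], "skipped_owners": []}
    for user in slack_users:
        has_access = user["email"].lower() in allowed
        if has_access and not user["active"]:
            plan["reactivate"].append(user["id"])
        elif not has_access and user["active"]:
            # Owners cannot be deactivated; report them instead of failing.
            key = "skipped_owners" if user["is_owner"] else "deactivate"
            plan[key].append(user["id"])
    return plan

# Constructed sample data (not real accounts).
PROFILES = [
    {"email": "Ada@example.com", "groups": ["slack-users"]},
    {"email": "bob@example.com", "groups": ["slack-users"]},
    {"email": "eve@example.com", "groups": ["contractors"]},
]
AUTHORIZED_GROUPS = ["slack-users"]
SLACK_USERS = [
    {"id": "U1", "email": "ada@example.com", "active": True, "is_owner": False},
    {"id": "U2", "email": "bob@example.com", "active": False, "is_owner": False},
    {"id": "U3", "email": "eve@example.com", "active": True, "is_owner": False},
    {"id": "U4", "email": "gone@example.com", "active": True, "is_owner": False},
    {"id": "U5", "email": "owner@example.com", "active": True, "is_owner": True},
]

if __name__ == "__main__":
    print(plan_changes(PROFILES, AUTHORIZED_GROUPS, SLACK_USERS))
```

U4 has no profile at all and is planned for deactivation just like U3, whose profile lacks the authorized group.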
Insert credstash api key
You only need to do this once.
credstash -r us-west-2 put -a slack-driver.token @slack-driver-api-key.txt app=slack-driver
To obtain the token, see https://api.slack.com/scim - TLDR:
- Create an app at https://api.slack.com/apps/new
- Click "set permissions" and add scope
- Click "install app to workspace" and authorize at the prompt
- Copy the "oauth access token" and keep it safe. That is your token for this program.
Note that you may restrict which IP ranges can call the API with this token in Slack's app settings as well.
Deploy, test, etc
`make` for a list of targets, ex:
- `make python-venv` if you don't have your own virtual environment scripts
- `make tests` runs all tests
- `make deploy` deploys the code in the dev environment
- `make remove-deploy` deletes the dev deployment
- `make STAGE=prod deploy` deploys the code in the prod environment
- `make logs` just watch CloudWatch logs