Skip to content
A Slack deprovisioning driver for Mozilla IAM
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Slack Driver


This driver was created for the Mozilla IAM Project to satisfy an OKR around Slack user session expiration.


  1. Spin up on cron/event trigger.
  2. Scan the dynamodb table of all profiles.
  3. Build a group data structure from all profiles.
  4. Query the Slack API for all users profiles.
  5. Fetch apps.yml access control file.
  6. Disable any user without access to Slack through a Slack API call.
  7. Enable any previously-disabled user that is still present in Slack database.

NOTE: If you have Slack owners (not admins), these cannot be deactivated. It is recommended to create service-accounts for Slack owners, instead of using a normal / every-day user account. This is safer and cleaner, and you also will not run into this issue that way since the owner accounts being service-accounts, will not need to be deactivated.

Process Diagram



Insert credstash api key

You only need to do this once.

credstash -r us-west-2 put -a slack-driver.token @slack-driver-api-key.txt app=slack-driver

To obtain the token, see - TLDR:

  1. Create an app at
  2. Click "set permissions" and add scope admin
  3. Click "install app to workspace" and authorize at the prompt
  4. Copy the "oauth access token" and keep it safe. That is your token for this program.

Note that you may restrict which IP ranges can call the API with this token in Slack's app settings as well.

Deploy, test, etc

  1. cd slack_driver
  2. make for a list of targets, ex:
  • make python-venv if you don't have your own virtual environment scripts

  • make tests runs all tests

  • make deploy deploys the code in the dev environment

  • make remove-deploy deletes the dev deployment

  • make STAGE=prod deploy deploys the code in the prod environment

  • make logs just watch cloudwatch logs

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.