This is an example Slack Workflow App that allows users to use Slack to request instantaneous, time-bound access, known as just-in-time access, to Tailscale resources from other people in their organization.
Note that it relies on the Tailscale custom device posture attributes API, which might not be available on all pricing plans.
- Confirm that the Slack Team to which you want to install the Tailscale Accessbot has a paid Slack plan which allows you to deploy apps to Slack infrastructure.
- Install Deno on your local machine following the Deno Installation instructions.
- Install the Slack CLI on your local machine following the Slack Quickstart Guide (or just `brew install slack-cli` on macOS).
- Authenticate with the Slack CLI by running `slack login` in your terminal:
  - The output will contain a command like `/slackauthticket NzY5YmViN2QtY2ZjZS12ZmRjLTlmYTktNjI0NjI5NWI1ODFk` which you should paste into the Slack chat box.
  - Approve the permissions that Slack will grant your CLI.
  - Paste the confirmation code back into the Slack CLI's Enter challenge code prompt.
- Add the Tailscale Accessbot code to a git repository of your own:
  - Run the following commands to create a new directory for the accessbot code and config:

    ```
    mkdir tailscale-accessbot
    cd tailscale-accessbot
    ```

  - Run the following commands to pull the Tailscale Accessbot code into your new directory:

    ```
    git init -b main
    git remote add upstream https://github.com/tailscale/accessbot.git
    git pull upstream main
    ```

  - (Optional, recommended) Create a private git repository on GitHub, GitLab, or your preferred git host, and push your code there:

    ```
    git remote add origin [email protected]:myorg/tailscale-accessbot
    git push -u origin main
    ```
- Deploy the app to Slack:
  - Run the following command to begin deploying your app to Slack, which will prompt you to select the Team to install to:

    ```
    slack deploy
    ```

    - If you receive an error containing `app_approval_request_denied`, then your Slack team is configured with Require App Approval turned on but Allow members to request approval for apps turned off. Speak to one of your Slack team owners about changing these settings to allow you to proceed. They can either turn on the Allow members to request approval for apps setting or add your user to the Select App Managers to manage apps > Workspace Owners and selected members or groups option. Retry `slack deploy` after this change.
    - If you are asked whether you would like to request approval to install the app, select Yes. Once Slack tells you that approval has been granted, you may re-run `slack deploy`.
  - Create the trigger when prompted.
  - Slack will give you a Shortcut URL such as `https://slack.com/shortcuts/Ft074AB2RW12/…` which won't work in your web browser, but which can be used within the Slack app. Paste the Shortcut URL from your terminal into a Slack chatroom and it will render a Start Workflow button.
  - Selecting the Start Workflow button will show an error at this point because the app is not yet connected to Tailscale.
  - The Slack CLI will have created a `.slack` directory containing `apps.json` and `config.json` files. These contain the app identifiers that allow the Slack CLI to update the app later. You should now `git commit` these files and, if backing up to a remote repository, `git push`.
- Connect the app to Tailscale:
  - Generate an OAuth client in Tailscale with the `devices:core:read` and `devices:posture_attributes` scopes.
  - Run the following command from your accessbot directory, using the OAuth Client ID in place of `<client-id>`, and selecting the appropriate team when prompted:

    ```
    slack env add TAILSCALE_CLIENT_ID <client-id>
    ```

  - Run the following command from your accessbot directory, using the OAuth Client secret in place of `<secret>`, and selecting the appropriate team when prompted:

    ```
    slack env add TAILSCALE_CLIENT_SECRET <secret>
    ```

  - Going back to Slack, selecting the Start Workflow button again should now present the Accessbot screen.
    - An alternative way to trigger the workflow is to start typing its name in the "slash command" pop-up menu that you should see after pressing the "/" key.
  - Any errors that occur during the operation of the Workflow will be sent to you in Slack, or can be inspected on demand using `slack activity`, or watched in real time using `slack activity --tail`.
  - Proceed to the next section to configure the available access profiles and update your app.
Configuration of Tailscale Access profiles is done by editing `config.ts`. All available configuration options can be seen in the schema under `config.ts`.

An example of a minimal configuration can begin as follows:

```ts
export const config: Config = {
  profiles: [
    {
      attribute: "custom:prodAccess",
      description: "Production",
      notifyChannel: "C06TH49GKHC",
      canSelfApprove: true,
      approverEmails: [
        "[email protected]",
        "[email protected]",
        "[email protected]",
      ],
    },
  ],
} as Config;
```

See the type `Profile` declaration at the bottom of `config.ts` for a description of the different fields available in this config.

After changing `config.ts`, you must run another `slack deploy` to see the config update in the app. It is recommended that you `git commit` and `git push` at this point too.
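Because a mistake in a profile only surfaces after `slack deploy`, it is worth checking the config before deploying. The following is an added example, not code from the accessbot project: a stand-alone validator for a profiles config shaped like the sample above. The `Profile` and `Config` types it declares are assumptions that mirror the fields shown in the sample (the project's own declarations live in `config.ts`), and the attribute, channel ID and email patterns are conservative assumptions for this example. The two sample configs are constructed for demonstration.

```typescript
// Added example (not part of the accessbot project): sanity-check a profiles
// config before deploying it. Profile and Config are assumed shapes that
// mirror the README sample; the real declarations are in config.ts.

type Profile = {
  attribute: string;        // Tailscale custom posture attribute, e.g. "custom:prodAccess"
  description: string;      // label shown to requesters in Slack
  notifyChannel: string;    // Slack channel ID that receives request notifications
  canSelfApprove: boolean;  // whether a requester may approve their own request
  approverEmails: string[]; // people allowed to approve requests for this profile
};

type Config = { profiles: Profile[] };

// Custom posture attributes are namespaced "custom:<name>"; the identifier
// pattern used here is a conservative assumption for this example.
const ATTRIBUTE_RE = /^custom:[A-Za-z][A-Za-z0-9_]*$/;
// Slack channel IDs are upper-case alphanumerics starting with C, G or D.
const CHANNEL_RE = /^[CGD][A-Z0-9]{8,}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns a list of problems; an empty list means every check passed.
function validateConfig(cfg: Config): string[] {
  const problems: string[] = [];
  const seen = new Set<string>();
  if (cfg.profiles.length === 0) problems.push("no profiles configured");
  cfg.profiles.forEach((p, i) => {
    const where = `profiles[${i}]`;
    if (!ATTRIBUTE_RE.test(p.attribute)) {
      problems.push(`${where}: attribute ${JSON.stringify(p.attribute)} must look like custom:name`);
    }
    if (seen.has(p.attribute)) problems.push(`${where}: duplicate attribute ${p.attribute}`);
    seen.add(p.attribute);
    if (p.description.trim() === "") problems.push(`${where}: description is empty`);
    if (!CHANNEL_RE.test(p.notifyChannel)) {
      problems.push(`${where}: notifyChannel ${JSON.stringify(p.notifyChannel)} is not a Slack channel ID`);
    }
    for (const e of p.approverEmails) {
      if (!EMAIL_RE.test(e)) problems.push(`${where}: invalid approver email ${JSON.stringify(e)}`);
    }
    // Two failure modes worth catching before deploy: a profile nobody can
    // approve (requests hang forever) and a profile where self-approval is the
    // only path to a grant (no second person ever reviews it).
    if (p.approverEmails.length === 0) {
      problems.push(p.canSelfApprove
        ? `${where}: canSelfApprove with no approvers means grants are never reviewed by a second person`
        : `${where}: no approvers and canSelfApprove is false, so requests can never be approved`);
    }
  });
  return problems;
}

// Constructed sample configs for demonstration.
const goodConfig: Config = {
  profiles: [{
    attribute: "custom:prodAccess",
    description: "Production",
    notifyChannel: "C06TH49GKHC",
    canSelfApprove: true,
    approverEmails: ["alice@example.com", "bob@example.com"],
  }],
};

const badConfig: Config = {
  profiles: [
    {
      attribute: "prodAccess",        // missing the custom: namespace
      description: "Production",
      notifyChannel: "#prod-access",  // a channel name, not a channel ID
      canSelfApprove: false,
      approverEmails: [],             // nobody can approve this profile
    },
    {
      attribute: "custom:dbAccess",
      description: "",                // empty label
      notifyChannel: "C06TH49GKHC",
      canSelfApprove: true,
      approverEmails: ["not-an-email"],
    },
  ],
};

console.log(validateConfig(badConfig).join("\n"));
```

Running the block prints the five problems found in `badConfig`; `goodConfig` produces none. A check like this fits naturally as a step before `slack deploy` in a CI job.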
Slack documentation has instructions on automatic deployment of the workflow using GitHub Actions.
After the workflow has been configured and deployed, you can start using attributes corresponding to the configured access profiles as part of your network policy. For example, the `custom:prodAccess` attribute managed by the workflow can be referenced by a posture and required for production access:

```jsonc
"postures": {
  "posture:prodAccess": ["custom:prodAccess == true"],
},
"acls": [
  {
    "action": "accept",
    "src": ["group:dev"],
    "dst": ["tag:production"],
    "srcPosture": ["posture:prodAccess"]
  },
],
```

See the Device Posture topic and the tailnet policy file syntax topic for more information about postures and posture conditions.
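To see how the posture gates the ACL across the lifetime of a just-in-time grant, here is an added example that is neither the accessbot project's code nor Tailscale's policy engine: a minimal evaluator for posture conditions of the form shown above. It supports only the `==` and `!=` operators, matches `src` and `dst` by exact string comparison (a simplification of how Tailscale resolves groups, tags and ports), and treats a device that lacks the attribute as failing the condition. The policy and device attribute maps are constructed to mirror the snippet above.

```typescript
// Added example (not the project's code, not Tailscale's policy engine): a
// small evaluator for `custom:x == true` style posture conditions, used to
// show which requests the policy above admits at each stage of a grant.

type AttrValue = string | number | boolean;
type DeviceAttrs = Record<string, AttrValue>;

type AclRule = {
  action: "accept";
  src: string[];
  dst: string[];
  srcPosture?: string[];
};

type Policy = {
  postures: Record<string, string[]>;
  acls: AclRule[];
};

// Parse the right-hand side of a condition: true/false, a number, or a "quoted string".
function parseLiteral(raw: string): AttrValue {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+(\.\d+)?$/.test(raw)) return Number(raw);
  const m = /^"(.*)"$/.exec(raw);
  if (m) return m[1];
  throw new Error(`unsupported literal: ${raw}`);
}

// Evaluate one condition such as `custom:prodAccess == true` against a device's
// attributes. A device without the attribute fails the condition (this example
// fails closed), so clearing the attribute when a grant ends is enough to cut
// off access without touching the ACL itself.
function evalCondition(cond: string, attrs: DeviceAttrs): boolean {
  const m = /^\s*(\S+)\s*(==|!=)\s*(.+?)\s*$/.exec(cond);
  if (!m) throw new Error(`cannot parse condition: ${cond}`);
  const [, key, op, rawLit] = m;
  if (!(key in attrs)) return false;
  const equal = attrs[key] === parseLiteral(rawLit);
  return op === "==" ? equal : !equal;
}

// A posture passes only when every one of its conditions passes.
function passesPosture(policy: Policy, posture: string, attrs: DeviceAttrs): boolean {
  const conds = policy.postures[posture];
  if (conds === undefined) throw new Error(`unknown posture: ${posture}`);
  return conds.every((c) => evalCondition(c, attrs));
}

// True if some accept rule matches src -> dst and the device satisfies every
// posture the rule requires of its source.
function accessAllowed(policy: Policy, src: string, dst: string, attrs: DeviceAttrs): boolean {
  return policy.acls.some((rule) =>
    rule.action === "accept" &&
    rule.src.includes(src) &&
    rule.dst.includes(dst) &&
    (rule.srcPosture ?? []).every((p) => passesPosture(policy, p, attrs))
  );
}

// Constructed policy mirroring the README snippet.
const samplePolicy: Policy = {
  postures: { "posture:prodAccess": ["custom:prodAccess == true"] },
  acls: [
    { action: "accept", src: ["group:dev"], dst: ["tag:production"], srcPosture: ["posture:prodAccess"] },
  ],
};

// Walk a dev device through the states of a just-in-time grant (constructed
// attribute maps): before the request, while the grant is active, after it ends.
function jitWalkthrough(): boolean[] {
  const before: DeviceAttrs = {};                              // no attribute yet
  const during: DeviceAttrs = { "custom:prodAccess": true };   // set by the workflow
  const after: DeviceAttrs = { "custom:prodAccess": false };   // grant revoked or expired
  return [before, during, after].map((attrs) =>
    accessAllowed(samplePolicy, "group:dev", "tag:production", attrs));
}

console.log(jitWalkthrough()); // [false, true, false]
```

The walkthrough returns `[false, true, false]`: only while the workflow has set `custom:prodAccess` to `true` does a `group:dev` device reach `tag:production`, and a device outside `group:dev` is refused regardless of its attributes.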
You can run the workflow locally, before deploying it to Slack's infrastructure. First add the Tailscale Client ID and Secret from the previous step to a `.env` file in the root of the project:

```
TAILSCALE_CLIENT_ID=abc1234CNTRL
TAILSCALE_CLIENT_SECRET=tskey-client-abc1234CNTRL-qwerty1234...
```

Then you can run the application using the `slack` CLI. You'll know an app is the development version if the name has the string `(local)` appended:

```
# Run app locally
slack run
Connected, awaiting events
```

To stop running locally, press `<CTRL> + C` to end the process.