{"id":18952391,"url":"https://github.com/tailscale/accessbot","last_synced_at":"2025-07-16T11:04:46.944Z","repository":{"id":238816973,"uuid":"797157275","full_name":"tailscale/accessbot","owner":"tailscale","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-27T10:58:48.000Z","size":760,"stargazers_count":20,"open_issues_count":1,"forks_count":5,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-04-11T16:18:52.942Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tailscale.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-07T09:55:48.000Z","updated_at":"2025-04-11T06:41:52.000Z","dependencies_parsed_at":"2024-11-08T13:38:45.280Z","dependency_job_id":"3616a105-0fac-4abd-9aba-140ab1b44e1b","html_url":"https://github.com/tailscale/accessbot","commit_stats":null,"previous_names":["tailscale/accessbot"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Faccessbot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Faccessbot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Faccessbot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Faccessbot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tailscale","download_url":"https://codeload.github.com/tailscale/accessbot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249182556,"owners_count":21226090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T13:33:05.370Z","updated_at":"2025-04-16T01:33:54.249Z","avatar_url":"https://github.com/tailscale.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tailscale Slack Accessbot\n\nThis is an example Slack Workflow App that allows users to use Slack to request\ninstantaneous, time-bound access, known as just-in-time access, to Tailscale\nresources from other people in their organization.\n\n\u003cimg src=\"images/tailscale-access-requesting-access.png\" alt=\"Tailscale Access request access form in Slack\" width=\"400\"/\u003e\n\nNote that it relies on Tailscale\n[custom device posture attributes](https://tailscale.com/api#tag/devices/POST/device/{deviceId}/attributes/{attributeKey})\nAPI that might not be available on all pricing plans.\n\n## Deploy the Slack App for the first time\n\n1. Confirm that the Slack Team to which you want to install the Tailscale\n   Accessbot has a paid [Slack plan](https://app.slack.com/plans/) which allows\n   you to **Deploy apps to Slack infrastructure**.\n\n1. Install [Deno](https://www.deno.com/) on your local machine following the\n   Deno\n   [Installation instructions](https://docs.deno.com/runtime/manual/getting_started/installation).\n\n1. Install the Slack CLI on your local machine following the Slack\n   [Quickstart Guide](https://api.slack.com/automation/quickstart) (or just\n   `brew install slack-cli` on macOS).\n\n1. Authenticate with the Slack CLI by running `slack login` in your terminal:\n\n   1. The output will contain a command like\n      `/slackauthticket NzY5YmViN2QtY2ZjZS12ZmRjLTlmYTktNjI0NjI5NWI1ODFk` which\n      you should paste into the Slack chat box.\n   1. Approve the permissions that Slack will grant your CLI.\n   1. Paste the confirmation code back into the Slack CLI's **Enter challenge\n      code** prompt.\n\n1. Add the Tailscale Accessbot code to a git repository of your own:\n\n   1. Run the following commands to create a new directory for the accessbot\n      code and config:\n      ```shell\n      mkdir tailscale-accessbot\n      cd tailscale-accessbot\n      ```\n\n   1. Run the following commands to pull the Tailscale Accessbot code into your\n      new directory:\n      ```shell\n      git init -b main\n      git remote add upstream https://github.com/tailscale/accessbot.git\n      git pull upstream main\n      ```\n\n   1. (Optional, recommended) Create a private git repository on GitHub, GitLab,\n      or your preferred git host of choice, and push your code there:\n      ```shell\n      git remote add origin git@github.com:myorg/tailscale-accessbot\n      git push -u origin main\n      ```\n\n1. Deploy the app to Slack:\n\n   1. Run the following command to begin deploying your app to Slack, which will\n      prompt you to select the Team to install to:\n      ```shell\n      slack deploy\n      ```\n      - If you receive an error containing `app_approval_request_denied` then\n        your Slack team is configured with **Require App Approval** turned on\n        but **Allow members to request approval for apps** turned off. Speak to\n        one of your Slack team owners about changing these settings to allow you\n        to proceed. They can either turn on the **Allow members to request\n        approval for apps** setting or add your user to the **Select App\n        Managers to manage apps** \u003e **Workspace Owners and selected members or\n        groups** option. Retry `slack deploy` after this change.\n      - If you are asked whether you would like to request approval to install\n        the app, select **Yes**. Once Slack tells you that approval has been\n        granted, you may re-run `slack deploy`.\n\n   1. Create the trigger when prompted.\n\n   1. Slack will give you a Shortcut URL such as\n      `https://slack.com/shortcuts/Ft074AB2RW12/…` which won't work in your web\n      browser, but which can be used within the Slack app. Paste the Shortcut\n      URL from your terminal into a Slack chatroom and it will render a **Start\n      Workflow** button:\n\n      \u003cimg src=\"images/tailscale-access-shortcut.png\" alt=\"'Start Workflow' link rendered in Slack\" width=\"400\"/\u003e\n\n   1. Selecting the **Start Workflow** button will show the following error\n      because we are yet to connect it to Tailscale:\n\n      \u003cimg src=\"images/tailscale-access-unconfigured.png\" alt=\"Tailscale workflow before configuration\" width=\"400\"/\u003e\n\n   1. The Slack CLI will have created a `.slack` directory containing\n      `apps.json` and `config.json` files. These contain the app identifiers\n      that allow the Slack CLI to update the app later. You should now\n      `git commit` these files and if backing up to a remote repository,\n      `git push`.\n\n1. Connect the app to Tailscale:\n\n   1. [Generate an OAuth client](https://login.tailscale.com/admin/settings/oauth)\n      in Tailscale with the `devices:core:read` and `devices:posture_attributes`\n      scopes:\n\n      \u003cimg src=\"images/tailscale-oauth-client.png\" alt=\"Tailscale accessbot OAuth Client\" width=\"400\"/\u003e\n\n   1. Run the following command from your accessbot directory, using the OAuth\n      Client ID in place of `\u003cclient-id\u003e`, and selecting the appropriate team\n      when prompted:\n      ```shell\n      slack env add TAILSCALE_CLIENT_ID \u003cclient-id\u003e\n      ```\n\n   1. Run the following command from your accessbot directory, using the OAuth\n      Client secret in place of `\u003csecret\u003e`, and selecting the appropriate team\n      when prompted:\n      ```shell\n      slack env add TAILSCALE_CLIENT_SECRET \u003csecret\u003e\n      ```\n\n   1. Going back to Slack, selecting the **Start Workflow** button again should\n      now present the Accessbot screen:\n\n      \u003cimg src=\"images/tailscale-access-init.png\" alt=\"Tailscale Access starting request form in Slack\" width=\"400\"/\u003e\n\n      - An alternative way to trigger the workflow is to start typing its name\n        in the \"slash command\" pop-up menu that you should see after pressing\n        the \"/\" key.\n\n   1. Any errors that occur during the operation of the Workflow will be sent to\n      you in Slack, or can be inspected on demand using `slack activity`, or\n      watched in real-time using `slack activity --tail`.\n\n   1. Proceed to the next section to configure the available access profiles and\n      update your app.\n\n## Configure profiles\n\nConfiguration of Tailscale Access profiles is done by editing `config.ts`. All\navailable configuration options can be seen in the schema under `config.ts`.\n\nAn example of a minimal configuration can begin as follows:\n\n```typescript\nexport const config: Config = {\n  profiles: [\n    {\n      attribute: \"custom:prodAccess\",\n      description: \"Production\",\n      notifyChannel: \"C06TH49GKHC\",\n      canSelfApprove: true,\n      approverEmails: [\n        \"alice@example.com\",\n        \"bob@example.com\",\n        \"charlie@example.com\",\n      ],\n    },\n  ],\n} as Config;\n```\n\nSee the `type Profile` declaration at the bottom of config.ts for a description\nof the different fields available in this config.\n\nAfter changing config.ts, you must run another `slack deploy` to see the config\nupdate in the app. It is recommended that you `git commit` and `git push` at\nthis point too.\n\n[Slack documentation](https://api.slack.com/automation/cli/CI-CD-tutorial) has\ninstructions on automatic deployment of the workflow using Github Actions.\n\n## Use the attributes as part of network policy\n\nAfter the workflow has been configured and deployed, you can start using\nattributes corresponding to the configured access profiles as part of your\nnetwork policy.\n\nFor example, the `custom:prodAccess` attribute managed by the workflow can be\nreferenced by a posture and required for production access:\n\n```\n\"postures\": {\n    \"posture:prodAccess\": [\"custom:prodAccess == true\"],\n},\n\"acls\": [\n    {\n        \"action\": \"accept\",\n        \"src\": [\"group:dev\"],\n        \"dst\": [\"tag:production\"],\n        \"srcPosture\": [\"posture:prodAccess\"]\n    },\n],\n```\n\nSee the [Device Posture](https://tailscale.com/kb/1288/device-posture) topic and\nthe [tailnet policy file syntax](https://tailscale.com/kb/1337/acl-syntax/#acls)\ntopic for more information about postures and posture conditions.\n\n## Develop with the accessbot locally\n\nYou can run the workflow locally, before deploying it to Slack's infrastructure.\n\nFirst add the Tailscale Client ID and Secret from the previous step to a `.env`\nfile in the root of the project:\n\n```.env\nTAILSCALE_CLIENT_ID=abc1234CNTRL\nTAILSCALE_CLIENT_SECRET=tskey-client-abc1234CNTRL-qwerty1234...\n```\n\nThen you can run the application using the `slack` CLI. You'll know an app is\nthe development version if the name has the string `(local)` appended:\n\n```shell\n# Run app locally\nslack run\n\nConnected, awaiting events\n```\n\nTo stop running locally, press `\u003cCTRL\u003e + C` to end the process.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Faccessbot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftailscale%2Faccessbot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Faccessbot/lists"}