From 325e8dddcb932e5c4840c9486bd6740401bc5e18 Mon Sep 17 00:00:00 2001
From: Paul Poulsen
Date: Thu, 24 Oct 2024 14:18:13 -0500
Subject: [PATCH 1/2] SK24 - Add role to Slack Install in order to access secrets

---
 serverless.yml | 1 +
 src/index.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/serverless.yml b/serverless.yml
index 8f16a87..ec0bac1 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -30,6 +30,7 @@ functions:
 - http:
 path: 'slack/install'
 method: get
+ role: slackbotRole
 create-user:
 handler: src/index.createUser
 events:
diff --git a/src/index.ts b/src/index.ts
index 5e6f739..5d42c2b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -155,6 +155,7 @@ export const authorizeMicrosoftGraph: Handler = async (event: any) => {
 };
 
 export const slackInstall: Handler = async () => {
+ console.log('Slack install requested.')
 const clientId = await getSlackClientIdWithKey('clientId');
 
 return {

From 6b29ff023751a89d91dc0cc43b0cc6d4221b1f5e Mon Sep 17 00:00:00 2001
From: Paul Poulsen
Date: Thu, 24 Oct 2024 14:25:41 -0500
Subject: [PATCH 2/2] SK24 - Add GetSecretsValue permission to updateRole policy as well

---
 serverless.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/serverless.yml b/serverless.yml
index ec0bac1..b6a1de8 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -125,6 +125,16 @@ resources:
 - Ref: 'AWS::Region'
 - Ref: 'AWS::AccountId'
 - 'table/cal2slack-usersettings'
+ - Effect: Allow
+ Action:
+ - secretsmanager:GetSecretValue
+ Resource:
+ - 'Fn::Join':
+ - ':'
+ - - 'arn:aws:secretsmanager'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'secret:${self:custom.lambda.slackbot.secretsPrefix}/*'
 - Effect: 'Allow'
 Action:
 - lambda:InvokeFunction
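Review bot: The `role: slackbotRole` added after the `slack/install` http event should be checked against what this handler actually needs, because the endpoint is an unauthenticated GET and the function will run with every permission the role grants; the role's policy is not in this hunk, so its scope cannot be confirmed here. If slackbotRole also carries the DynamoDB and `lambda:InvokeFunction` grants that the second patch shows next to the new secretsmanager statement, a dedicated role limited to `secretsmanager:GetSecretValue` on the client-id secret would keep the public endpoint least-privilege. The new key's indentation is lost in this rendering; in Serverless Framework `role` must be a function-level key (a sibling of `handler` and `events`), not nested under the http event, for it to be applied.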
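Review bot: The added `console.log('Slack install requested.')` lacks the trailing semicolon the surrounding code uses (`const clientId = ...;` on the next line); write `console.log('Slack install requested.');`. The message carries no context, which is acceptable for a handler that ignores its event, but if it is meant as an audit trail of install attempts it would be more useful placed after `getSlackClientIdWithKey` resolves, so a failed secret lookup is distinguishable from a successful install page render. slackInstall's body continues outside the hunk.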
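Review bot: The new statement writes `Effect: Allow` unquoted while the adjacent existing statement on the following line uses `Effect: 'Allow'`; both parse identically, but matching the file's quoting (`- Effect: 'Allow'`) keeps the policy block consistent. Scoping the resource to `secret:${self:custom.lambda.slackbot.secretsPrefix}/*` rather than `*` is the right shape, but Secrets Manager appends a generated suffix to each secret's ARN, so the trailing `/*` only matches secrets whose names sit under that prefix with a `/` separator; the prefix value should be verified against how the secrets were actually named. If the secrets are encrypted with a customer-managed KMS key rather than the AWS-managed default, `kms:Decrypt` on that key is also required for GetSecretValue to succeed, and this hunk does not show which key is in use. The commit subject says GetSecretsValue, but the action added is `secretsmanager:GetSecretValue`, which is the correct IAM action name.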