Grant Temporary Access with a Hubot Chatbot
Last modified on March 24, 2023
If you are using a Hubot chatbot to automate common activities, you can integrate with the sdm Linux binary to handle common administrative tasks. This guide shows how to add a Hubot command to grant temporary access to datasources and servers. In this guide, we use the Heroku deployment method; modify as needed if you’re using a different deployment type.
Setup
Set up a Hubot chatbot according to the directions on the Hubot site.
Once the setup is done, copy the Linux binary into the bin/ directory in your Hubot tree.
Create an admin token in the Admin UI with the following permissions:
- datasource:grant
- datasource:list
- user:assign
- user:list
Add two environment variables to your Hubot:

    heroku config:set SDM_HOME=/app
    heroku config:set SDM_ADMIN_TOKEN=<admin token here>

Add an SDM script to scripts/. Here is a barebones example that will grant access to datasources for one hour.

    # spawn starts the sdm binary directly, with no shell in between
    {spawn} = require 'child_process'

    module.exports = (robot) ->
      robot.hear /access to (.*)/i, (res) ->
        # Everything after "access to" is taken as the resource name
        target = res.match[1]
        email = res.envelope.user.email_address
        res.reply "Granting #{email} access to '#{target}' for 1 hour"
        spawn('sdm', ['admin','users','grant-temporary','-d','1h',target,email])

Deploy the changes with:

    git push heroku master

Test by telling the bot "Grant me access to datasource". It should respond with:

    Granting <email> access to 'datasource' for 1 hour

Enhancements
There are a number of ways to improve your Hubot’s StrongDM integration. Here are a few examples:
- Ensure the datasource/server requested actually exists by having the bot run sdm admin datasources list -j, which will output a JSON-formatted list of datasources, and sdm admin servers list -j for SSH/RDP.
- Add additional sanitization and error checking.
- Ensure (through your own systems) that the requester is authorized to perform temporary grants of this nature.