AWS Cloud Operations Blog
Manage AWS resources in your Slack channels with AWS Chatbot
**This post was written while the feature to manage AWS resources in Slack channels was in public preview. This feature is now generally available. The information contained within this post is still relevant and helpful.**
DevOps and engineering teams are increasingly moving their operations, system management, and CI/CD workflows to chat applications to streamline activities in chat channels and improve team collaboration. AWS customers have used the AWS Chatbot to monitor and retrieve diagnostic information. After receiving the information in the Slack channel, AWS customers had to switch to the AWS Console or AWS Command Line Interface (CLI) to remediate the incidents and configure their AWS environments. Without a secure integrated ChatOps experience, managing AWS environments and resolving issues require context-switching to other tools, correlating data from various sources, and continuously sharing progress in the chatroom, which leads to communication overhead and long task-completion cycles.
At re:Invent 2021, AWS Chatbot announced the public preview of a new feature that lets you use AWS Chatbot to manage AWS resources and remediate issues in AWS environments by running AWS CLI commands from Slack channels. Previously, you could only monitor AWS resources and retrieve diagnostic information using AWS Chatbot. Now, customers can manage AWS resources directly from their Slack channels with this feature. This means customers can monitor, operate, and troubleshoot AWS environments from Slack channels without switching context between Slack and other AWS Management Tools. Customers can securely run AWS CLI commands to scale Amazon Elastic Compute Cloud (EC2) instances, run AWS Systems Manager runbooks, and change AWS Lambda concurrency limits. Additionally, you can configure channel permissions to match your security and compliance needs by choosing role types, modifying account-level settings, and using guardrail policies.
How it works
In this post, I will show you AWS Chatbot configuration steps and share sample DevOps use cases to configure your AWS resources using AWS CLI commands from Slack channels.
As part of this post, you will perform the following tasks:
- Configure AWS Chatbot to run AWS CLI commands in a Slack channel
- Select a user role from the Slack channel
- View Amazon CloudWatch Alarms
- Update AWS Kinesis shards count
- Increase AWS Lambda concurrency limits
- Run an AWS Systems Manager runbook to restart an Amazon EC2 instance
Task 1. Configure AWS Chatbot to run AWS commands in a Slack channel
- To configure a Slack channel in an existing Slack workspace configuration, select the desired Slack workspace from the left navigation bar in the AWS Chatbot console’s home page. Alternatively, to configure a new Slack workspace in AWS Chatbot, choose Slack in the Chat client dropdown, and choose Configure client. The setup wizard redirects you to the Slack OAuth 2.0 page. Select the Slack workspace to configure in the top-right corner, and choose Allow. Your Slack workspace installs the AWS Slack App, and the AWS account that you logged in with is now authorized to communicate with your Slack workspace.
Figure 1: AWS Chatbot requests access to Slack workspace
- From here, Slack redirects you to the Configure Slack Channel page. Choose “Configure new channel” to create a new Slack channel configuration in the chosen Slack workspace. Select the channel in which you want to run commands. You can either select a public channel from the dropdown list or paste the URL or ID of a private channel. For private Slack channels, find the channel URL by opening the context menu (right-click) on the channel name in the left sidebar in Slack, and choosing Copy link.
- After choosing the Slack channel, configure the channel member permissions. AWS Chatbot provides two ways to configure channel member permissions. With the Channel IAM role permission setting, all of the channel members share the same action permissions. Alternatively, the User roles permission setting requires each channel member to choose an IAM role to perform actions. Choose the Channel IAM role or User roles permission setting based on your security and governance needs and the intended channel purpose. Learn more about AWS Chatbot permissions in the AWS Chatbot documentation. Choose the User roles permissions option.
Figure 2: AWS Chatbot configuration permissions
- After configuring the role permission settings, choose a Channel guardrails policy. A channel guardrail policy limits the actions that your channel members can take. The actions that channel members are allowed to take are based on the intersection of the guardrails and the IAM user or Channel role permissions. The guardrail policy is applied to both the Channel IAM role and User roles settings at runtime.
- Finally, if you want to receive notifications from Amazon EventBridge, Amazon CloudWatch alarms, and AWS Budgets in your channels, select an Amazon Simple Notification Service (SNS) topic under SNS topics. As events occur and are published to the SNS topic, AWS Chatbot sends the notifications to the appropriate Slack channels. Choose Save to complete the setup.
- In Slack, add the AWS Chatbot app to your workspace by choosing Add apps. Open the Slack channel that you configured in Step 1, and type /invite @aws to invite AWS Chatbot to the channel. Test the connectivity by typing @aws help.
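The guardrail step above says that what a channel member can do is the intersection of the guardrail policy and the role permissions. The following added example (not code from the original post or from AWS) models that rule for the commands used in this walkthrough. The two policies are constructed, the CLI-to-IAM-action mapping is a heuristic, and only Effect and Action are evaluated.

```python
from fnmatch import fnmatchcase

# Constructed policies in IAM JSON shape (assumptions, not from the post).
GUARDRAIL = {"Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:Describe*", "lambda:*",
                                   "ssm:StartAutomationExecution"]},
    {"Effect": "Deny", "Action": "lambda:Delete*"},
]}
USER_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:*", "lambda:*", "ec2:*"]},
]}

def cli_to_action(command):
    """Heuristic: 'lambda put-function-concurrency ...' -> 'lambda:PutFunctionConcurrency'.
    Holds for the commands in this post; some services name IAM actions differently."""
    service, operation = command.split()[:2]
    return service + ":" + "".join(w.capitalize() for w in operation.split("-"))

def decision(policy, action):
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy. Simplified model:
    only Effect and Action are evaluated (no Resource, Condition, NotAction)."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and support * and ? wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            result = "Allow"
    return result

def is_permitted(command, guardrail=GUARDRAIL, role=USER_ROLE):
    """Intersection: the guardrail AND the role must both allow the action."""
    action = cli_to_action(command)
    return decision(guardrail, action) == "Allow" and decision(role, action) == "Allow"

if __name__ == "__main__":
    for cmd in ["cloudwatch describe-alarms --region us-west-1",
                "lambda put-function-concurrency --function-name BananaOrderProcessor",
                "ssm start-automation-execution",   # role lacks ssm:*
                "ec2 terminate-instances",          # guardrail lacks ec2:*
                "lambda delete-function"]:          # guardrail explicit deny
        action = cli_to_action(cmd)
        print(f"{action:38} guardrail={decision(GUARDRAIL, action):12} "
              f"role={decision(USER_ROLE, action):12} permitted={is_permitted(cmd)}")
```

A broad role such as `ec2:*` gains nothing in the channel unless the guardrail also allows the action, and a guardrail Allow does not grant anything the role lacks.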
Task 2. Select a user role from the Slack channel
When a channel is configured with the User roles permission setting from Task 1, channel members must select an IAM role before they can run commands. To choose or switch a user role at any time, type @aws switch-roles in the Slack channel. AWS Chatbot prompts you to select an IAM role. Select the configured AWS account link and navigate to the console to choose an IAM role.
Figure 3: Slack interaction to switch a user role.
Figure 4: AWS Chatbot user role selection.
On the Edit user role page, select a role from the Existing roles dropdown, and choose Save. From here, Slack redirects you to the Slack OAuth 2.0 page. In the top-right corner, choose the Slack workspace from which the Slack user is switching roles, and then choose Agree. From here, Slack redirects you back to the User role selection confirmation page. Once an IAM role is associated with the Slack user, AWS Chatbot assumes the Slack user’s selected IAM role to run AWS CLI commands.
Task 3. View Amazon CloudWatch Alarms
You can use AWS Chatbot to retrieve diagnostic information. Moreover, you can run AWS CLI commands to retrieve details of all of the CloudWatch alarms in your account.
Type @aws describe cw alarms in us-west-1 to see all of the alarms in the US West (Northern California) Region. AWS Chatbot will understand your input, map it to matching AWS CLI commands, and ask for a confirmation.
Figure 5: AWS CLI recommendations for user input in AWS Chatbot
After you choose the Run Command button next to the CLI command recommendation cloudwatch describe-alarms --region us-west-1, AWS Chatbot will run the command and return the command results with CloudWatch alarm details, along with images of the metric trend. AWS Chatbot will also provide an option to refine the AWS CLI command results by prompting you to rerun the AWS CLI command with optional parameters.
Figure 6: Amazon CloudWatch alarm details retrieved using AWS CLI command in AWS Chatbot
Task 4. Update AWS Kinesis shards count
To update the number of shards for an Amazon Kinesis stream, type the following:
AWS Chatbot will run the AWS CLI command and show the output of the AWS CLI command.
Figure 7: Update AWS Kinesis shard count using AWS CLI command in AWS Chatbot
Task 5. Increase AWS Lambda concurrency limits
You can use AWS Chatbot to change the AWS Lambda function’s maximum simultaneous execution capacity limit.
Example 1: If you know the exact syntax of the AWS CLI function name, then you can type an AWS CLI command such as the following:
@aws lambda put-function-concurrency --function-name BananaOrderProcessor --reserved-concurrent-executions 10
AWS Chatbot will run the AWS CLI command and show the output of the AWS CLI command.
Example 2: If you don’t remember the exact syntax or names of the command parameters, then AWS Chatbot will help you complete the AWS CLI command. Type the following:
@aws lambda set concurrency functionname BananaOrderProcessor
Then, AWS Chatbot will show the matching AWS CLI commands. Choose the Run Command button next to the lambda put-function-concurrency --function-name BananaOrderProcessor option.
Figure 8: AWS CLI recommendations for user input in AWS Chatbot
Then, AWS Chatbot will guide you with all of the required parameters. When prompted for the reserved-concurrent-executions parameter, type @aws 10 as the input value. The following example shows the sample interaction and the command output on the execution of the AWS CLI command.
Figure 9: AWS Chatbot guides AWS CLI command completion
Task 6. Run an AWS Systems Manager runbook to restart an Amazon EC2 instance
You can also run AWS Systems Manager runbooks to configure your AWS workloads.
Example 1: To run a Systems Manager automation runbook to restart an Amazon EC2 instance, type the following:
Figure 10: Run AWS Systems Manager runbooks in AWS Chatbot
Example 2: Alternatively, you can let AWS Chatbot guide you through an automation runbook execution. Type @aws ssm start automation execution to start a guided walkthrough of running an automation runbook. Choose the Run Command button next to the ssm start-automation-execution command recommendation. When prompted for the document-name parameter, select the automation runbook AWS-RestartEC2Instance from the document-name dropdown.
Figure 11: AWS CLI recommendations for user input in AWS Chatbot
Figure 12: Automation document selection in AWS Chatbot
Then, AWS Chatbot will prompt you for document parameters. Type @aws parameters {"InstanceId": ["i-04d231f25c18592ea"]}, and then choose the Run Command button when prompted.
Figure 13: Guided walkthrough of capturing automation document parameters in AWS Chatbot
AWS Chatbot will execute the automation runbook and provide notification updates in the channel as the automation runbook progresses.
Figure 14: Slack notifications show output of automation document execution progress in AWS Chatbot
Conclusion
With the feature to safely manage AWS resources directly from the Slack channels, DevOps teams can operate AWS resources and remediate production issues from Slack channels without switching context between Slack and other AWS Management Tools. This lets DevOps teams use chat channels as the primary means of collaboration when monitoring events, analyzing incidents, and operating AWS workloads.
In this post, I walked you through the steps to set up an AWS Chatbot configuration and securely run AWS CLI commands to configure AWS resources from Slack.
Got any ideas to improve AWS Chatbot? You can send your comments to the AWS Chatbot team by typing @aws feedback <your comments> in your Slack channel.