Grant Temporary Access with a Hubot Chatbot

If you are using a Hubot chatbot to automate common activities, you can integrate with the sdm Linux binary to handle common administrative tasks. This guide shows how to add a Hubot command to grant temporary access to datasources and servers. In this guide, we use the Heroku deployment method; modify as needed if you're using a different deployment type.

Setup

Set up a Hubot chatbot according to the directions on the Hubot site.
Once the setup is done, copy the Linux binary into the bin/ directory in your Hubot tree.
Create an admin token in the Admin UI with the following permissions:
- datasource:grant
- datasource:list
- user:assign
- user:list

Add two environment variables to your Hubot:

$ heroku config:set SDM_HOME=/app
$ heroku config:set SDM_ADMIN_TOKEN=<admin token here>

Add an SDM script to scripts/. Here is a barebones example that will grant access to datasources for one hour.

module.exports = (robot) ->
robot.hear /access to (.*)/i, (res) ->
target = res.match[1]
email = res.envelope.user.email_address
res.reply "Granting #{email} access to '#{target}' for 1 hour"
spawn('sdm', ['admin','users','grant-temporary','-d','1h',target,email])

Deploy the changes with git push heroku master
Test by telling the bot Grant me access to datasource. It should respond with Granting <email> access to 'datasource' for 1 hour

Enhancements

There are a number of ways to improve your Hubot's strongDM integration. Here are a few examples:

Ensure the datasource/server requested actually exists by having the bot run sdm admin datasources list -j which will output a JSON-formatted list of datasources, and sdm admin servers list -j for SSH/RDP.
Add additional sanitization and error checking.
Ensure (through your own systems) that the requester is authorized to perform temporary grants of this nature.

Automation — Previous

Temporary Access Integrations

Next — Automation

Automate Temporary Access with PagerDuty Schedules