Approve Just-in-Time database access via Slack
In the previous tutorial, we demonstrated how to set up JIT access using the Bytebase GUI. In this tutorial, we will cover how to automate JIT access via Slack, using Bytebase webhooks and the Bytebase API.
When developers need urgent production database access during an incident but lack the permissions, they can request Just-in-Time (JIT) access. The request triggers a Bytebase webhook, so the DBA receives a notification in Slack immediately and can approve the request there.
This is Part 2 of our tutorial series on implementing Just-in-Time (JIT) access:
- Part 1: Grant JIT database access via Bytebase GUI
- Part 2: Approve JIT database access via Slack (this one)
- Part 3: Request JIT database access via Slack
Overview
In this tutorial, you'll learn how to approve JIT access via Slack with the help of Bytebase webhooks and APIs.
This tutorial skips the Bytebase setup. If you haven't set up Bytebase and registered the admin and developer users yet, please follow the instructions in the previous tutorial first.
Prerequisites
Before you begin, make sure you have:
- Docker installed
- Slack workspace
- VS Code for port forwarding
Overall Workflow
- Create a Slack app. The Slack app listens for the webhook notification that Bytebase sends when someone submits a database access request.
- Upon receiving the webhook event, the Slack app will present a message card in the configured channel with request details and approve/deny buttons.
- Upon clicking the approve/deny button, the Slack app will call the corresponding Bytebase API to approve/deny the request.
Step 1 - Finish the previous tutorial
Make sure you have finished the previous tutorial and have the Bytebase instance running. In particular, pay attention to Step 4, which requests JIT access via the Bytebase GUI.
The Request role feature used in this tutorial is only available in the Enterprise Plan; other plans only offer the Assign role feature, which is not enough. You may request a trial from here.
Step 2 - Register a service account in Bytebase
- Log in as the admin user and go to Security & Policy > Users & Groups. Click + Add User, fill in `api-example`, choose the DBA role (sufficient for this tutorial), and click Confirm.
- Find the newly created service account and click Copy Service Key. We will use this token to authenticate the API calls.
- Go to Sample Project, click Manage > Members, and assign the service account as Project Owner, which fits the custom approval set up in the previous tutorial.
Step 3 - Download the slack-example code and run it
- Download the slack-example code.
- Go to the `approve-issue` folder and copy the `env-template.local` file to `.env.local`.
- Paste the registered service account information into the `.env.local` file.
- Using VS Code's port forwarding, forward the local server's ports: `3000` for the slack-example app and `8080` for the Bytebase instance.
- Copy the forwarded address of port 8080 into the `.env.local` file as `BB_HOST`.
- Also, go to Bytebase, click Settings > General, and set that address as the External URL.
Step 4 - Create Bytebase Webhook
- Go to Bytebase and select the Sample Project.
- Click Integration > Webhooks and click Add Webhook.
- Set the Name as `Slack webhook` and the URL as `YOUR_3000_FORWARDED_URL/api/bytebase/webhook`.
- Select Issue approval needed as the Triggering activity.
- Click Test webhook and, if it succeeds, click Create.
Step 5 - Create and invite a Slack bot
- Go to Slack apps and click Create New App.
- Choose From scratch, enter the App name, and select your Workspace.
- Go to OAuth & Permissions and add the following permissions under Scopes:
  - `chat:write` (send messages)
  - `channels:read` (read the channel id of a public channel)
  - `groups:read` (read the channel id of a private channel)
- Scroll up to OAuth Tokens, click Install to YOUR_WORKSPACE, and authorize the app.
- Copy the Bot User OAuth Token and paste it into the `.env.local` file as `SLACK_BOT_TOKEN`.
- Choose a channel and invite the bot to it by typing `/invite @YOUR_BOT_NAME`.
- Go to Interactivity & Shortcuts in the app settings, turn on Interactivity, and add the Request URL `YOUR_3000_FORWARDED_URL/api/slack/interact`. Click Save Changes.
Step 6 - Verify the workflow
Now, everything is ready, let's verify the workflow:
- Go to Bytebase, log in as the developer, and go into the Sample Project.
- By default, the developer has no permission to access the database. Click Manage > Members and you'll see the developer only has the Project Developer role. If you go to SQL Editor, you'll see the `hr_prod` database is not accessible.
- Click Database > Databases, select the `hr_prod` database, and click Request Querier role.
- Choose the database or table you want to access, and click OK.
- A request issue is created and the configured custom approval flow is matched.
- Go to Slack: the bot has already sent a message to the channel, triggered by the webhook.
- Click Approve. The Slack bot calls the interact API, which in turn calls the Bytebase API to approve the issue.
- Go back to Bytebase: the issue is approved and the developer can access the database now.
Code structure
If digging into the code is your interest, here is a brief explanation of the code structure:
- `src/app/api/bytebase/webhook/route.ts`: handles the webhook from Bytebase.
- `src/app/api/slack/interact/route.ts`: handles the interaction (Approve or Deny) from Slack and forwards it to Bytebase.
- `src/lib/slack.ts`: sends the message to Slack via its Web API.
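The interact route is the sensitive piece: whoever can reach `YOUR_3000_FORWARDED_URL/api/slack/interact` can ask it to approve issues with the service account's key, so it must only act on requests that genuinely come from Slack. The following is an added example, not the slack-example project's own code, showing how such a route can verify Slack's request signature and timestamp before mapping the clicked button to a decision; the `action_id` and `value` names, the issue name and the signing secret are constructed for this example.

```typescript
// Added example, not the slack-example project's code: verify a Slack interaction
// request and map the clicked button to an approve/deny decision for an issue.
// Slack signs each request as HMAC-SHA256 over "v0:<timestamp>:<raw body>" with the
// app's Signing Secret; the action_id / value names used below are assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Decision = { action: "approve" | "deny"; issue: string; user: string };
export type SlackRequest = { body: string; timestamp: string; signature: string };

// Reject a request whose signature does not match or whose timestamp is more than
// five minutes away from now (Slack's replay-protection window).
export function verifySlackRequest(secret: string, req: SlackRequest, nowSeconds: number): boolean {
  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > 300) return false;
  const expected = "v0=" + createHmac("sha256", secret)
    .update(`v0:${req.timestamp}:${req.body}`).digest("hex");
  const a = Buffer.from(expected), b = Buffer.from(req.signature);
  return a.length === b.length && timingSafeEqual(a, b); // constant-time compare
}

// Slack posts interactions as form data with one "payload" field holding JSON.
export function parseDecision(body: string): Decision | null {
  const payload = new URLSearchParams(body).get("payload");
  if (!payload) return null;
  const data = JSON.parse(payload);
  const action = data?.actions?.[0];
  if (!action || (action.action_id !== "approve" && action.action_id !== "deny")) return null;
  if (typeof action.value !== "string" || action.value === "") return null;
  return { action: action.action_id, issue: action.value, user: data?.user?.id ?? "unknown" };
}

// What the interact route should do before calling Bytebase: verify first, parse
// second. A null result means "respond with an error and call nothing".
export function handleInteraction(secret: string, req: SlackRequest, nowSeconds: number): Decision | null {
  return verifySlackRequest(secret, req, nowSeconds) ? parseDecision(req.body) : null;
}

// Constructed sample: a DBA (Slack user U0DBA) clicks Approve for a made-up issue
// name, signed with a constructed secret the way Slack would sign it.
export const SAMPLE_SECRET = "constructed-signing-secret";
export function sampleRequest(): SlackRequest {
  const body = new URLSearchParams({ payload: JSON.stringify({
    type: "block_actions", user: { id: "U0DBA" },
    actions: [{ action_id: "approve", value: "projects/sample/issues/101" }],
  }) }).toString();
  const timestamp = "1700000000";
  const signature = "v0=" + createHmac("sha256", SAMPLE_SECRET)
    .update(`v0:${timestamp}:${body}`).digest("hex");
  return { body, timestamp, signature };
}
```

In a real route, `nowSeconds` is the current time, the secret is the app's Signing Secret read from the environment, and the returned `Decision` is what gets translated into the Bytebase API call.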
Conclusion
In this tutorial, you learned how to set up JIT access via Slack with the help of Bytebase webhooks and APIs. In the next part, we will cover how to request JIT access via Slack.