DevOps and engineering teams are increasingly moving their operations, system management, and CI/CD workflows to chat applications to streamline activities in chat channels and improve team collaboration. AWS customers have used the AWS Chatbot to monitor and retrieve diagnostic information. After receiving the information in the Slack channel, AWS customers had to switch to the AWS Console or AWS Command Line Interface (CLI) to remediate the incidents and configure their AWS environments. Without a secure integrated ChatOps experience, managing AWS environments and resolving issues require context-switching to other tools, correlating data from various sources, and continuously sharing progress in the chatroom, which leads to communication overhead and long task-completion cycles.

At re:Invent 2021, AWS Chatbot announced the public preview of a new feature that lets you use AWS Chatbot to manage AWS resources and remediate issues in AWS environments by running AWS CLI commands from Slack channels. Previously, you could only monitor AWS resources and retrieve diagnostic information using AWS Chatbot. Now, customers can manage AWS resources directly from their Slack channels with this feature. This means customers can monitor, operate, and troubleshoot AWS environments from Slack channels without switching context between Slack and other AWS Management Tools. Customers can securely run AWS CLI commands to scale Amazon Elastic Compute Cloud (EC2) instances, run AWS Systems Manager runbooks, and change AWS Lambda concurrency limits. Additionally, you can configure channel permissions to match your security and compliance needs by choosing role types, modifying account-level settings, and using guardrail policies.

How it works

In this post, I will show you AWS Chatbot configuration steps and share sample DevOps use cases to configure your AWS resources using AWS CLI commands from Slack channels.

As part of this post, you will perform the following tasks:

  1. Configure AWS Chatbot to run AWS CLI commands in a Slack channel
  2. Select a user role from the Slack channel
  3. View Amazon CloudWatch Alarms
  4. Update AWS Kinesis shards count
  5. Increase AWS Lambda concurrency limits
  6. Run an AWS Systems Manager runbook to restart an Amazon EC2 instance

Task 1. Configure AWS Chatbot to run AWS commands in a Slack channel

  1. To configure a Slack channel in an existing Slack workspace configuration, select the desired Slack workspace from the left navigation bar in the AWS Chatbot console’s home page. Alternatively, to configure a new Slack workspace in AWS Chatbot, choose Slack in the Chat client dropdown, and choose Configure client. The setup wizard redirects you to the Slack OAuth 2.0 page. Select the Slack workspace to configure in the top-right corner, and choose Allow. Your Slack workspace installs the AWS Slack App, and the AWS account that you logged in with is now authorized to communicate with your Slack workspace.

    AWS Chatbot is requesting permission to access the AWS Chatbot Demo Slack workspace.

    Figure 1: AWS Chatbot requests access to Slack workspace

  2. From here, Slack redirects you to the Configure Slack Channel page. Choose “Configure new channel” to create a new Slack channel configuration in the chosen Slack workspace. Select the channel in which you want to run commands. You can either select a public channel from the dropdown list or paste the URL or ID of a private channel. For private Slack channels, find the channel URL by opening the context menu (right-click) on the channel name in the left sidebar in Slack, and choosing Copy link.
  3. After choosing the Slack channel, configure the channel member permissions. AWS Chatbot provides two ways to configure channel member permissions. With a Channel IAM role permission setting, all of the channel members in the channel share the same action permissions. Alternatively, the User roles permission setting requires all of the channel members to choose an IAM role to perform actions. Choose the Channel IAM role or User roles permissions setting based on your security and governance needs and intended channel purpose. Learn more about AWS Chatbot permissions in the AWS Chatbot documentation. Choose the User roles permissions option.

    The AWS Chatbot configuration Permissions section displays options to choose the role settings type. This will define the type of IAM role that AWS Chatbot will assume to perform actions. The “User roles” role setting option is selected. Under Channel guardrails, a dropdown to select the channel guardrail policies is displayed.

    Figure 2: AWS Chatbot configuration permissions

  4. After configuring the role permission settings, choose a Channel guardrails policy. A channel guardrail policy limits the actions that your channel members can take. The actions that channel members are allowed to take are based on the intersection of the guardrails and the IAM user or Channel role permissions. The guardrail policy is applied to both the Channel IAM role and User Roles role settings at runtime.
  5. Finally, if you want to receive notifications from Amazon EventBridge, Amazon CloudWatch alarms, and AWS Budgets in your channels, select an Amazon Simple Notification Service (SNS) topic under SNS topics. As events occur and are published to the SNS topic, AWS Chatbot sends the notifications to the appropriate Slack channels. Choose Save to complete the setup.
  6. In Slack, add the AWS Chatbot app to your workspace by choosing Add apps. Open the Slack channel that you configured in Step 1, and type /invite @aws to invite AWS Chatbot to the channel. Test the connectivity by typing @aws help.
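
The intersection rule from step 4, worked through as an added example that is not part of the original post: a simplified Python model that checks the IAM actions behind the commands in Tasks 3 to 6 against both a user role and a channel guardrail. The two policies and all function names are constructed for illustration, and only Action matching is modelled (Resource and Condition elements are ignored).

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from the original post).
# Role the Slack user selected in Task 2: broad, as operator roles often are.
USER_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:*", "kinesis:*", "lambda:*",
                                   "ssm:*", "ec2:*", "iam:*"], "Resource": "*"},
]}
# Channel guardrail from Task 1, step 4: only what this channel should do.
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:Describe*",
                                   "kinesis:UpdateShardCount",
                                   "lambda:PutFunctionConcurrency",
                                   "ssm:StartAutomationExecution"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Action-only evaluation: an explicit Deny wins, else an Allow is needed."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        hit = any(fnmatchcase(action.lower(), pat.lower())
                  for pat in as_list(stmt["Action"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def effective_allow(role_policy, guardrail, action):
    """A channel member may act only if BOTH the role and the guardrail allow it."""
    return policy_allows(role_policy, action) and policy_allows(guardrail, action)

# Actions behind the commands in Tasks 3-6, plus two the channel should not reach.
ACTIONS = ["cloudwatch:DescribeAlarms", "kinesis:UpdateShardCount",
           "lambda:PutFunctionConcurrency", "ssm:StartAutomationExecution",
           "lambda:DeleteFunction", "iam:CreateUser"]

def report():
    return {a: effective_allow(USER_ROLE_POLICY, GUARDRAIL_POLICY, a) for a in ACTIONS}

if __name__ == "__main__":
    for action, ok in report().items():
        print(f"{'ALLOW' if ok else 'DENY '} {action}")
```

The role on its own permits lambda:DeleteFunction and iam:CreateUser, but neither survives the intersection, so a broad user role selected in Slack is still confined to what the channel guardrail lists.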

Task 2. Select a user role from the Slack channel

Channel members must select an IAM role to run commands for the channel configuration with user roles-based AWS Chatbot configuration permissions configured in Task 1. To choose or switch a user role at any time, type @aws switch-roles in the Slack channel. The AWS Chatbot prompts you to select an IAM role. Select the configured AWS account link and navigate to the console to choose an IAM role.

The Slack interaction for switching a role for a user is displayed. AWS Chatbot is requesting the user to select a link to select an IAM role for the configured AWS account.

Figure 3: Slack interaction to switch a user role.

The AWS Chatbot console page is requesting the user to select an IAM user role. The Slack identity of the Slack user who is initiating the user role selection is also displayed.

Figure 4: AWS Chatbot user role selection.

On the Edit user role page, select a role from the Existing roles dropdown, and choose Save. From here, Slack redirects you to the Slack OAuth 2.0 page. In the top-right corner, choose the Slack workspace from which the Slack user is switching roles, and then choose Agree. From here, Slack redirects you back to the User role selection confirmation page. Once an IAM role is associated with the Slack user, AWS Chatbot assumes the Slack user’s selected IAM role to run AWS CLI commands.

Task 3. View Amazon CloudWatch Alarms

You can use AWS Chatbot to retrieve diagnostic information. Moreover, you can run AWS CLI commands to retrieve details of all of the CloudWatch alarms in your account.

Type @aws describe cw alarms in us-west-1 to see all of the alarms in the US West (N. California) Region. AWS Chatbot will understand your input, map it to matching AWS CLI commands, and ask for a confirmation.

AWS Chatbot is recommending AWS CLI commands based on the user input. A “Run command” button is displayed next to each AWS CLI command recommendation. The top matching recommendation says, “cloudwatch describe-alarms --region us-west-1: Retrieves the specified alarms.”

Figure 5: AWS CLI recommendations for user input in AWS Chatbot

After you choose the Run Command button next to the CLI command recommendation cloudwatch describe-alarms --region us-west-1, AWS Chatbot will run the command and return the command results with CloudWatch alarms details, along with images of the metric trend. AWS Chatbot will also provide an option to refine the AWS CLI command results by prompting you to rerun the AWS CLI command with optional parameters.

AWS Chatbot runs the AWS CLI command and displays the details of two Amazon CloudWatch alarms. The alarm details also show the metric trend graphs.

Figure 6: Amazon CloudWatch alarm details retrieved using AWS CLI command in AWS Chatbot

Task 4. Update AWS Kinesis shards count

To update the number of shards for an Amazon Kinesis stream, type the following:

@aws kinesis update-shard-count --stream-name yourstreamname --scaling-type UNIFORM_SCALING --target-shard-count 6

AWS Chatbot will run the AWS CLI command and show the output of the AWS CLI command.

AWS Chatbot runs the AWS CLI command to update the AWS Kinesis shards count and displays the command output.

Figure 7: Update AWS Kinesis shard count using AWS CLI command in AWS Chatbot

Task 5. Increase AWS Lambda concurrency limits

You can use AWS Chatbot to change the AWS Lambda function’s maximum simultaneous execution capacity limit.

Example 1: If you know the exact syntax of the AWS CLI function name, then you can type an AWS CLI command such as the following:

@aws lambda put-function-concurrency --function-name BananaOrderProcessor --reserved-concurrent-executions 10

AWS Chatbot will run the AWS CLI command and show the output of the AWS CLI command.

Example 2: If you don’t remember the exact syntax or names of the command parameters, then AWS Chatbot will help you complete the AWS CLI command. Type the following:

@aws lambda set concurrency functionname BananaOrderProcessor

Then, AWS Chatbot will show the matching AWS CLI commands. Choose the Run Command button next to the lambda put-function-concurrency --function-name BananaOrderProcessor option.

AWS Chatbot is recommending AWS CLI commands based on the user input. A “Run command” button is displayed next to each AWS CLI command recommendation. The top matching recommendation says, “lambda put-function-concurrency --function-name BananaOrderProcessor : Sets the maximum number of simultaneous executions for a function and reserves capacity for that concurrency level.”

Figure 8: AWS CLI recommendations for user input in AWS Chatbot

Then, AWS Chatbot will guide you with all of the required parameters. When prompted for the reserved-concurrent-executions parameter, type @aws 10 as the input value. The following example shows the sample interaction and the command output on the execution of the AWS CLI command.

AWS Chatbot is prompting for a value for the reserved-concurrent-executions parameter, which is a required parameter to run the command lambda put-function-concurrency. The user provides a value by typing @aws 10. AWS Chatbot runs the command and displays the output.

Figure 9: AWS Chatbot guides AWS CLI command completion 

Task 6. Run an AWS Systems Manager runbook to restart an Amazon EC2 instance

You can also run AWS Systems Manager runbooks to configure your AWS workloads.

Example 1: To run a Systems Manager automation runbook to restart an Amazon EC2 instance, type the following:

@aws ssm start-automation-execution --document-name AWS-RestartEC2Instance --parameters {"InstanceId": ["i-05fc4a9c3b78fb0a1"]} --region us-west-1

This Slack interaction shows an example of running an AWS Systems Manager automation runbook with an AWS CLI command.

Figure 10: Run AWS Systems Manager runbooks in AWS Chatbot

Example 2: Alternatively, you can let AWS Chatbot guide you through an automation runbook execution. Type @aws ssm start automation execution to start a guided walkthrough of running an automation runbook. Choose the Run Command button next to the ssm start-automation-execution command recommendation. When prompted for the document-name parameter, select automation runbook AWS-RestartEC2Instance from the document-name dropdown.

AWS Chatbot is recommending AWS CLI commands based on the user input. A “Run command” button is displayed next to each AWS CLI command recommendation. The top matching recommendation says, “ssm start-automation-execution: Initiates execution of an automation runbook.”

Figure 11: AWS CLI recommendations for user input in AWS Chatbot

This Slack interaction shows an example of requesting and prompting automation document name. The document-name drop-down shows a list of runbooks.

Figure 12: Automation document selection in AWS Chatbot

Then, AWS Chatbot will prompt you for document parameters. Type @aws parameters {"InstanceId": ["i-04d231f25c18592ea"]}, and then choose the Run command button when prompted.

This Slack interaction shows an example of a guided walkthrough of capturing automation document parameters. The complete AWS CLI command with user-provided parameters is displayed.

Figure 13: Guided walkthrough of capturing automation document parameters in AWS Chatbot

AWS Chatbot will execute the automation runbook and provide notification updates in the channel as the automation runbook progresses.

The Slack notifications show the output of automation runbook steps as the runbook execution progresses.

Figure 14: Slack notifications show output of automation document execution progress in AWS Chatbot

Conclusion

With the feature to safely manage AWS resources directly from the Slack channels, DevOps teams can operate AWS resources and remediate production issues from Slack channels without switching context between Slack and other AWS Management Tools. This lets DevOps teams use chat channels as the primary means of collaboration when monitoring events, analyzing incidents, and operating AWS workloads.

In this post, I walked you through the steps to set up an AWS Chatbot configuration and securely run AWS CLI commands to configure AWS resources from Slack.

Got any ideas to improve AWS Chatbot? You can send your comments to the AWS Chatbot team by typing @aws feedback <your comments> in your Slack channel.

About the authors

Abhijit Barde

Abhijit Barde is the Principal Product Manager for AWS Chatbot, where he focuses on making it easy for all AWS users to discover, monitor, and interact with AWS resources using conversational interfaces.

Hayden Lawler

Hayden Lawler is a Software Development Engineer with AWS Chatbot. He has keen interests in providing simple and safe user experiences for AWS customers and expanding the capabilities of ChatOps via AWS Chatbot.

Jack Meyer

Jack Meyer is a Software Development Engineer on the AWS Chatbot team. He particularly enjoys the startup culture on the team: building new functionalities and enhancing the customer experience on the frontier of ChatOps.