This quick start provides a walkthrough of the steps needed to automate new account creation in Rubrik Polaris with Slack and AWS Lambda.
Rubrik’s API-first architecture allows for integration with a wide array of tools. Slack has gained popularity among companies embracing DevOps practices such as ChatOps for similar reasons. Using AWS Lambda as the glue, we can provide a simple way to provision new accounts in Rubrik Polaris via Slack. Amazon describes Lambda as a way to “run code without thinking about servers”, and we will use it to run Python code which interacts with Rubrik Polaris.
- Access to all required AWS services with proper IAM permissions
- AWS CLI Tool installed and configured
- Admin access to Slack
- Admin access to Rubrik Polaris
- A user requests a new Rubrik Polaris account via a Slack slash command. Slack POSTs the command payload (verification token, user ID, the command text containing the account information, and a response URL) to an Amazon API Gateway endpoint.
- API Gateway passes the request to a Lambda function as a JSON event.
- Lambda checks the verification token, publishes the request to SNS, and immediately returns an HTTP 200 (Success) code to Slack to prevent a timeout.
- A second AWS Lambda function, triggered by SNS, requests the new Polaris account via the REST API.
- Polaris responds once the new account is created.
- AWS Lambda notifies the requesting user in Slack that the account is created.
We will begin by configuring a new application in Slack, along with a corresponding ‘Slash Command’ to trigger account creation. Slack will pass the account information and other metadata to AWS Lambda via an Amazon API Gateway. Slack requires that API responses are returned within three seconds, but the Polaris account creation workflow may take slightly longer. To avoid timeout errors, we will use two different Lambda functions along with Amazon SNS as a data transport. Once AWS Lambda creates a new account in Rubrik Polaris, a notification will be sent back to Slack. Code for the Lambda functions is available in this GitHub repo.
Creating new applications in Slack and configuring slash commands is a complex topic, and it is helpful to review the provided documentation:
Once you are ready to begin configuration, browse to Your Apps in the Slack API configuration page and click Create New App.
Specify an App Name, choose your Slack Workspace, and click Create App. You will be taken to the ‘Basic Information’ screen for your new application. Scroll down to find the Verification Token, and copy the value to a text editor or other scratch space. You will submit this value to AWS KMS to be encrypted in a later step. The encrypted token will be used during the AWS Lambda function setup.
Scroll down to the Display Information section and provide a description, background color, and an icon if desired. There is a logo image available here. Once complete, click Save Changes.
IAM is used to control access to resources within AWS. Two new IAM policies will be created, and along with an AWS managed policy, they will be attached to a new IAM role. The first new policy will allow the Lambda functions to decrypt KMS encrypted data. Within the AWS console, browse to IAM, click Policies, then Create policy. On the ‘Create policy’ page, click the JSON tab and paste in the JSON below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "*"
}
]
}
Click Review policy, and provide a name for the policy. In this example, we’ll use AWSLambdaKMSExecutionRole. Click Create Policy, then repeat this process to create an additional policy, using the JSON below. This second policy will allow Lambda to publish data to SNS, which is configured in the next section. For our example we will name this second policy AWSLambdaSNSPublishPolicyExecutionRole.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:*:*:*"
}
]
}
After creating new IAM policies, click Roles, then Create role. Click Lambda, then Next: Permissions.
On the create role screen, you will search existing policies to attach to the new role. One of these, AWSLambdaBasicExecutionRole, is an AWS managed policy; the other two were created in the previous step. If you used different names for the policies you created, search for those instead. Search for each of these and check the box beside the matching policy in the search results:
- AWSLambdaBasicExecutionRole
- AWSLambdaKMSExecutionRole
- AWSLambdaSNSPublishPolicyExecutionRole
Once you’ve found and checked the box for each policy, click Next: Tags. No tags are needed, so click Next: Review, and provide a name for this new Role. For this example we’ll name the role PolarisCreateUser. Double check the policies listed to verify they’re correct, and click Create role.
IAM supports granular permissions, and many organizations have strict requirements for their security policies. The permissions and roles here are provided as an example, but stricter policies can be used if needed. For example, the kms:Decrypt statement can name the ARN of the key created in the next section instead of "*", and sns:Publish can be limited to the ARN of the one topic the Lambda function publishes to. Be sure to have your security team approve new IAM policies in accordance with company policy.
Before configuring Lambda, you will need to encrypt the Verification Token from your Slack App, and your Rubrik Polaris password.
These steps assume you have no existing customer managed keys in KMS, but you can use an existing key as well. Browse to Key Management Service in your AWS console, click Customer managed keys, then Create key.
Add an alias and description, and click Next. For this example, we’ll use the alias PolarisCreateUser. Click Next on the ‘Add tags’ screen. On the Define key administrative permissions screen, select any users that will serve as administrators or maintainers for this workflow and click Next. On the Define key usage permissions screen, search for the role you created in IAM in the previous section (e.g. PolarisCreateUser). Finally, review the resulting key policy and click Finish. Your new customer managed key will be listed, along with a key ID. This ID will be used to encrypt your Slack verification token and your Polaris password.
We will use the AWS CLI tool to encrypt two values with KMS. If you have not already installed and configured the AWS CLI tool, complete those steps before continuing. Use the following command to encrypt your Slack verification token, then your Polaris password. Replace the text surrounded by brackets with the information for your environment. The command returns the ciphertext as a long base64 string. Save the encrypted data in a text editor or other scratch space; it will be pasted into the Lambda environment variables later.
aws kms encrypt --key-id [KMS Key ID] --plaintext "[token/password]" --output text --query CiphertextBlob
With AWS CLI version 2, binary parameters such as --plaintext are expected to be base64 by default; add --cli-binary-format raw-in-base64-out to pass the raw token or password as shown, or supply the value from a file with --plaintext fileb://token.txt. Either way the plaintext ends up in your shell history unless you clear it.
The screenshot below demonstrates this process.
Amazon SNS provides a way to pass data between the two Lambda functions we will configure. An SNS topic will need to be created before configuring Lambda. Within the AWS console, browse to Simple Notification Service, then click Topics, and Create new topic. Provide a topic name and press Create Topic. The new topic will be displayed in the AWS console, along with an Amazon Resource Name (ARN). An ARN is similar to a Fully Qualified Domain Name. It specifies a unique resource in AWS. The ARN created for your SNS topic will be referenced while configuring Lambda, so save it in a text editor or other scratch space.
Two different Lambda functions will be created, based on code in this GitHub repo.
Within the AWS console, browse to Lambda, then click Functions, then click Create Function. On the Create function page, use values below, then click Create function.
- Name: polaris_new_user_slack_response
- Runtime: Python 2.7
- Role: Choose an existing role
- Existing role: PolarisCreateUser (or the name of your IAM role, if you chose a different name)
You will be taken to your new Lambda function. Within the code editor, erase the sample code and paste the contents of slack_response.py.
Scroll down to Environment variables and create the following variables.
| Variable Name | Value |
|---|---|
| email_domain | Domain name users will be associated with (e.g. yourcompany.com) |
| kms_encrypted_token | Your encrypted Slack verification token |
| polaris_password | Your encrypted Rubrik Polaris password |
| polaris_url | URL of your Polaris dashboard, excluding ‘https://’ |
| polaris_username | Your Polaris username |
| sns_arn | ARN of your SNS topic |
Click File → Save in the code editor, then click the Save button in the top right corner. In the Designer widget, click API Gateway in the ‘Add triggers’ list. This will bring up the Configure triggers widget. In the ‘API’ dropdown, choose Create a new API, and under Security choose Open, then click Add. Click the Save button in the top right corner. Note the new API endpoint displayed in the API Gateway widget. This endpoint address will be used to configure your Slack slash command. Save the endpoint address in a text editor or other scratch space. Because the endpoint is Open, anyone who learns the address can POST to it; the verification token check inside the function is what rejects requests that did not come from your Slack app, so do not remove it or log the token.
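As an added example (not the repo’s slack_response.py), the Python 3 module below shows what the Slack Response function has to do with the environment variables above: decrypt the ciphertext produced by aws kms encrypt, parse the form-encoded slash-command body that API Gateway hands it, compare the verification token in constant time, check that the requested address is under email_domain, publish the request to the SNS topic, and answer Slack at once. The function names, the sample event and the sample config are this example’s own. The Python 2.7 Lambda runtime named in the setup has since been retired, so a current Python 3 runtime is assumed; boto3 is only imported inside the functions that need it. Slack now recommends a signing secret over the verification token, so verify_slack_signature is included as the drop-in replacement for the token comparison.

```python
"""Slack Response Lambda (added example, not the repo's slack_response.py): validate
the slash-command request, hand the work to SNS, and answer Slack within 3 seconds."""
import base64
import hashlib
import hmac
import json
import os
import re
import time
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+)$")


def decrypt_kms_b64(ciphertext_b64):
    """Decrypt a value produced by `aws kms encrypt --output text --query CiphertextBlob`;
    boto3 is imported lazily so the rest of the module also runs outside Lambda."""
    import boto3
    blob = base64.b64decode(ciphertext_b64)
    return boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")


def parse_slash_command(event):
    """Slack posts slash commands as application/x-www-form-urlencoded; with the API
    Gateway proxy integration the raw body arrives as the string event['body']."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    return {k: v[0] for k, v in parse_qs(body).items()}


def slack_signature(signing_secret, timestamp, body):
    """Signature Slack computes for apps that use a signing secret."""
    base = "v0:{}:{}".format(timestamp, body).encode("utf-8")
    return "v0=" + hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256).hexdigest()


def verify_slack_signature(headers, body, signing_secret, now=None):
    """Drop-in replacement for the verification-token check: rejects requests whose
    timestamp is more than five minutes off (replay) and compares the HMAC in constant time."""
    h = {k.lower(): v for k, v in headers.items()}
    ts = h.get("x-slack-request-timestamp", "")
    if not ts.isdigit() or abs((now if now is not None else time.time()) - int(ts)) > 300:
        return False
    expected = slack_signature(signing_secret, ts, body)
    return hmac.compare_digest(expected.encode(), h.get("x-slack-signature", "").encode())


def slack_reply(text, status=200):
    """Proxy-integration response; an ephemeral message is shown only to the requester."""
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"response_type": "ephemeral", "text": text})}


def handle_request(event, config, publish):
    """config holds already-decrypted settings; publish(topic_arn, message_dict) is
    injected so the flow can be exercised without SNS."""
    params = parse_slash_command(event)
    # The API Gateway endpoint is Open, so this constant-time comparison is the
    # only thing authenticating the caller.
    if not hmac.compare_digest(params.get("token", "").encode(), config["slack_token"].encode()):
        return slack_reply("invalid verification token", status=401)
    email = params.get("text", "").strip().lower()
    m = EMAIL_RE.match(email)
    # Reject anything outside the company domain before it reaches SNS or Polaris.
    if not m or m.group(1) != config["email_domain"].lower():
        return slack_reply("Usage: /polaris firstname.lastname@" + config["email_domain"])
    publish(config["sns_arn"], {
        "email": email,
        "requested_by": params.get("user_id", ""),
        "response_url": params.get("response_url", ""),
    })
    return slack_reply("Creating Polaris account for {}; you will be notified when it is ready.".format(email))


def lambda_handler(event, context):
    """Entry point wired to the API Gateway trigger, reading the environment variables above."""
    import boto3
    config = {
        "email_domain": os.environ["email_domain"],
        "slack_token": decrypt_kms_b64(os.environ["kms_encrypted_token"]),
        "sns_arn": os.environ["sns_arn"],
    }
    sns = boto3.client("sns")
    return handle_request(event, config,
                          lambda arn, msg: sns.publish(TopicArn=arn, Message=json.dumps(msg)))


# Constructed sample: what API Gateway hands the function for "/polaris jane.doe@yourcompany.com".
SAMPLE_EVENT = {
    "body": ("token=s3cr3t&team_id=T0001&user_id=U12345&command=%2Fpolaris"
             "&text=jane.doe%40yourcompany.com"
             "&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT0001%2F1%2Fabc"),
    "isBase64Encoded": False,
}
SAMPLE_CONFIG = {"email_domain": "yourcompany.com", "slack_token": "s3cr3t",
                 "sns_arn": "arn:aws:sns:us-east-1:123456789012:PolarisCreateUser"}
```

The worker only ever sees what handle_request publishes, so the domain check here is the place to stop requests for addresses outside your company before any Polaris API call is made. Calling handle_request(SAMPLE_EVENT, SAMPLE_CONFIG, print) locally shows the message that would reach SNS and the 200 reply Slack receives.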
After completing setup for the Slack Response function, return to the Functions page, then click Create Function. On the Create function page, use values below, then click Create function.
- Name: polaris_worker_function
- Runtime: Python 2.7
- Role: Choose an existing role
- Existing role: PolarisCreateUser (or the name of your IAM role, if you chose a different name)
You will be taken to your new Lambda function. Within the code editor, erase the sample code and paste the contents of worker_function.py. Click File → Save in the code editor, then click the Save button in the top right corner. In the Designer widget, click SNS in the Add triggers list. This will bring up the Configure triggers widget. Choose the SNS topic that you created previously, click Add, then click Save.
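The counterpart for the Worker function, again as an added example rather than the repo’s worker_function.py: it unpacks the SNS records, runs the account creation, and reports the outcome to the requester through the response_url Slack supplied with the command. The Polaris REST call is passed in as create_account rather than reproduced, because its endpoint and payload are specific to the repo code; process_records, is_slack_response_url and the sample SNS event are this example’s own names. Since the response URL has crossed SNS, the example re-checks that it points at hooks.slack.com before posting to it, and it reports failures to the user instead of dropping them.

```python
"""Worker Lambda (added example, not the repo's worker_function.py): consume the SNS
message from the Slack Response function, create the account, report back via Slack."""
import json
import urllib.request
from urllib.parse import urlparse


def parse_sns_event(event):
    """Each SNS record delivers the publisher's string verbatim in Sns.Message."""
    return [json.loads(r["Sns"]["Message"]) for r in event.get("Records", [])]


def is_slack_response_url(url):
    """Only ever POST results to Slack; the URL crossed SNS, so re-check it before use."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == "hooks.slack.com" and p.path.startswith("/commands/")


def post_to_slack(response_url, text, opener=urllib.request.urlopen):
    """Slack accepts a JSON message at response_url for up to 30 minutes after the command;
    opener is injectable so the function can be exercised without network access."""
    if not is_slack_response_url(response_url):
        raise ValueError("refusing to post to non-Slack URL: " + response_url)
    req = urllib.request.Request(
        response_url,
        data=json.dumps({"response_type": "ephemeral", "text": text}).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return resp.status


def process_records(event, create_account, notify):
    """create_account(email) performs the Polaris call and raises on failure;
    notify(response_url, text) sends the outcome to the requester.  Returns
    (email, created, message) per record so the result is also visible in CloudWatch."""
    outcome = []
    for msg in parse_sns_event(event):
        email, url = msg.get("email", ""), msg.get("response_url", "")
        try:
            create_account(email)
            text = "Polaris account created for {}.".format(email)
            outcome.append((email, True, text))
        except Exception as exc:  # report instead of silently dropping the request
            text = "Polaris account creation failed for {}: {}".format(email, exc)
            outcome.append((email, False, text))
        notify(url, text)
    return outcome


# Constructed sample: an SNS delivery of two requests, in the shape Lambda receives it.
SAMPLE_EVENT = {"Records": [
    {"Sns": {"Message": json.dumps({"email": "jane.doe@yourcompany.com", "requested_by": "U12345",
                                    "response_url": "https://hooks.slack.com/commands/T0001/1/abc"})}},
    {"Sns": {"Message": json.dumps({"email": "john.roe@yourcompany.com", "requested_by": "U67890",
                                    "response_url": "https://hooks.slack.com/commands/T0001/2/def"})}},
]}
```

In the deployed function, lambda_handler(event, context) would return process_records(event, create_account, post_to_slack) with create_account being the Polaris call from the repo, reading polaris_url, polaris_username and the KMS-decrypted polaris_password from the environment variables configured above.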
Return to the configuration page for your Slack App and click Slash Commands, then Create New Command.
Provide values for the slash command, using the API endpoint address configured in the Lambda Slack Response Function as the Request URL, and click Save.
Click on Install App in the left hand menu, then click Install App to Workspace. When prompted, click Authorize to finalize installation of the application.
You can use your new slash command anywhere within your Slack workspace. Simply type
/polaris firstname.lastname@yourcompany.com
The app will notify you once the account is created, or if an error occurs. Below is an example of the response after creating a new account.
The first troubleshooting step is to review your configuration to make sure there are no errors. Pay special attention to Lambda environment variables and parameters configured in Slack to verify no mistakes were made. If you continue to encounter errors, try these steps:
- Check logs in Amazon CloudWatch. Any errors encountered by Lambda functions should show up in the logs.
- Subscribe to your SNS topic via email. This will provide visibility into the values passed between the two Lambda functions. Within the AWS console, browse to SNS and click Create a subscription. Paste in the ARN of the SNS topic, change the protocol to Email, and provide your email address as an endpoint. You will receive an email verification message, which you will have to accept before AWS will activate the subscription. The next time you run the Slack slash command, you will receive an email with the variables passed between the Slack Response Lambda function and the Worker Lambda function. Verify that the variables match their expected values.
- Check the audit log in Polaris. Account creation events and related errors will be displayed in the log.