The main README is here: Slack gateway for Amazon Q, your business expert (preview)
This Developer README describes how to build the project from the source code - for developer types. You can:
To deploy or to publish, you need to have the following packages installed on your computer:
- bash shell (Linux, MacOS, Windows-WSL)
- node and npm: https://docs.npmjs.com/downloading-and-installing-node-js-and-npm
- tsc (typescript):
npm install -g typescript - esbuild:
npm i -g esbuild - jq: https://jqlang.github.io/jq/download/
- aws (AWS CLI): https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- cdk (AWS CDK): https://docs.aws.amazon.com/cdk/v2/guide/cli.html
Copy the GitHub repo to your computer. Either:
- use the git command: git clone https://github.com/aws-samples/amazon-q-slack-gateway.git
- OR, download and expand the ZIP file from the GitHub page: https://github.com/aws-samples/amazon-q-slack-gateway/archive/refs/heads/main.zip
-
You need to have an AWS account and an IAM Role/User with permissions to create and manage the necessary resources and components for this application. (If you do not have an AWS account, please see How do I create and activate a new Amazon Web Services account?)
-
You need to have an Okta Workforce Identity Cloud account. If you haven't signed up yet, see Signing up for Okta
-
You need to configure SAML and SCIM with Okta and IAM Identity Center. If you haven't configured, see Configuring SAML and SCIM with Okta and IAM Identity Center
-
You also need to have an existing, working Amazon Q Business application integrated with IdC. If you haven't set one up yet, see Creating an Amazon Q application
-
You need to have users subscribed to your Amazon Q Business application, and are able to access Amazon Q Web Experience. If you haven't set one up yet, see Subscribing users to an Amazon Q application
Create the client as a 'Web app'. You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like https://example.com, for the redirect URI, as you will update this later (in step 3).
Verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. See Verify that the Interaction Code grant type is enabled. Verify that "Interaction Code" is enabled for your "Authorization Server". See Enable Interaction Code grant for your authorization server
Create trusted token issuer to trust tokens from OIDC issuer URL using these instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html. Or you can run the below script.
For the script, you need to have the OIDC issuer URL and the AWS region in which you have your AWS IAM Identity Center instance deployed. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement.
The script will output trusted token issuer ARN which you will use in the next step.
export AWS_DEFAULT_REGION=<>
OIDC_ISSUER_URL=<>
AWS_IDC_REGION=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION
Create customer managed IdC application by running below script.
For the script, you need to have the OIDC client ID, trusted token issuer ARN, and the region in which you have your Q business application. To retrieve the OIDC client ID, go to Okta account console, click the left hamburger menu and open Applications > Applications and click on the application you created in step 1.1. Copy the 'Client ID'. For TTI_ARN, you can use the output from the previous step.
The script will output the IdC application ARN which you will use in the next step.
export AWS_DEFAULT_REGION=<>
OIDC_CLIENT_ID=<>
TTI_ARN=<>
AWS_IDC_REGION=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION
Before starting, you need to have an existing, working Amazon Q Business application. If you haven't set one up yet, see Creating an Amazon Q application
Navigate into the project root directory and, in a bash shell, run:
./init.sh- checks your system dependendencies for required packages (see Dependencies above), sets up your environment file, and bootstraps your cdk environment../deploy.sh- runs the cdk build and deploys or updates a stack in your AWS account, creates a slack app manifest file, and outputs a link to the AWS Secrets Manager secret that you will need below.
Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in CloudFormation stack for OIDCCallbackEndpointExportedName.
Now you can create your new app in Slack!
NOTE: If you have deployed the Slack data source connector for Amazon Q you may already have an existing Slack app installed. Do not attempt to modify that data source connector app - create a new app instead.
- Create a Slack app: https://api.slack.com/apps from the generated manifest - copy / paste from the stack output:
SlackAppManifest. - Go to
App Home, scroll down to the sectionShow Tabsand enableMessage Tabthen check the boxAllow users to send Slash commands and messages from the messages tab- This is a required step to enable your user to send messages to your app
Let's now add your app into your workspace, this is required to generate the Bot User OAuth Token value that will be needed in the next step
- Go to OAuth & Permissions (in api.slack.com) and click
Install to Workspace, this will generate the OAuth token - In Slack, go to your workspace
- Click on your workspace name > Tools and settings > Manage apps
- Click on your newly created app
- In the right pane, click on "Open in App Directory"
- Click "Open in Slack"
4.3.1 Configure your Slack secrets in order to (1) verify the signature of each request, (2) post on behalf of your bot
IMPORTANT In this example we are not enabling Slack token rotation. Enable it for a production app by implementing rotation via AWS Secrets Manager. Please create an issue (or, better yet, a pull request!) in this repo if you want this feature added to a future version.
-
Login to your AWS console
-
In your AWS account go to Secret manager, using the URL shown in the stack output:
SlackSecretConsoleUrl. -
Choose
Retrieve secret value -
Choose
Edit -
Replace the value of
Signing Secret* andBot User OAuth Token, you will find those values in the Slack application configuration underBasic InformationandOAuth & Permissions. *(Pro tip: Be careful you don't accidentally copy 'Client Secret' (wrong) instead of 'Signing Secret' (right)!) -
Update OIDC Client Redirect URL.
- Login to your AWS console
- In your AWS account go to Secret manager, using the URL shown in the stack output:
OIDCClientSecretConsoleUrl. - Choose
Retrieve secret value - Choose
Edit - Replace the value of
OidcClientSecret, you will find those values in the IdP app client configuration.
Time to say Hi!
- Go to Slack
- Under Apps > Manage, add your new Amazon Q app
- Optionally add your app to team channels
- In the app DM channel, say Hello. In a team channel, ask it for help with an @mention.
- You'll be prompted to Sign In with your Okta credentials to authenticate with Amazon Q. Click the button to sign in.
- You'll be redirected to browser to sign in with Okta. Once you sign in, you can close the browser window and return to Slack.
- You're now authenticated and can start asking questions!
- Enjoy.
In our main README, you will see that we provided Easy Deploy Buttons to launch a stack using pre-built templates that we published already to an S3 bucket.
If you want to build and publish your own template, to your own S3 bucket, so that others can easily use a similar easy button approach to deploy a stack, using your templates, here's how.
Navigate into the project root directory and, in a bash shell, run:
./publish.sh <cfn_bucket_basename> <cfn_prefix> <us-east-1 | us-west-2>.
This:- checks your system dependendencies for required packages (see Dependencies above)
- bootstraps your cdk environment if needed
- creates a standalone CloudFormation template (that doesn't depend on CDK)
- publishes the template and required assets to an S3 bucket in your account called
cfn_bucket_basename-region(it creates the bucket if it doesn't already exist) - optionally add a final parameter
publicif you want to make the templates public. Note: your bucket and account must be configured not to Block Public Access using new ACLs.
That's it! There's just one step.
When completed, it displays the CloudFormation templates S3 URLs and 1-click URLs for launching the stack creation in CloudFormation console, e.g.:
OUTPUTS
Template URL: https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json
CF Launch URL: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json&stackName=AMAZON-Q-SLACK-GATEWAY
Done
Follow the deployment directions in the main README, but use your own CF Launch URL instead of our pre-built templates (Launch Stack buttons).
We welcome your contributions to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.
See CONTRIBUTING for more information.
See Security issue notifications for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.