PrivMan Slack Approval Bot

Approve or deny Privilege Manager elevation requests directly from Slack

Slack API | Python | Slack Bolt | AWS Fargate | Privilege Manager | Socket Mode

Architecture

    Delinea Privilege Manager
            ^
            |  REST API (poll, approve, deny)
            v
    Slack Bot (Python / Slack Bolt)      runs on AWS ECS Fargate
      |-- ApprovalPoller      polls every 30s, posts messages proactively
      |-- Action Handlers     handles button clicks (approve/deny)
            ^
            |  Socket Mode (WebSocket -- no public URL needed)
            v
    Slack Workspace
      Block Kit messages with inline approve/deny actions

Features

  • Inline approve/deny -- everything happens right in the Slack message via Block Kit interactive buttons
  • Duration picker -- choose One Time, 15 min, 30 min, 1 hour, or other durations for each approval
  • Message replacement -- after an action, the original message updates in-place to show "Approved by X" or "Denied by X"
  • Proactive messaging -- the bot automatically posts new approval cards when requests arrive, no manual trigger needed
  • Socket Mode -- connects via WebSocket, so no public URL or SSL certificate is required; works behind firewalls
  • Persistent state via AWS SSM -- registered channels and auto-approve schedules survive restarts using SSM Parameter Store
  • Scheduled auto-approve -- automatically approve requests outside configurable business hours so end users are never blocked overnight or on weekends
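
Scheduled auto-approve grants elevation with no human in the loop, so the schedule check is the control that matters. The sketch below is an added example, not the project's schedule_store.py code: BusinessHours, is_auto_approve_window and their fields are assumed names, and the check fails closed whenever the schedule or the clock is in doubt.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Hypothetical names throughout; not the project's schedule_store.py.
@dataclass(frozen=True)
class BusinessHours:
    start: time             # local start of the business day, e.g. 09:00
    end: time               # local end of the business day (exclusive)
    workdays: frozenset     # ISO weekdays: Monday=1 ... Sunday=7
    tz: tzinfo              # zone the hours are expressed in
    enabled: bool = False   # auto-approve stays off unless switched on

def is_auto_approve_window(now: datetime, hours: BusinessHours) -> bool:
    """True only when `now` is provably outside business hours.

    Fails closed: a disabled or malformed schedule, or a timestamp with no
    timezone, returns False so the request waits for a human approver.
    """
    if not hours.enabled:
        return False
    if now.tzinfo is None or now.utcoffset() is None:
        return False        # naive timestamp cannot be placed in hours.tz
    if hours.start >= hours.end:
        return False        # empty or inverted day would approve everything
    if not hours.workdays or not hours.workdays <= frozenset(range(1, 8)):
        return False        # no workdays, or values outside 1..7
    local = now.astimezone(hours.tz)
    if local.isoweekday() not in hours.workdays:
        return True         # weekend or other non-working day
    return not (hours.start <= local.time() < hours.end)

if __name__ == "__main__":
    # Constructed sample: 09:00-17:00, Monday-Friday, fixed UTC-5 offset.
    sched = BusinessHours(time(9), time(17), frozenset({1, 2, 3, 4, 5}),
                          timezone(timedelta(hours=-5)), enabled=True)
    for stamp in ("2024-03-04T15:00:00+00:00",   # Monday 10:00 local
                  "2024-03-05T03:00:00+00:00",   # Monday 22:00 local
                  "2024-03-09T17:00:00+00:00"):  # Saturday 12:00 local
        when = datetime.fromisoformat(stamp)
        print(stamp, "auto-approve" if is_auto_approve_window(when, sched)
              else "needs human approval")
```

The poller's clock is usually UTC on Fargate, which is why the timestamp is converted into the schedule's zone before the weekday and hour are compared.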

Tech Stack

Python
Slack Bolt
Socket Mode
AWS ECS Fargate
AWS SSM
CloudWatch
Docker
Privilege Manager API

Project Structure

    privman-api-slack/
      slack_bot/                   # Slack Bolt bot
        app.py                     # Entrypoint, event/action handlers, starts poller
        blocks.py                  # Block Kit message builders
        config.py                  # Environment variable config
        channel_store.py           # Persist registered channel IDs to SSM
        schedule_store.py          # SSM-backed auto-approve schedule
        command_parser.py          # Parse autoapprove chat commands
        poller.py                  # Background polling + proactive message posting
      privman_client/              # PrivMan API client library
        client.py                  # PrivManClient (auth, pending, approve, deny)
        models.py                  # ApprovalRequest dataclass
        exceptions.py              # Custom exceptions
      tests/                       # Unit tests
        test_command_parser.py     # Tests for command parsing and formatting
        test_schedule_store.py     # Tests for should_auto_approve() logic
      Dockerfile                   # Container image for ECS Fargate
      task-definition.json         # ECS Fargate task definition
      requirements.txt             # Python dependencies
      channels.json                # Channel configuration
      manifest.json                # Slack app manifest

Get Started

  1. Create a Slack App

    Go to api.slack.com/apps, create a new app from scratch, and select your workspace.

  2. Enable Socket Mode

    Toggle Socket Mode on and generate an App-Level Token with the connections:write scope. This becomes your SLACK_APP_TOKEN.

  3. Configure Bot Scopes and Events

    Add bot scopes: app_mentions:read, chat:write, im:history, users:read. Subscribe to app_mention and message.im events. Enable Interactivity.

  4. Install and Get Tokens

    Install the app to your workspace and copy the Bot User OAuth Token (SLACK_BOT_TOKEN).

  5. Configure Environment

    Set your Privilege Manager credentials and Slack tokens in .env.

    cp .env.example .env

  6. Run the Bot

    Install dependencies and start the bot locally, or deploy to AWS ECS Fargate for 24/7 operation (~$9/month).

    pip install -r requirements.txt && python -m slack_bot.app

  7. Register a Channel

    Add the bot to a Slack channel and @mention it. The bot responds with a welcome message and starts posting approval cards.