I want to make an http request from bot composer but one thing to pass while making http request needs to be kept a secret. So I want to fetch that value from key vault. Can someone tell how to integrate bot composer with key vault.
I'll assume you are using Azure to run the bot, so I'll answer with that in mind. Otherwise let me know and I can expand the answer.
Take the secret from the settings of the bot. It's just like how you access turn.activity.text, but using settings scope instead of the turn scope. So: settings.apiSecret.
Local Env
Now in development, local environment, you can just put the secret in the settings file.
In Azure
When you deploy to your azure app service, you can use Key Vault References in the Configuration blade. Remember you need to give the app service Secret Get permission to that Key Vault.
This is the easiest way since you don't need to write code to query KeyVault via the API.
From DevOps to Azure
There's a way to get the secret in the pipeline, but I believe this is not something you need in this scenario, you just want to set the variable in the App Service. So in the App Service Deployment task, under Application and Configuration settings -> App Settings: you can add the same thing you'd put in the Configuration blade in the azure portal.
So you can add to the textbox: -apiSecret #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) or click on the button with the elipsis on the right and enter it on the form
Related
I'm trying to deploy my application built on the team toolkit scaffolding for multi-tenant. I created a CDN endpoint and updated my state JSON object to reflect the new front-end endpoint. After provisioning, deploying and making the account setting change to multi-tenant. I uploaded my app to our company tenant and I'm getting the following error in my tab configuration where the user is supposed to be able to log in.
OutOfRangeInputOne of the request inputs is out of range. RequestId:47fca9cc-f01e-004a-7a11-e434e9000000 Time:2022-10-19T23:24:05.3740757Z
Is there any workaround to get a team's toolkit app to be multi-tenant supported? I am trying to get this app validated for the teams store.
You can follow the steps here to enable multi-tenant in Teams Toolkit:
Provision your Tab project.
Open .fx\states\state.{envName}.json and note the value ofdomain under fx-resource-front-hosting.
Create Azure CDN and CDN endpoint and point to frontend storage. Note you need to choose endpoint type as Storage static website when creating your CDN.
Open templates\azure\provision\azureStorageTab.bicep file, and find the following two lines:
output endpoint string = 'https://${siteDomain}'
output domain string = siteDomain
and replace with:
output endpoint string = 'https://sample.azureedge.net'
output domain string = 'sample.azureedge.net'
Open templates/appPackage/aad.manifest.json, find signInAudience and set value as AzureADMultipleOrgs
Open .fx/configs/azure.parameter.${env}.json and find the following line:
"m365TenantId": "{{state.fx-resource-aad-app-for-teams.tenantId}}",
and replace with:
"m365TenantId": "common",
Run Provision and Deploy in your project.
For a custom integration, we are looking an a scenario where we want to save some access keys in private variables during transaction. Currently we are planning on using heroku as platform and node.js as the framework. Now we don't want to store these variables inside either node.js or heroku, as it would still be accessible from outside slack. Do we have any mechanism where we can store such values inside the slack framework and then access them? Using slack user datatable or something similar?
Slack does not have a mechanism to store credentials.
As a workaround you can post the credentials to some private channel and can retrieve it from there. But it is not recommended.
Ideally you should store these credentials to a secure encrypted place.
May be you should use some kind of secure database/cache/cloud vault.
I'm doing research for a new Slack app that will require the admin adding the app to paste an API token and request url for the third-party API which the app will call. I can't find anywhere in the Slack API docs to store these settings on an app-wide basis. Can this be done via environment variables of some type?
Slack Apps don't really store settings like that. You would need to persist them in a data store of your choice, like MySQL, Dynamo etc and access them from your code.
I'm developing a slack app, and I'd like to allow the users who uses my app to customize specific settings, e.g. 3rd-party integration passwords.
How can this be done?
If you app needs to manage custom user settings you need to build that yourself.
UI to show and modify settings
Storage to store settings
You can use any approach for that, e.g. build the UI part within Slack (a Slack Dialog would work nicely) or make an external website.
You need to store state of the user settings someplace. I agree with Erik that you can build the UX within slack.
I don't think Slack has a great way to do store state right now, though I suppose you could create some hacky way of doing it (create a private slack channel for each user with a random name and store state in there).
I'd suggest using either a real database, or a service like Transposit (full disclosure, I work there). With the former, you could use something like Heroku Postgres, and host an API on Heroku. With the latter, you could use the Slack API combined with Dynamodb or some other database.
I have a github page for my organization where I would like to call data from a 3rd party api where I need an auth token. Can I publish this github page without having the auth token displayed on the public repo?
In short, no. If your GitHub repo is public, all its assets are public. You can make the repo private and it will still publish on GitHub Pages if named with the username.github.io convention or if it has a gh-pages branch. While that's an option, that's not necessarily the right thing to do.
If your key is in your GitHub Pages repo, it sounds like it's used for client-side API calls in JavaScript. If so, your auth token is publicly visible whether it's in your public repo or sent in your client-side files to the browser. This is usually fine. The third-party API might have generated the auth token based on your website's domain, and restrict calls using that token to pages originating on your domain. Otherwise, they might require the auth token only for logging requests and monitoring usage.
If the auth token is truly meant to be private, then you may need to write private server-side code to call the third-party API. Your GitHub Pages site could then hit your service for the data it needs. I've had to do that before where the web API had security concerns, but I still needed to retrieve non-sensitive data from the client-side.
In short yes, you can store the auth token in an environment variable and use gitignore on the .env file to hide the auth token in the public repo. Refresh the auth token on the client-side API then push changes to the public repo and redeploy your updates to the gh-pages branch. I've provided an example of this process below.
NOTE
If you committed a password or API key, change it! If you committed a key, generate a new one. Reference general best practices on GitHub.
If using React for your app, SKIP steps 1 and 2 as React already comes pre installed with custom environment variables. Reference Create React App.
The full explanation can be found below:
1. Install dotenv dependency in application root directory (will be using Node.js for this example) Reference npm, run command:
npm install dotenv
2. Add code below to import statements in index.js file.
require('dotenv').config();
3. Create .env file in root directory of app and add auth token as variable. Note when using React you must prepend variable name with REACT_APP_
AUTH_TOKEN=987asc8iks0lenv7
4. Use console.log() on process.env to check if the variable was stored correctly.
console.log(process.env.AUTH_TOKEN);
5. Update all references to auth token in application code.
OLD VARIABLE: const auth_token = '987asc8iks0lenv7';
NEW VARIABLE: const auth_token = process.env.AUTH_TOKEN;
6. Create and add .gitignore file to the root directory of application and add code below to have git ignore the .env file where the auth token is stored.
.env
7. Add, commit and push updates to application master branch on GitHub.
8. To deploy or redeploy updates to gh-pages branch. Use command below.
npm run deploy
The answer of Ashen won't work for this use case. Secrets configured through Github are only available to Github Actions (see documentation), and because of that - in practice - mostly to CI/CD-like applications. Not for e.g. client-side API calls.
The GitHub Actions should facilitate your need.
You can add secrets using the visual workflow editor or the repository settings. Once you create a secret, GitHub encrypts the value immediately and you can no longer view or edit the value. Anyone with write access to a repository can create and use secrets in that repository.
However, the GitHub Actions is currently available in public beta and therefore should be avoided for high-value workflows and content during this beta period.