Required permissions Non-supported operations Using commands Running commands Configuring commands support on an existing chat channel Enabling multiple accounts to use commands

Running AWS CLI commands from chat channels

You can run commands using AWS CLI syntax directly in chat channels. AWS Chatbot enables you to retrieve diagnostic information, configure AWS resources, and run workflows.

When you interact with AWS Chatbot in your chat channels, it prompts you for any missing parameters before it runs the command.

Topics

Required permissions
Non-supported operations
Using commands
Running commands
Configuring commands support on an existing chat channel
Enabling multiple accounts to use commands

Required permissions

To perform actions in your chat channels, you must first have the appropriate permissions. For more information about AWS Chatbot's permissions, see Understanding permissions.

Non-supported operations

AWS Chatbot doesn't support running commands for operations in the following JSON policy:


{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",
        "cognito-identity:*",
        "connect:GetFederationToken",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "ec2:GetPasswordData",
        "ecr:GetAuthorizationToken",
        "ecr:GetLogin",
        "gamelift:RequestUploadCredentials",
        "gamelift:GetInstanceAccess",
        "identitystore:*",
        "lightsail:DownloadDefaultKeyPair",
        "lightsail:GetInstanceAccessDetail",
        "lightsail:GetKeyPair",
        "lightsail:GetKeyPairs",
        "lightsail:UpdateRelationalDatabase",
        "iam:*",
        "kms:*",
        "redshift:GetClusterCredentials",
        "sdb:*",
        "secretsmanager:*",
        "sso:*",
        "sso-admin:*",
        "sso-oidc:*",
        "storagegateway:DescribeChapCredentials",
        "sts:*",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject",
        "s3:GetBucketPolicy",
        "snowball:GetJobUnlockCode"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

Using commands

After you set up the AWS Chatbot, you run commands with the following prefix:

@aws

Note

If you are using Slack and AWS is not listed as a valid member of the channel, you need to add the AWS Chatbot app to the Slack workspace and invite it to the channel. For more information, see the Getting started guide for AWS Chatbot.

The AWS Chatbot command syntax is the same as you would use in a terminal:

@aws service command --options

Note

You can specify parameters with either a double hyphen (--option) or a single hyphen (-option). This allows you to use a mobile device to run commands without running into issues with the mobile device automatically converting a double hyphen to a long dash.

Note

AWS CLI commands run from AWS Chatbot have an execution timeout of 15 seconds. If a command response is not received within 15 seconds, you receive a timeout error message. If you have longer running jobs, such as AWS Lambda functions, you should invoke them asynchronously from AWS Chatbot. The maximum allowable Lambda function execution timeout is 900 seconds (15 minutes). For more information about asynchronous invocation, see Asynchronous invocation in the AWS Lambda Developer Guide.

For example, enter the following read-only command to view a list of your Lambda functions:

@aws lambda list-functions

Enter the following commands to list and chart CloudWatch alarms:

@aws cloudwatch describe-alarms --state ALARM

You can also use CLI commands to change you AWS resources. For example, enter the following command to change your Kinesis shards:

@aws kinesis update-shard-count --stream-name samplestream --scaling-type UNIFORM_SCALING --target-shard-count 6

You can enter a complete AWS CLI command with all the parameters, or you can enter the command without parameters and AWS Chatbot prompts you for missing parameters.

For more information on commonly used CLI commands, see Using CLI commands with AWS Chatbot - Common use cases. For an exhaustive list of CLI commands, see the AWS CLI Command Reference.

Note

If you find you are unable to run commands, you may need to switch your user role or contact your administrator to find out what actions are permissible.

The following limitations apply to running AWS CLI commands in your chat rooms:

You may experience some latency when invoking commands through AWS Chatbot.
Regardless of their AWS Chatbot role permissions, users cannot run IAM, AWS Security Token Service, or AWS Key Management Service commands within chat channels.
Amazon S3 service commands support Linux-style command aliases such as ls and cp. AWS Chatbot does not support Amazon S3 command aliases for commands in Slack.
Users cannot display or decrypt secret keys or key pairs for any AWS service, or pass IAM credentials.
You can't use AWS CLI command memory (that is, recent commands appear when the user presses up arrow or down arrow keys) in the chat channel. You must enter, or copy and paste each AWS CLI command in the chat channel.
You can create AWS support cases through your chat channels. You cannot add attachments to these cases from the chat channel.
Chat channels do not support standard AWS CLI pagination.

Running commands

AWS Chatbot tracks your use of command options and prompts you for any missing parameters before it runs the command you want.

For example, if you enter @aws lambda get-function with no further arguments, the Chatbot requests the function name. Then, run the @aws lambda list-functions command, find the function name you need, and re-run the first command with the corrected option. Add more parameters for the initial command with @aws function-name name. AWS Chatbot parses your commands and helps you complete the correct syntax so it can run the complete AWS CLI command.

Getting help for AWS services

To get help about commands for any AWS service, enter @aws followed by the service name, as shown following:

@aws lambda --help

@aws cloudwatch describe-alarms --help

Formatting data and viewing logs

To ensure data from Amazon CloudWatch alarms is correctly formatted, attach the Lambda-Invoke Command Permissions and ReadOnly Commands Permissions IAM policies to the role in the AWS Chatbot console for users in the chat channel.

Run the cloudwatch describe-alarms command to show CloudWatch alarms in chart form as follows:

@aws cloudwatch describe-alarms

You can change the command to only include notifications in the alarm state, filtering out other notifications, by adding the following option:

@aws cloudwatch describe-alarms --state ALARM

To see alarms from a different AWS Region, include that Region in the command:

@aws cloudwatch describe-alarms --state ALARM --region us-east-1

You can also filter AWS CLI output by using the optional query parameter. A query uses JMESPath syntax to create an expression to filter your output to your specifications. For more information about filtering, see Filtering AWS CLI output in the AWS Command Line Interface User Guide. For more information about JMESPath syntax, see their website. The following example shows how to limit AWS CLI output for the cloudwatch describe-alarms command to just the alarm name, description, state, and reason attributes.



@AWS cloudwatch describe-alarms --query 
 @.{MetricAlarms:MetricAlarms[*].
 {AlarmName:AlarmName, AlarmDescription:AlarmDescription, StateValue:StateValue, 
 StateReason:StateReason, Namespace:Namespace, MetricName:MetricName, 
 Dimensions:Dimensions, ComparisonOperator:ComparisonOperator, Threshold:Threshold, 
 Period:Period, EvaluationPeriods:EvaluationPeriods, Statistic:Statistic}} 
 --region us-east-2

Displaying Amazon CloudWatch Logs information

CloudWatch alarm notifications show buttons in chat client notifications to view logs related to the alarm. These notifications use the CloudWatch Log Insights feature. There may be service charges for using this feature to query and show logs.

You can view CloudWatch logs, including error logs, that are associated with the CloudWatch alarm by choosing Show logs at the bottom of the alarm notification. AWS Chatbot displays the first 30 log entries from the start of the alarm evaluation period. AWS Chatbot uses CloudWatch Log Insights to query for logs. The query results contain a link to the CloudWatch Log Insights console, where a user can dive deeper into logs details.

Choose Show error logs to filter search results to log entries containing Error, Exception, or Fail terms.

The log shows a command that a user can copy, paste, and edit to re-run the query for viewing logs.

Creating an AWS Support case

The AWS Support Command Permissions policy appears in the AWS Chatbot console when you configure resources. It's provided in the AWS Chatbot console so that you can set up new roles for users in your chat client to create AWS support tickets through their chat channels.

You can quickly create a new AWS support case by entering the following:

@aws support create-case

Follow the prompts from AWS Chatbot to fill out the support case with its needed parameters. When you complete the case information entry, AWS Chatbot asks for confirmation. You will not be able to use file attachments.

Note

AWS Chatbot requires UpperCamelCase for the --query parameter. In UpperCamelCase, the first letter of every word is capitalized.

For any AWS Chatbot role that creates AWS Support cases, you need to attach the AWS Support command permissions policy to the role. For existing roles, you will need to attach the policy in the IAM console.

In the IAM console, this policy appears as AWSSupportAccess.

It is an AWS managed policy. Attach this policy in IAM to any role for AWS Chatbot usage. You can define your own policy with greater restrictions, using this policy as a template.

The Support Command Permissions policy applies only to the AWS Support service.

The policy's JSON code is shown following:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "support:*"
            ],
            "Resource": "*"
        }
    ]
}

Configuring commands support on an existing chat channel

If you have existing chat channels using the AWS Chatbot, you can reconfigure them in a few steps to support the AWS CLI.

Open the AWS Chatbot console.
In the Configured Clients page, select the chat client. If you have only one, its contents (the list of chat channels) appear on the page.

Note
In this procedure, we assume use of an existing AWS Chatbot chat channel configuration. The process is very similar if you need to create a new chat client configuration by choosing Configure new client.
Choose a channel from the Configured channels list, and choose Edit. The selected channel can be public or private.
Define your Role setting by choosing a Channel role or User roles. For more information about role types, see Role setting:
Channel role
For Role setting, choose Channel role.
For Channel role, choose Create new role. If you want to use an existing role instead, choose Use an existing role. To use an existing IAM role, you will need to modify it for use with AWS Chatbot. For more information, see Configuring an IAM Role for AWS Chatbot.
For Role name, enter a name. Valid characters: a-z, A-Z, 0-9, .\w+=,.@-_.
For Role policy template, choose Read Only command permissions and Lambda-Invoke command permissions.

Note

If you plan to have users of the role submit AWS Support cases, also attach the AWS Support command permissions policy.
If you want the role to allow users to manage incidents, add the Incident Manager Permissions policy.
User roles
For Role setting, choose User roles.
Select the policies that will make up your channel guardrail policies. Your channel guardrail policies control what actions are available to your channel members.

Note
If you initially had permission to run Lambda invoke, it is contained in All actions permitted.

Note
To run most CLI commands from your Slack channel, ensure you select All actions permitted.

Note
You do not need to edit or change the Amazon SNS topics configuration for the chat channel.
Choose Save.

You can use the IAM console to modify an existing IAM role. By simply attaching the three additional AWS Chatbot policies to the IAM role, users of that role can immediately begin using commands in the chat channel. To do so, see Configuring an IAM Role for AWS Chatbot.

Important

If you have a large number of chat channels and you want to have the same command permissions across multiple channels, you can apply the configured AWS Chatbot role to any of your other chat channels without further modification. The IAM policies will be consistent across chat channels that support commands in your AWS Chatbot service.

Enabling multiple accounts to use commands

You can configure AWS Chatbot for multiple AWS accounts in the same chat channel. When you work with AWS Chatbot for the first time in that channel, it will ask you which account you want to use. AWS Chatbot will remember the account selection for 7 days.

To change the default account in the channel, enter @aws set default-account and select the account from the list.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Performing actions

Asking AWS Chatbot questions