Slack App
Slack Approval Workflow Integration with the Keeper Vault and Endpoint Privilege Manager

This integration is currently in PUBLIC PREVIEW. Please open an issue with feedback or feature requests.
Overview
The Keeper Slack App helps achieve zero standing privilege and streamlines credential workflow requests and approvals directly from Slack. The customer hosts the Slack agent and Commander Service Mode, ensuring that zero knowledge is maintained with end-to-end encryption.
This document describes the installation of the Keeper Slack App using a streamlined setup method that requires the use of Keeper Secrets Manager. If you don't have a Secrets Manager or KeeperPAM license, please contact your Keeper account manager.
Features
Record Access Requests
Request access to specific Keeper records with justification, custom permissions and access time limits. This includes standard vault records and KeeperPAM resources.
Folder Access Requests
Request access to specific Keeper Shared Folders with justification, custom permissions and access time limits.
One-Time Share Requests
Request a one-time share, password reset or other dynamic password generation with a self-destructing share link. The one-time share can also be editable, offering bi-directional sharing capabilities.
Endpoint Privilege Manager Approvals
Keeper Endpoint Privilege Manager (KEPM) just-in-time elevation approvals in real time through a dedicated Slack channel.
SSO Cloud Device Approvals
Perform approvals of SSO Cloud devices directly through Slack, if the Keeper Automator service is not deployed.
Prerequisites
System Requirements
To maintain zero knowledge and full end-to-end encryption, the Keeper Slack App and Commander Service Mode containers are hosted by each customer on their own infrastructure to interact with the Slack cloud service. Commander is used locally to help set everything up.
Linux VM
Any VM in the cloud or on-prem which can establish https/443 outbound connections to Slack and Keeper services.
Docker
Docker is the recommended method for setting up the service
Keeper Commander
Service Mode running and accessible
Keeper Secrets Manager
Either a Keeper Secrets Manager or KeeperPAM license, used for retrieving the secret configuration data
Slack Workspace
Requires admin access to install and configure apps
Important: The slack-app-setup command requires Keeper Secrets Manager (KSM) to be activated. If KSM is not available, please contact your account manager.
Setup Steps
In the below setup instructions, we'll be using Commander and Slack-App Docker Images (keeper/commander and keeper/slack-app). This integration also leverages Keeper Secrets Manager to secure the configurations used by the services.
Follow these five steps to configure the Slack app:
Step 1. Create Slack App
In this section, you will create the Slack App in your Slack workspace as the administrator and gather the necessary configuration values.
As the Slack Admin, go to api.slack.com/apps
Click Create New App → From an app manifest
Select your workspace
Paste the JSON content below into the manifest file




Review the settings of the Slack app and create it.
Go to Basic Information → Display Information and upload a Keeper icon for your app's profile picture. Below is a 512x512 Keeper icon that can be downloaded for use.
On the left side, click on Basic Information → App-Level Tokens → Generate Token and Scopes, and generate an app-level token called "keeper-slack-app" with the connections:write scope. Save the token to use as the "App Token" in the next step.

On the left side, click on Install App, click Install to [Workspace], then save the Bot User OAuth Token for the next step.

After creating the app, collect these credentials:
App Token
Basic Information → App-Level Tokens → Generate
Bot Token
OAuth & Permissions → Bot User OAuth Token
Signing Secret
Basic Information → App Credentials
Save the Generated App Token, Bot Token and Signing Secret for Step 4.
Step 2. Create Approvals Channel
In your Slack workspace, create a private channel (e.g., #keeper-vault-approvers) and invite the Keeper bot to the approval channel you created:
Option 1. In the approvals channel, type /invite @Keeper Security.
Option 2. Click the channel name → Settings → Integrations → Add an App → Search for Keeper Security → Add
Copy the Channel ID (right-click channel → View Details → copy ID at bottom)

Save the Channel ID for Step 4.
Step 3. Commander Service Mode Setup
To enable the service to authenticate and execute commands within the Keeper tenant, an authorized Keeper Commander configuration file must be created. This configuration can be generated on a host computer or workstation.
Install Keeper Commander locally on your machine
If required, create a new Keeper service account dedicated to this integration, ensuring it has access to the relevant records and folders and the ability to perform record and folder sharing.
Log in to Commander with the Keeper service account
([email protected])
Complete the authentication process including any 2FA requirements. Once you are fully authenticated, proceed to Step 4.
Step 4. Run Slack App Setup Command
The slack-app-setup command generates a docker-compose.yml file which you will use to operate the Slack App and Commander Service Mode services.
From the Commander shell, run the slack-app-setup command.
Command Line Options
The slack-app-setup command supports the following optional flags for customization:
--folder-name (optional): Name for the shared folder. Default: Commander Service Mode - Slack App
--app-name (optional): Name for the Secrets Manager app. Default: Commander Service Mode - KSM App
--config-record-name (optional): Name for the Commander config record. Default: Commander Service Mode Docker Config
--slack-record-name (optional): Name for the Slack config record. Default: Commander Service Mode Slack App Config
--config-path (optional): Path to the config.json file. Default: ~/.keeper/config.json
--timeout (optional): Device timeout setting. Default: 30d
--skip-device-setup (optional): Skip device registration if already configured. Default: false
Example with Custom Names:
The command will guide you through the following prompts:
Phase 1: Docker Service Mode Setup
It automatically configures KSM and uploads the config file required for setting up service mode via Docker.
Service Configuration
Configure the Commander Service port:
Port: Port number for Commander Service Mode (1024-65535). Example: 8900
Tunneling Configuration (Optional)
If external access is required, configure one of the following:
Ngrok Auth Token: Your ngrok authentication token for public URL generation.
Ngrok Custom Domain: Custom ngrok domain (e.g., myapp.ngrok.io).
Cloudflare Tunnel Token: Cloudflare tunnel token for public URL generation.
Cloudflare Custom Domain: Your Cloudflare domain (e.g., slack.company.com).
Ngrok and Cloudflare are mutually exclusive; choose one if needed. A tunnel is NOT a requirement for the Slack App, but other integrations such as the Jira app may require a cloud tunnel.
Phase 2: Slack App Integration Setup
Enter the Slack credentials obtained from Steps 1 and 2:
Slack App Token (required): The xapp- token from Step 1. Must be at least 90 characters. Example: xapp-1-A0XXXXX-...
Slack Bot Token (required): The xoxb- token from Step 1. Must be at least 50 characters. Example: xoxb-1234567890-...
Slack Signing Secret (required): The signing secret from Step 1. Must be exactly 32 characters. Example: a1b2c3d4e5f6...
Approvals Channel ID (required): The channel ID from Step 2. Example: C0XXXXXXX
Enable PEDM? (optional): Enable Endpoint Privilege Manager approvals (y/n). Example: y
PEDM Polling Interval (optional): How often to check for PEDM requests, in seconds. Default: 120. Example: 120
Enable Device Approvals? (optional): Enable SSO Cloud device approvals (y/n). Example: y
Device Approval Polling Interval (optional): How often to check for device approvals, in seconds. Default: 120. Example: 120
In order to process Endpoint Privilege Manager approvals and SSO Cloud approvals, the Slack App service user must have the administrative permissions "Manage Endpoint Privilege" and "Managing the Keeper Admin Console".
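Before handing the Phase 2 values to slack-app-setup, they can be sanity-checked against the constraints listed above (token prefixes and lengths, the 32-character signing secret, the channel ID form). The following preflight check is an added example, not part of the Keeper project; the channel ID pattern and the hex form of the signing secret are assumptions, and all sample values are constructed.

```python
import re

# Constraints taken from the Phase 2 prompts and the troubleshooting section of this page.
APP_TOKEN_MIN_LEN = 90      # xapp- App-Level Token
BOT_TOKEN_MIN_LEN = 50      # xoxb- Bot User OAuth Token
SIGNING_SECRET_LEN = 32     # Slack signing secret
# Assumption: Slack channel IDs are C (channels) or G (legacy private groups) followed by
# uppercase alphanumerics; the page itself only shows the form C0XXXXXXX.
CHANNEL_ID_RE = re.compile(r"^[CG][A-Z0-9]{8,}$")


def check_slack_config(app_token, bot_token, signing_secret, channel_id):
    """Return a list of problems; an empty list means every value passes the checks above.
    Values are stripped first: a trailing newline from copy/paste is a common reason a
    token that looks right still fails a length or prefix check."""
    app_token, bot_token = app_token.strip(), bot_token.strip()
    signing_secret, channel_id = signing_secret.strip(), channel_id.strip()
    problems = []

    if not app_token.startswith("xapp-"):
        problems.append("App Token must be the App-Level Token starting with 'xapp-'")
    elif len(app_token) < APP_TOKEN_MIN_LEN:
        problems.append(f"App Token is shorter than {APP_TOKEN_MIN_LEN} characters; probably truncated")

    # Mirrors the invalid_auth row: the bot token is xoxb-, not the app (xapp-) or user (xoxp-) token.
    if bot_token.startswith(("xapp-", "xoxp-")):
        problems.append("Bot Token is an xapp-/xoxp- token; use the Bot User OAuth Token (xoxb-)")
    elif not bot_token.startswith("xoxb-"):
        problems.append("Bot Token must start with 'xoxb-'")
    elif len(bot_token) < BOT_TOKEN_MIN_LEN:
        problems.append(f"Bot Token is shorter than {BOT_TOKEN_MIN_LEN} characters; probably truncated")

    if len(signing_secret) != SIGNING_SECRET_LEN:
        problems.append(f"Signing Secret must be exactly {SIGNING_SECRET_LEN} characters, got {len(signing_secret)}")
    elif not re.fullmatch(r"[0-9a-f]+", signing_secret.lower()):
        # Assumption: the secret is hexadecimal, as the page's example a1b2c3d4e5f6... suggests.
        problems.append("Signing Secret should be 32 hex characters; check for a pasted label or space")

    if not CHANNEL_ID_RE.match(channel_id):
        problems.append("Approvals Channel ID should look like C0XXXXXXX (copy the ID from View Details, not the #name)")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    result = check_slack_config("xapp-1-A0XXXXX-" + "a" * 80, "xoxb-1234567890-" + "b" * 40,
                                "a1b2c3d4e5f6" + "0" * 20, "C0123456789")
    print("OK" if not result else "\n".join(result))
```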
After the command executes successfully, it automatically performs the following actions:
Configures persistent device authentication
Creates a Shared Folder named “Commander Service Mode – Slack App”
Creates a KSM application with access to the shared folder
Creates a client device and generates a Base64-encoded configuration value
Creates a Docker Config record and uploads the config.json file from the .keeper directory
Creates a Slack App Config record containing the Slack App credentials.

Upon successful execution, a docker-compose.yml is generated containing both the Commander Service Mode and Slack App services, ready for deployment.
Once setup is complete, ensure that the Commander session is terminated and the local .keeper/config.json file is deleted to prevent device token conflicts.
Step 5. Deploy to Docker Environment
In this section, you will set up a Docker Compose environment on a Linux virtual machine or host where the Commander Service will run.
Launch a Linux VM or prepare a Linux host and connect to it via SSH.
Install docker and docker-compose (refer to the installation instructions here).
Transfer the generated docker-compose.yml file from Step 4 to the target Linux server.
Start up the services on the host machine:
Service Startup Sequence
The services start sequentially:
Commander Service starts first, generates an API key, and saves it along with the service URL to the vault record
Health checks validate the Commander service is running
Slack App starts after health checks pass, automatically retrieving the API key and service URL from the vault record

Verify Successful Startup
Monitor the logs to make sure everything starts up.
Check container status:
View Commander Service logs:
The API key is redacted in Docker logs for security. Both services communicate securely via the shared vault record.
View Slack App logs:
If everything is successful, you'll see the messages below:
Command Reference for Requesting User
/keeper-request-record
Request access to a specific Keeper record.
Syntax:
/keeper-request-folder
Request access to a shared folder.
Syntax:
/keeper-one-time-share
Request a one-time share link for a record.
Syntax:
Screenshots
The below screenshots demonstrate the core features of the Keeper Slack App.
Interacting with the Slack App for Requests

Requesting Access to a Record (no UID provided)

Requesting Access to a Record (with UID provided)

Record Access Request - Admin View

Requesting Access to a Folder (with UID provided)

Folder Access Request - Admin View

One-time Share Request for Password Reset

One-Time Share - Admin View with New Record Creation

One-Time Share - Admin View with Search for Existing Record

Endpoint Privilege Manager - Approval for Elevation

SSO Cloud Device Approval - Admin View

Updates
Updating the Commander Service Mode and Slack app Container
To update to the latest version of Commander or the Slack App, follow the steps below to stop the service, update the containers and start up the new containers.
Troubleshooting
Startup Errors
Error: Commander Service Mode is prompting for master password
Cause: Multiple config.json files are attached to the Vault record
Fix: Follow Steps 4-5 again, running the slack-app-setup command with a new folder name to create a new JSON config file.

Error: [WARN] Warning: Cannot reach Keeper Service Mode
Cause: Service Mode not running or wrong URL
Fix: Verify the service URL in the vault record is as expected

Error: invalid_auth
Cause: Wrong Slack bot token
Fix: Verify bot_token starts with xoxb- (not xapp- or xoxp-)

Error: Socket Mode not enabled
Cause: App-level token missing or wrong
Fix: Generate an App-Level Token with the connections:write scope
Slack API Errors
Error: channel_not_found
Cause: Bot not invited to approvals channel
Fix: Run /invite @Keeper Commander in the channel

Error: not_in_channel
Cause: Bot removed from channel
Fix: Re-invite the bot to the channel

Error: missing_scope
Cause: Bot lacks required permissions
Fix: Reinstall the app; ensure scopes: chat:write, commands, im:write, users:read, channels:read

Error: invalid_blocks
Cause: Malformed Block Kit message
Fix: Check logs for the specific block error; usually a data formatting issue

Error: user_not_found
Cause: Invalid Slack user ID
Fix: User may have been deactivated from the workspace
Service Mode Errors
Error: Failed to submit command: HTTP 403
Cause: API key invalid or missing
Fix: Verify api_key in the config vault record matches Service Mode

Error: Failed to submit command: HTTP 404
Cause: Wrong API endpoint version
Fix: Use the V2 endpoint: /api/v2/ (not /api/v1/)

Error: Failed to submit command: HTTP 405
Cause: Using wrong HTTP method
Fix: Ensure Service Mode is running with queue enabled

Error: Command timed out or failed
Cause: Service Mode overloaded or command not registered
Fix: Register the command in Service Mode; increase timeout

Error: No request_id received from API
Cause: Service Mode not using queue/async mode
Fix: Restart Service Mode with queue enabled (V2)
Access Grant Errors
Error: Record Not Found
Cause: Invalid UID or record deleted
Fix: Verify the record UID exists in the Keeper vault

Error: Folder Not Found
Cause: Invalid folder UID
Fix: Verify the folder UID exists in the Keeper vault

Error: Invalid UID Type (record vs folder)
Cause: Used wrong command for item type
Fix: Use /keeper-request-folder for folders, /keeper-request-record for records

Error: This user already has time-limited access...
Cause: Conflict with existing share
Fix: Revoke existing access first, then grant new permission

Error: Share permissions require permanent access
Cause: Trying to use a duration with Can Share/Edit & Share
Fix: Share permissions (Can Share, Edit & Share, Change Owner) are always permanent

Error: User share...failed
Cause: Permission conflict on folder
Fix: User may have incompatible existing access; revoke and re-grant
Search & Modal Errors
Error: No records found matching...
Cause: Search query too specific or no matches
Fix: Try broader search terms; check the record exists in the vault

Error: Search command timed out
Cause: Service Mode slow or vault very large
Fix: Increase max_wait in _poll_for_result() or use a more specific search

Error: Error processing search modal submission
Cause: Modal data corrupted or expired
Fix: Close the modal and try again; check logs for the specific error

Error: Modal shows "Searching..." forever
Cause: Poll result never returned
Fix: Check Service Mode logs; verify the search command is registered
One-Time Share Errors
Error: one-time share links can not be created for PAM records
Cause: Commander does not support one-time shares for PAM records
Fix: Request the one-time share for a non-PAM record

Error: Share link created but URL not found in response
Cause: Unexpected Service Mode response format
Fix: Check the Service Mode version; verify the one-time-share command is registered

Error: Failed to create one-time share
Cause: Record may not be shareable
Fix: Verify the user has share permissions on the record
Record Creation Errors
Error: Failed to create record
Cause: Missing required fields or command error
Fix: Ensure title, login, and password are provided

Error: Record created but UID could not be retrieved
Cause: Search after creation failed
Fix: Record exists but the search timed out; manually search for it
KEPM Errors
Error: No data returned
Cause: KEPM feature not enabled
Fix: Enable KEPM in your Keeper enterprise settings. Ensure that your service user has the necessary admin permissions.

Error: KEPM sync failed
Cause: Service Mode can't reach KEPM server
Fix: Check network connectivity and KEPM configuration

Error: Failed to approve/deny KEPM request
Cause: Request may have expired
Fix: Check if the request is still pending; it may have auto-expired