While implementing Central Finance, tons of notes need to be implemented. Fetching them from the service marketplace takes a long time, even though it follows a simple pattern:  https://launchpad.support.sap.com/#/notes/<note_number>
Just the opportunity I was looking for to build upon fellow Mentor Chris Kernaghan’s idea to use Slack and AWS Lambda, as presented at TechEd.


First, let’s visualize what we’re talking about:
Slack is your user interface. If you’re not already familiar with the real-time messaging application, get out from under your rock and visit http://www.slack.com/
At the other end, Amazon Web Services (AWS) Lambda is an event-driven and serverless computing platform that enables you to run code without having to worry about scale and only pay for the run time. More info here: https://aws.amazon.com/lambda/
In the middle, AWS API Gateway serves as a security and dispatcher platform. Learn more at: https://aws.amazon.com/api-gateway/

What you will need

Let’s get started. Here is what we need:
  • A Slack account (with configuration rights)
  • An AWS account
  • About 30 minutes!
Now, follow the steps below in the specified order. It might seem confusing because we cannot complete any configuration without starting the other to make sure the services get to know each other.
From a high level, the steps are as follows:
  1. Slack: create a slash command; collect a security token
  2. AWS IAM: create a user; collect an Access Key ID and Secret Key
  3. Command Line: encrypt the security token with the access key + secret key
  4. AWS Lambda: create the function
  5. Slack: link slash command to AWS
  6. AWS Lambda: link to SAP notes

Step 1: Slack Slash Command

Go to https://<your_account>.slack.com/apps/manage/custom-integrations, click on “Slash Command” and press the “Add Configuration” button.


List of Custon Integrations Source: Slack

Add Configuration button. Source: Slack
For now, only enter in the command field /sapnote and collect the Token number. Note that the URL field is still empty. Make sure to save your incomplete configuration.
Get the token for your new slash command. Source: Slack

Step 2: Create an AWS User

In order to communicate with the AWS API Gateway, the Slack token needs to be encrypted in 64-bit. Not so surprisingly, this is most complicated part of this process, especially if it’s the first time.
Let’s first download and setup the AWS Command Line interface from here (You will need to reboot your computer!): https://aws.amazon.com/cli/

In your AWS account, go to the Identify & Access Management (IAM):


AWS Identity & Access Management and User Creation. Source: Amazon Web Services

There, create a new user. And here comes a critical part: you need to show and store the security credentials, as these cannot be retrieved later on. I would recommend that you perform a copy / paste into a safe place rather that take a screenshot as below:


AWS IAM User Security Credentials. Source: Amazon Web Services.

Step 3: Encrypt the Token

Last check before we can start the encryption: in AWS, call the Lamda service. From the URL, note your region (e.g. us-east-1):


Now, you can call the command line and type

aws configure

You will be asked to enter the information you already collected:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default Region Name
  • Default Output Format (leave blank and press enter)
Next, still in the command line, type

aws kms encrypt --key-id alias/<KMS key name> --plaintext "<COMMAND_TOKEN> 

The result should look somewhat like this:

Last part: copy the encrypted token result (the part between quotes after CiphertextBlob”) and save it for later. Good news: We just finished the most complicated part! Let’s get to the fun part!

Step 4: Create the Lambda Function

In AWS Lambda, click on the “Get Started Now” or “Create a Lambda Function” button. AWS has already prepared several blueprints for you. Simply filter with keyword slack and select “slack-echo-command”:


Select the slack-echo-command blueprint. Source: Amazon Web Services
In the “Configure Triggers”, AWS will automatically create the API Gateway for you. Make sure you choose “Open” in the Security field, otherwise you won’t be able to call the function from Slack
Configure Triggers to the Lambda function. Source: Amazon Web Services
Next, configure your function with a Name, Description, and select Runtime version 4.3.
In the coding, enter your encrypted token from Step 3 by replacing <kmsEncryptedToken> at line 46:
Under the coding, leave the Handler name, select “Create new role from template” and enter a Role Name. Leave all other options untouched and click Next and then click Create function.
Congratulations, you have just created an API Gateway that triggers a Lambda function. Make sure to copy the service URL.
Final Lambda Configuration. Source: Amazon Web Services

Step 5: Link Slack with AWS

We’re almost there: go back to the Slack configuration for your slash command and paste the link to the Lambda function into the URL field and save. 
Ready to test? Open your slack application. In any conversation (I prefer the slackbot one for tests), enter:

/sapnote 2345678

You should receive something like this:

Initial tests in Slack. Source: Slack

Step 6: Link to SAP Notes

So far, we have connected Slack to AWS API Gateway to AWS Lambda. However, the current platform is barely an echo. This might not look like much, but it’s actually 95% of the job. Any developer with some NodeJS knowledge can now have fun with it. Let’s get the slash command to return a link to an SAP note.
Open the AWS Lambda function,  comment the callback function and create a new one:
callback(null, `:scroll: <https://launchpad.support.sap.com/#/notes/${commandText}|SAP Note Search: ${commandText}>`); 

Don’t forget to save your changes in AWS and test in Slack by entering command:

/sapnote 2345678

Result should look like this, with a link to


Final Tests in Slack. Source: Slack


Hopefully you’ve made it so far without any issue, but that was not my case. I found the following issues and solutions (feel free to ask your questions in the comments and I’ll try to update this list).

Token has not been set


This happens when you have not entered correctly the encrypted token in the lambda function. Search for const kmsEncryptedToken and make sure you have entered the encrypted token key (212 characters between single quotes).

Invalid request token


This one has nothing to do with the Slack token. It happens when you have not set the API Getaway security to Open. Therefore, it is expecting an AWS security token. Go back to the API Gateway and make sure that the Security is set to Open. You may have to deploy the API again.

Any logs?


For debugging, it is always useful to get access to the log files. In the AWS Lambda function, select the monitoring tab. At the top right, you can follow the link to “View logs in Cloudwatch”. This will show you all the log streams. In the coding, use function console.log() to add traces in the Cloudwatch log.


The example above might not be impressive as such, but showcases nicely how to setup the right platform in a very short time frame. You can now start building on this to create more fancy interaction. I, for one, can’t wait to see what you’ll come up with.

I highly recommend Paul Modderman’s excellent blog posts on Slack / SAP integration:


A final note:  please be aware that every time you run your script, AWS will charge you for every time you run your script. Even if the first 1 million requests per month are free and $0.20 for every subsequent 1 million requests, I can take no responsibility of any unforeseen costs incurred. More details here: https://aws.amazon.com/lambda/pricing/
To report this post you need to login first.


You must be Logged on to comment or reply to a post.

Leave a Reply