Configuring login policy for Slack integration

Last updated: September 16, 2025

When setting up Slack integration with Spacelift, you may encounter authentication errors if your existing login policy doesn't properly handle Slack requests. This typically happens when you have custom login policies that conflict with Slack authentication.

Understanding the issue

If you have an existing login policy (such as one for GitHub authentication) and try to add Slack integration, you may see authentication errors in Slack. This occurs because your current policy may be denying Slack requests or not providing the necessary permissions for Slack to interact with your spaces.

Solution

To allow Slack integration while maintaining your existing authentication rules, you need to modify your login policy to:

  1. Allow requests from your Slack workspace

  2. Provide appropriate space permissions for Slack

  3. Ensure your deny rules don't block Slack requests

Here's an example policy that handles GitHub teams, API users, and Slack integration:

package spacelift

teams := input.session.teams

# GitHub team permissions
admin { teams[_] == "DevOps" }
allow { teams[_] == "AllDevs" }

# Allow Slack from your workspace (replace with your Slack team ID)
allow { input.slack.team.id == "YOUR_SLACK_TEAM_ID" }

# Deny non-members but don't block Slack requests
deny { not allow }

# Space permissions for GitHub teams
space_read[space.id] {
  space := input.spaces[_]
  teams[_] == "AllDevs"
}

space_write[space.id] {
  space := input.spaces[_]
  teams[_] == "AllDevs"
}

# Space permissions for Slack - required for Slack to see and interact with stacks
space_read[space.id] {
  space := input.spaces[_]
  input.slack.team.id == "YOUR_SLACK_TEAM_ID"
}

space_write[space.id] {
  space := input.spaces[_]
  input.slack.team.id == "YOUR_SLACK_TEAM_ID"
}

# API user permissions
allow {
  input.session.login == "api::your_api_key"
}

Key points to remember

  • Replace placeholder values: Make sure to replace YOUR_SLACK_TEAM_ID with your actual Slack team ID

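  • Space permissions are crucial: Slack needs space_read permissions at minimum to see stacks in channels. Add space_write if you want Slack to perform actions like plan/apply. The example rules iterate over input.spaces, so they grant these permissions on every space to the whole Slack workspace; narrow them if only some spaces should be reachable from Slack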

  • Simplify deny rules: Using deny { not allow } is often cleaner than complex deny conditions that might accidentally block Slack

  • Test your policy: Use the policy simulator to verify that both allow and deny return the expected values for Slack requests
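As a complement to the policy simulator, the same checks can be kept as OPA unit tests. The following is an added example, not part of the original page or Spacelift's own code. It assumes the policy above is saved in a file loaded alongside this one, and the inputs are constructed samples containing only the fields that policy reads (the `T_SOMEONE_ELSE` team ID and the space IDs are made up).

```rego
package spacelift_test

import data.spacelift

# Constructed inputs; the field names are the ones the policy above reads.
spaces := [{"id": "root"}, {"id": "dev"}]

slack_ours := {"slack": {"team": {"id": "YOUR_SLACK_TEAM_ID"}}, "spaces": spaces}

slack_other := {"slack": {"team": {"id": "T_SOMEONE_ELSE"}}, "spaces": spaces}

github_dev := {"session": {"login": "dev1", "teams": ["AllDevs"]}, "spaces": spaces}

github_devops_only := {"session": {"login": "ops1", "teams": ["DevOps"]}, "spaces": spaces}

# Slack requests from the configured workspace are allowed, not denied,
# and can read and write every space.
test_configured_slack_workspace {
	spacelift.allow with input as slack_ours
	not spacelift.deny with input as slack_ours
	spacelift.space_read == {"root", "dev"} with input as slack_ours
	spacelift.space_write == {"root", "dev"} with input as slack_ours
}

# Any other Slack workspace falls through to deny and gets no spaces.
test_other_slack_workspace {
	not spacelift.allow with input as slack_other
	spacelift.deny with input as slack_other
	count(spacelift.space_read) == 0 with input as slack_other
	count(spacelift.space_write) == 0 with input as slack_other
}

# The existing GitHub rule still works after the Slack rules are added.
test_github_alldevs_unaffected {
	spacelift.allow with input as github_dev
	not spacelift.deny with input as github_dev
	spacelift.space_write == {"root", "dev"} with input as github_dev
}

# deny only looks at allow, so a member of DevOps who is not also in
# AllDevs matches admin and deny at the same time.
test_devops_only_matches_admin_and_deny {
	spacelift.admin with input as github_devops_only
	spacelift.deny with input as github_devops_only
}
```

Run it with `opa test` over both files; the tests use the same pre-1.0 Rego syntax as the policy, so OPA 1.0 and later need the `--v0-compatible` flag.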

For more detailed information about Slack integration login policies, refer to the official documentation.