slackapi / deno-slack-sdk

SDK for building Run on Slack apps using Deno
https://api.slack.com/automation

Local app works but deployed app fails with PermissionDenied error. #314

Closed djbensono closed 2 months ago

djbensono commented 2 months ago

The deno-slack versions

"deno-slack-sdk/": "https://deno.land/x/deno_slack_sdk@2.10.0/",
"deno-slack-api/": "https://deno.land/x/deno_slack_api@2.4.0/",

Deno runtime version

deno 1.43.2 (release, x86_64-unknown-linux-gnu) v8 12.4.254.12 typescript 5.4.5

OS info

Ubuntu 22.04.4 LTS

Describe the bug

I have an app that uses environment variables within a user-defined module that is called from within a Slack function. My app works fine locally (slack run); however, upon executing the function from a deployed app (slack deploy), I receive the following errors:

Caught error from user supplied module: PermissionDenied: Requires env access to "OAUTH_TENANT_ID", run again with the --allow-env flag
            at Object.getEnv [as get] (ext:runtime/30_os.js:102:10)
            at file:///var/task/functions/send_daily_events_message.js:5119:26

I am accessing the environment variables as follows:

import "std/dotenv/load.ts";

const TENANT_ID = Deno.env.get("OAUTH_TENANT_ID")!;
const CLIENT_ID = Deno.env.get("OAUTH_CLIENT_ID")!;
const CLIENT_SECRET = Deno.env.get("OAUTH_CLIENT_SECRET")!;

My slack.json file is as follows:

{
  "hooks": {
    "get-manifest": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-env --allow-sys https://deno.land/x/deno_slack_hooks@1.3.0/get_manifest.ts",
    "get-trigger": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-env https://deno.land/x/deno_slack_hooks@1.3.0/get_trigger.ts",
    "build": "deno run -q --config=deno.jsonc --allow-read --allow-write --allow-net --allow-run --allow-env --allow-sys https://deno.land/x/deno_slack_hooks@1.3.0/build.ts",
    "start": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-run --allow-env --allow-sys https://deno.land/x/deno_slack_runtime@1.1.1/local-run.ts",
    "check-update": "deno run -q --config=deno.jsonc --allow-read --allow-net https://deno.land/x/deno_slack_hooks@1.3.0/check_update.ts",
    "install-update": "deno run -q --config=deno.jsonc --allow-run --allow-read --allow-write --allow-net https://deno.land/x/deno_slack_hooks@1.3.0/install_update.ts",
    "doctor": "deno run -q --config=deno.jsonc --allow-read --allow-net https://deno.land/x/deno_slack_hooks@1.3.0/doctor.ts"
  },
  "config": {
    "trigger-paths": [
      "triggers/**/*.ts"
    ]
  }
}

vegeris commented 2 months ago

Hi there,

First, please ensure that you've added the environment variables to your deployed app environment, as it differs from how environment variables are accessed in a local-run environment.

To access environment variables within a custom function, you'll want to use the 'env' context property as shown here.

djbensono commented 2 months ago

Thanks, but I have previously added all required environment variables by using the slack var add command. Running slack env list shows me all required environment variables:

There are 7 variables stored in this environment

   ADMIN_EMAIL: ******
   CALENDAR_EMAIL: ******
   CHANNEL_ID: ******
   DAILY_SCHEDULE_START: ******
   OAUTH_CLIENT_ID: ******
   OAUTH_CLIENT_SECRET: ******
   OAUTH_TENANT_ID: ******

This appears to be a permissions to access environment variables error - not the fact that they are missing.

filmaj commented 2 months ago

@djbensono there is a slight misunderstanding here.

When deployed to Slack, the deno runtime does not get environment reading permissions. That is, if your deno code executes Deno.env.get, it will inevitably fail when slack deployed, because we explicitly prevent accessing them on Slack infra.

Instead:

  1. Add the environment variables via slack var add (as you've done) - this will ensure that the slack deployed version of the app gets env vars provided not as an environment variable available via Deno.env.get() but as a function parameter. Please see the link @vegeris provided you for an example of how to use these variables.
  2. To have the same experience when developing locally, add a .env file listing these variables out (as per the example here). Use the same function-argument approach to read these values as you would for step 1.

I will close this issue as I believe this is resolved. If you have any further questions, feel free to re-open or file a new issue.
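
The function-argument approach from the replies above, as an added example that is not part of the original thread or the SDK's own code: the three OAuth values are read from the `env` object handed to the function handler, checked up front, and reported by name only when absent. `Env`, `loadOAuthConfig` and `sendDailyEventsHandler` are hypothetical names, and the example assumes `env` arrives as a plain string key/value object.

```typescript
// Added example. Assumption: the handler's `env` context property is a
// plain object of string keys and string values.
type Env = Record<string, string>;

// Variable names taken from the module shown in the issue.
const REQUIRED = [
  "OAUTH_TENANT_ID",
  "OAUTH_CLIENT_ID",
  "OAUTH_CLIENT_SECRET",
] as const;
type OAuthKey = typeof REQUIRED[number];
type OAuthConfig = Record<OAuthKey, string>;

// Builds the OAuth config from the handler-supplied env instead of
// Deno.env.get(), which is denied in the deployed runtime.
function loadOAuthConfig(env: Env): OAuthConfig {
  const missing: string[] = [];
  const cfg: Partial<OAuthConfig> = {};
  REQUIRED.forEach((key) => {
    const value = env[key];
    if (value === undefined || value.trim() === "") missing.push(key);
    else cfg[key] = value;
  });
  if (missing.length > 0) {
    // Report variable names only, never their values.
    throw new Error(`Missing environment variables: ${missing.join(", ")}`);
  }
  return cfg as OAuthConfig;
}

type HandlerResult = { outputs?: { configured: boolean }; error?: string };

// Hypothetical handler body: the function that would be passed to the
// SDK's SlackFunction(...) and receives `env` in its context argument.
function sendDailyEventsHandler({ env }: { env: Env }): HandlerResult {
  try {
    const cfg = loadOAuthConfig(env);
    // The user-defined module would receive `cfg` as an argument here
    // rather than reading the process environment at import time.
    return { outputs: { configured: cfg.OAUTH_TENANT_ID.length > 0 } };
  } catch (e) {
    return { error: (e as Error).message };
  }
}
```

Passing the config into the user-defined module as an argument keeps the same code path working under both slack run and slack deploy.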