AWS Secrets Manager Setup


You can generate this

If you ran symflow generate, you might already be configured with a file! If so, then you do not need to complete these steps.



  1. A file generated by symflow init
    a. If you have not run symflow init, please follow the instructions in Installing Sym
  2. A runtime_connector module defined in
    a. If you do not have a, please follow the instructions in AWS Runtime Setup

Grant Sym Read-Only Access to AWS Secrets Manager

In the directory that contains your Sym configuration (i.e. the directory created by symflow init), create a new file named with the following contents:

# This secrets_manager_access module defines an AWS IAM Policy and attachment that grants the Sym Runtime Role
# the permissions to read secrets from AWS Secrets Manager that are under the /sym/ path and tagged with
# `SymEnv = local.environment_name`.
module "secrets_manager_access" {
  source  = "symopsio/secretsmgr-addon/aws"
  version = "~> 1.1"

  environment   = local.environment_name
  iam_role_name =
}

# This resource tells Sym how to access your AWS account's Secrets Manager instance.
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"

  settings = {
    # This tells Sym to use the runtime_context integration defined in to access
    # your AWS account's Secrets Manager.
    context_id =
  }
}

Finally, run terraform init && terraform apply to apply your configuration.

For more information about the inputs and outputs of the secrets_manager_access module, see the Terraform registry.
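To make the access scope concrete, here is an added illustration of an explicit IAM policy with the same boundary the module description gives (read-only, names under /sym/, tag SymEnv equal to the environment). It is not the secretsmgr-addon module's own source; the resource names and the sym_runtime_role_name variable are assumptions for this example.

```hcl
# Added example, not the symopsio/secretsmgr-addon module's code.
# Assumption: the Sym Runtime role name is supplied through this variable.
variable "sym_runtime_role_name" {
  type = string
}

data "aws_iam_policy_document" "sym_secrets_read_example" {
  statement {
    sid    = "SymReadScopedSecrets"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    # Only secrets whose name starts with /sym/ ...
    resources = ["arn:aws:secretsmanager:*:*:secret:/sym/*"]

    # ... and that carry a SymEnv tag matching this environment.
    condition {
      test     = "StringEquals"
      variable = "secretsmanager:ResourceTag/SymEnv"
      values   = [local.environment_name]
    }
  }
}

resource "aws_iam_policy" "sym_secrets_read_example" {
  name   = "${local.environment_name}-sym-secrets-read-example"
  policy = data.aws_iam_policy_document.sym_secrets_read_example.json
}

resource "aws_iam_role_policy_attachment" "sym_secrets_read_example" {
  role       = var.sym_runtime_role_name
  policy_arn = aws_iam_policy.sym_secrets_read_example.arn
}
```

A secret stored outside /sym/, or under /sym/ but missing the SymEnv tag for this environment, fails the resource or condition match and stays unreadable to the role.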

Next Steps

The Sym Runtime should now have read-only access to your AWS Secrets Manager Secrets. In Share Secrets with the Sym Runtime we will describe how to create secrets with Terraform and share them with the Sym Runtime.