You only need to connect to AWS once!

If you generated an AWS Flow with symflow generate, you will already have these resources configured! If so, you do not need to configure them again.


Sym provides several first-party integrations with AWS Services:

In order for Sym to integrate with these AWS Services, you must give the Sym Runtime the correct IAM Roles and policies to access your AWS Account's resources.

Connect the Sym Runtime with your AWS Account

Follow the instructions in Connecting Sym to AWS to set up a runtime.tf file and create the Runtime Connector IAM Role to allow Sym to take actions in your AWS account.

Declare a sym_runtime Resource

In Connecting Sym to AWS, we created a runtime.tf file that declares a sym_integration.runtime_context resource. We need to pass this runtime_context integration to a sym_runtime resource to be included in your sym_environment.

Add a sym_runtime resource to your runtime.tf file, with the context_id set to sym_integration.runtime_context.id.

# ... other resources omitted

resource "sym_runtime" "this" {
  name = "main"

  # This tells the Sym Runtime to assume the IAM Role declared above
  # when executing AWS-related Access Strategies
  context_id = sym_integration.runtime_context.id

Add the Sym Runtime Resource to your Environment

In the environment.tf file generated by symflow init, locate the sym_environment resource.

Add the sym_runtime resource you declared above to the sym_environment resource, which will give Flows in that environment access to the Runtime Permission Context.

# ... other resources omitted

resource "sym_environment" "this" {
  name = "main"

  # Add the runtime_id here to tell the AWS Flows in this environment
  # to use the Permission Context Integration defined in this sym_runtime resource.
  runtime_id = sym_runtime.this.id

  # ... other values omitted