Use Sym to seamlessly shift users in and out of IAM roles.


Sym's AWS IAM Strategy uses a dedicated IAM role to move users in and out of IAM Groups.


Consider your session lengths

Sym access will provide your users with the keys to access escalated permissions, but AWS still governs the bounding sessions. This means:

  • If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their session times out.
  • Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate.


This integration Strategy relies on a special connector

To use the AWS IAM Strategy, you'll need to set up the AWS IAM Connector module, too!

Example implementation

# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type = "aws_iam"
  name = "${var.environment}-strategy"

  integration_id =
  targets        = [for target in sym_target.targets :]

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["group_name"] => target }

  type  = "aws_iam_group"
  label = each.value["label"]
  name  = each.value["group_name"]

  settings = {
    iam_group = each.value["group_name"]

Did this page help you?