AWS IAM Access Strategy

Sym's AWS IAM Strategy uses a dedicated IAM role to move users in and out of IAM Groups.


You can generate this!

You can automatically generate an AWS SSO Flow with symflow generate aws-iam!

Otherwise, follow the AWS Runtime Setup tutorial to set up your AWS dependencies.

Connect the Sym Runtime with your AWS Account

Follow the AWS Runtime Setup tutorial on the main AWS page to set up your runtime_connector module.

Add an AWS IAM Integration

Define the IAM Connector

The AWS IAM Access Strategy relies on a special module iam-connector. This module defines the AWS IAM Resources that enable Sym to manage IAM Groups in your AWS Account

module "iam_connector" {
  source  = "symopsio/iam-connector/aws"
  version = ">= 2.0.0"

  # This environment should match the environment defined in the generated by `symflow init`
  environment       = local.environment_name
  runtime_role_arns = [module.runtime_connector.sym_runtime_connector_role.arn]

Define the AWS IAM Permission Context Integration

Define a sym_integration resource with type = permission_context. This tells Sym to assume the AWS IAM Role defined by the IAM Connector module when managing your AWS IAM Groups, and will be referenced in the sym_strategy resource later.

  • external_id: Your AWS Account ID. Use the account_id output from module.iam-connector.settings
  • settings: The settings output from module.iam-connector
resource "sym_integration" "iam_context" {
  type        = "permission_context"
  name        = "main-iam"
  external_id = module.iam_connector.settings.account_id
  settings    = module.iam_connector.settings

Add AWS IAM Access Targets

Define sym_target resources with type = aws_iam_group for all of the AWS IAM Groups that you wish to manage access to.

  • iam_group: A required setting that must be set to the name of the IAM Group being managed.
resource "sym_target" "cloudwatch_readonly" {
  type = "aws_iam_group"

  # A unique identifier for this target, we recommend using the group name.
  name  =
  label = "Cloudwatch Read-only"

  settings = {
    # Your AWS IAM Group name
    iam_group =

Add an AWS IAM Access Strategy

Define a sym_strategy resource with type = aws_iam and include the AWS IAM Permission Context and AWS IAM Access Targets you defined above.

resource "sym_strategy" "aws_iam" {
  type           = "aws_iam"
  name           = "main-aws-iam"
  integration_id =

  # This must be a list of `aws_iam_group` sym_targets that users can request to be escalated to
  targets = []

Add the AWS IAM Strategy to your Flow

In your sym_flow resource, reference your AWS IAM sym_strategy as the strategy_id in your Flow Parameters.

resource "sym_flow" "this" {
  name = "iam_access"
  label = "IAM Group Access"
  # ... other Flow attributes not shown

  params {
    # The strategy this Flow will use to manage access.
  	strategy_id =

    # ... other Flow parameters not shown

Full Example

You can find the complete code for this example in our AWS IAM Access Strategy Example.


Consider your session lengths

Sym access will provide your users with the keys to access escalated permissions, but AWS still governs the bounding sessions. This means:

  • If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their session times out.
  • Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate.