AWS IAM SDK Integration

This section illustrates how to use the aws_iam Sym SDK methods in your impl.py.


Is the impl.py part of an AWS IAM Sym Flow?

The aws_iam SDK methods will Just Work if used in the impl.py of an AWS IAM Sym Flow!

Pro-tip: You can generate an AWS IAM Sym Flow with symflow generate --type aws-iam

Connect the Sym Runtime with your AWS Account

Follow the AWS Runtime Setup tutorial on the main AWS page to set up your runtime_connector module.

Give the Sym Runtime permissions to read from AWS IAM

To be able to use the aws_iam SDK methods, you will need to give the Runtime Connector Role IAM permissions. Ensure that you have an iam_connector module declared with version >= 2.0.0.

module "iam_connector" {
  source  = "symopsio/iam-connector/aws"
  version = ">= 2.0.0"

  # This environment should match the environment defined in the environment.tf generated by `symflow init`
  environment       = local.environment_name
  runtime_role_arns = [module.runtime_connector.sym_runtime_connector_role.arn]
}

resource "sym_integration" "iam_context" {
  type        = "permission_context"
  name        = "main-iam"
  external_id = module.iam_connector.settings.account_id
  settings    = module.iam_connector.settings
}

Version 2.0.0 of the iam_connector module adds permissions that allow the Sym Runtime to determine if a given User is already in an AWS IAM group.

Optional: Enable the AWS IAM Integration in your sym_environment

If you want to call aws_iam SDK methods in the impl.py of a non-AWS IAM flow, then you will need to tell the Sym Runtime to use the sym_integration with the permissions configured from the iam_connector.

To enable the aws_iam SDK integration in non-AWS IAM Flows' impl.py, add the iam_context from the previous section to your sym_environment.integrations block.

resource "sym_environment" "this" {
  name            = var.environment_name
  runtime_id      = sym_runtime.this.id
  error_logger_id = sym_error_logger.slack.id

  integrations = {
    slack_id = sym_integration.slack.id

    # This `aws_iam_id` is required to be able to use the `aws_iam` SDK methods in non-AWS IAM Flows.
    # It tells the Sym Runtime to use the permissions defined by sym_integration.iam_context
    aws_iam_id = sym_integration.iam_context.id
  }
}

Invoke the AWS IAM SDK methods from impl.py

With these Terraform pieces in place, you can now call the sym.sdk.integrations.aws_iam methods from your impl.py.

from sym.sdk.annotations import hook
from sym.sdk.integrations import aws_iam
from sym.sdk.templates import ApprovalTemplate

@hook
def on_approve(event):
    # Ignore the approval unless the approving user is in the "Managers" IAM group.
    if not aws_iam.is_user_in_group(event.user, group_name="Managers"):
        return ApprovalTemplate.ignore(message="Only users in the Managers IAM Group can approve requests.")
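Building on the hook above, here is an added example impl.py (not from the Sym docs) that uses the same aws_iam.is_user_in_group method for two further checks: dropping requests from users already in the group they ask for (the membership check version 2.0.0 of iam_connector enables), and blocking self-approval. The prompt field name "group_name", event.get_actor("request"), and User.username are assumptions; the decision logic is kept in plain functions that take a membership lookup, so it can be exercised outside the Sym Runtime.

```python
# Added example, not the Sym docs' own impl.py.
try:
    from sym.sdk.annotations import hook
    from sym.sdk.integrations import aws_iam
    from sym.sdk.templates import ApprovalTemplate
except ImportError:  # outside the Sym Runtime only the decision functions run
    def hook(fn):
        return fn

APPROVER_GROUP = "Managers"  # constructed: the IAM group allowed to approve


def request_ignore_reason(is_member, target_group):
    """Message to ignore the request with, or None.
    is_member(group_name) -> bool wraps aws_iam.is_user_in_group for the requester."""
    if is_member(target_group):
        return f"You are already a member of the {target_group} IAM group."
    return None


def approval_ignore_reason(is_member, approver_is_requester):
    """Message to ignore the approval with, or None.
    is_member(group_name) -> bool wraps aws_iam.is_user_in_group for the approver."""
    if approver_is_requester:
        return "Requesters cannot approve their own access."
    if not is_member(APPROVER_GROUP):
        return f"Only users in the {APPROVER_GROUP} IAM group can approve requests."
    return None


@hook
def on_request(event):
    # Assumed prompt field "group_name" holds the requested IAM group.
    target = event.payload.fields["group_name"]
    is_member = lambda g: aws_iam.is_user_in_group(event.user, group_name=g)
    reason = request_ignore_reason(is_member, target)
    if reason:
        return ApprovalTemplate.ignore(message=reason)


@hook
def on_approve(event):
    # Assumed: event.get_actor("request") is the requesting User, identified by username.
    requester = event.get_actor("request")
    is_member = lambda g: aws_iam.is_user_in_group(event.user, group_name=g)
    same_person = requester.username == event.user.username
    reason = approval_ignore_reason(is_member, same_person)
    if reason:
        return ApprovalTemplate.ignore(message=reason)
```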