Overview

Sym's AWS SSO Strategy uses a dedicated IAM role to assign and unassign users from AWS SSO Permission Sets.

🚧
Consider your session lengths
Sym access will provide your users with the keys to access escalated permissions, but AWS still governs the bounding sessions. This means:

If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their session times out.

Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate.

📘
This integration Strategy relies on a special connector
To use the AWS SSO Strategy, you'll need to set up the AWS SSO Connector module, too!

Example implementation

# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type = "aws_sso"
  name = "${var.environment}-strategy"

  integration_id = data.sym_integration.sso.id
  targets        = [for target in sym_target.targets : target.id]

  settings = {
    instance_arn = var.instance_arn
  }
}

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["arn"] => target }

  type  = "aws_sso_permission_set"
  name  = each.value["name"]
  label = each.value["label"]

  settings = {
    permission_set_arn = each.key
    account_id         = each.value["account_id"]
  }
}

AWS SSO

Overview

🚧
Consider your session lengths

📘
This integration Strategy relies on a special `connector`

Example implementation

Overview

🚧Consider your session lengths

📘This integration Strategy relies on a special connector

Example implementation

🚧
Consider your session lengths

📘
This integration Strategy relies on a special `connector`