Use Sym to seamlessly shift users in and out of AWS SSO roles.


Sym's AWS SSO Strategy uses a dedicated IAM role to assign and unassign users from AWS SSO Permission Sets.


Consider your session lengths

Sym access will provide your users with the keys to access escalated permissions, but AWS still governs the bounding sessions. This means:

  • If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their session times out.
  • Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate.


This integration Strategy relies on a special connector

To use the AWS SSO Strategy, you'll need to set up the AWS SSO Connector module, too!

Example implementation

# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type = "aws_sso"
  name = "${var.environment}-strategy"

  integration_id =
  targets        = [for target in sym_target.targets :]

  settings = {
    instance_arn = var.instance_arn

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["arn"] => target }

  type  = "aws_sso_permission_set"
  name  = each.value["name"]
  label = each.value["label"]

  settings = {
    permission_set_arn = each.key
    account_id         = each.value["account_id"]

Did this page help you?