AWS SSO

Use Sym to seamlessly shift users in and out of AWS SSO roles.

Overview

Sym's AWS SSO Strategy uses a dedicated IAM role to assign and unassign users from AWS SSO Permission Sets.

🚧

Consider your session lengths

Sym grants and revokes the Permission Set assignment, but AWS still governs the role sessions that the assignment unlocks. Removing an assignment does not invalidate credentials a user has already obtained, so:

  • If your Sym access is shorter than the Permission Set's session duration, a user who has already assumed the escalated role keeps it until that session expires, which can be well after Sym has revoked the assignment.
  • Conversely, if your Sym access is longer than the session duration, users may be logged out mid-grant and have to re-authenticate to keep using the role.
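To make the caveat concrete, the following added example (not Sym's or AWS's code) compares each Permission Set's `SessionDuration` with the length of a Sym access grant and reports how long an already-issued role session can keep running after Sym unassigns the user. The permission-set records are constructed to mimic the `PermissionSet` object returned by `sso-admin:DescribePermissionSet`; the names, durations and the `assess`/`report` helpers are assumptions for illustration.

```python
"""Flag AWS SSO Permission Sets whose role sessions can outlive a Sym access grant.

Added example for this page; it is not Sym's or AWS's code. The permission-set
records below are constructed to mimic the PermissionSet object returned by
sso-admin:DescribePermissionSet (only Name and SessionDuration are used).
"""
import re
from dataclasses import dataclass

# AWS stores SessionDuration as an ISO 8601 duration, e.g. "PT1H", "PT12H", "PT1H30M".
_ISO_DURATION = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_iso_duration(value: str) -> int:
    """Convert an ISO 8601 duration (days/hours/minutes/seconds only) to seconds."""
    match = _ISO_DURATION.match(value)
    if match is None or value in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    parts = {key: int(num or 0) for key, num in match.groupdict().items()}
    return (parts["days"] * 86400 + parts["hours"] * 3600
            + parts["minutes"] * 60 + parts["seconds"])


@dataclass(frozen=True)
class SessionRisk:
    permission_set: str
    session_seconds: int  # session length AWS enforces for the Permission Set
    grant_seconds: int    # Sym access length, i.e. when Sym unassigns the user

    @property
    def max_overhang_seconds(self) -> int:
        """Worst case: a role assumed an instant before Sym revokes the assignment
        stays valid for the full session length, because unassignment does not
        invalidate credentials that were already issued."""
        return self.session_seconds

    @property
    def every_session_outlives_grant(self) -> bool:
        """The first bullet above: when the session is longer than the Sym grant,
        even a session opened at the start of the grant is still valid when Sym
        revokes the assignment."""
        return self.session_seconds > self.grant_seconds


def assess(permission_sets, sym_access: str) -> list:
    """Evaluate every Permission Set against a Sym access length such as 'PT2H'."""
    grant = parse_iso_duration(sym_access)
    return [
        SessionRisk(ps["Name"], parse_iso_duration(ps["SessionDuration"]), grant)
        for ps in permission_sets
    ]


def report(risks) -> list:
    """One human-readable line per Permission Set."""
    lines = []
    for r in risks:
        verdict = "OUTLIVES GRANT" if r.every_session_outlives_grant else "ok"
        lines.append(
            f"{r.permission_set}: session {r.session_seconds // 60} min, "
            f"grant {r.grant_seconds // 60} min, "
            f"up to {r.max_overhang_seconds // 60} min after revocation [{verdict}]"
        )
    return lines


# Constructed sample data, not real API output.
SAMPLE_PERMISSION_SETS = [
    {"Name": "ReadOnly", "SessionDuration": "PT1H"},
    {"Name": "AdministratorAccess", "SessionDuration": "PT12H"},
    {"Name": "Deploy", "SessionDuration": "PT1H30M"},
]

if __name__ == "__main__":
    for line in report(assess(SAMPLE_PERMISSION_SETS, "PT2H")):
        print(line)
```

The practical rule it encodes: the Permission Set's session duration, not the Sym access length, bounds how long escalated credentials can survive revocation, so keep `SessionDuration` on Sym-managed Permission Sets short and treat the Sym grant length as the time during which new sessions can be opened.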

📘

This integration Strategy relies on a special connector

To use the AWS SSO Strategy, you'll need to set up the AWS SSO Connector module, too!

Example implementation

# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type = "aws_sso"
  name = "${var.environment}-strategy"

  # The AWS SSO integration provided by the AWS SSO Connector module
  integration_id = data.sym_integration.sso.id
  targets        = [for target in sym_target.targets : target.id]

  settings = {
    # ARN of the AWS SSO instance that owns the Permission Sets
    instance_arn = var.instance_arn
  }
}

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  # Key the map by Permission Set ARN so each target has a stable address
  for_each = { for target in var.targets : target["arn"] => target }

  type  = "aws_sso_permission_set"
  name  = each.value["name"]
  label = each.value["label"]

  settings = {
    # The Permission Set to assign, and the account it is assigned in
    permission_set_arn = each.key
    account_id         = each.value["account_id"]
  }
}
