AWS SSO
Use Sym to seamlessly shift users in and out of AWS SSO roles.
Overview
Sym's AWS SSO Strategy uses a dedicated IAM role to assign users to, and unassign them from, AWS SSO Permission Sets.
Consider your session lengths
Sym access gives your users the keys to escalated permissions, but AWS still governs the session that bounds those permissions. This means:
- If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their AWS session times out.
- Conversely, if your Sym access is longer than your default session length, users may be logged out partway through and have to re-authenticate.
This integration Strategy relies on a special connector: to use the AWS SSO Strategy, you'll need to set up the AWS SSO Connector module, too!
Example implementation
```hcl
# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type           = "aws_sso"
  name           = "${var.environment}-strategy"
  integration_id = data.sym_integration.sso.id
  targets        = [for target in sym_target.targets : target.id]

  settings = {
    instance_arn = var.instance_arn
  }
}

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["arn"] => target }

  type  = "aws_sso_permission_set"
  name  = each.value["name"]
  label = each.value["label"]

  settings = {
    permission_set_arn = each.key
    account_id         = each.value["account_id"]
  }
}
```
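The snippet above consumes `var.environment`, `var.instance_arn` and `var.targets` without defining them, and the session-length section above leaves the AWS side of the picture implicit. The following is an added example, not Sym's own code or documentation: it declares those three variables with a type constraint and a validation on the account ID, and shows an `aws_ssoadmin_permission_set` from the AWS provider with an explicit `session_duration`, so the AWS session bound can be chosen to match the Sym access window rather than left at the default. All ARNs, account IDs and names are placeholders.

```hcl
# Added example; not part of Sym's documentation. Placeholder values throughout.

variable "environment" {
  description = "Environment name used to label the Sym strategy"
  type        = string
  default     = "prod" # placeholder
}

variable "instance_arn" {
  description = "ARN of the AWS SSO (IAM Identity Center) instance"
  type        = string
  default     = "arn:aws:sso:::instance/ssoins-PLACEHOLDER" # placeholder
}

# One entry per permission set / account pair that Sym may assign.
# The keys match what sym_target.targets reads above: name, label, arn, account_id.
variable "targets" {
  description = "AWS SSO permission sets that Sym is allowed to grant"
  type = list(object({
    name       = string
    label      = string
    arn        = string
    account_id = string
  }))
  default = [
    {
      name       = "prod-read-only" # placeholder
      label      = "Prod Read-Only" # placeholder
      arn        = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER" # placeholder
      account_id = "111111111111" # placeholder
    }
  ]

  # Reject malformed account IDs at plan time instead of at assignment time.
  validation {
    condition     = alltrue([for t in var.targets : can(regex("^[0-9]{12}$", t.account_id))])
    error_message = "Every target account_id must be a 12-digit AWS account ID."
  }
}

# The AWS side of the session-length caveat: AWS bounds the session, so the
# permission set's session_duration (ISO 8601) decides how long an escalated
# session outlives the Sym access that granted it. Set Sym's access duration
# to match this value rather than relying on the provider default.
resource "aws_ssoadmin_permission_set" "prod_read_only" {
  name             = "prod-read-only" # placeholder
  description      = "Read-only access granted via Sym"
  instance_arn     = var.instance_arn
  session_duration = "PT1H" # one hour; align the Sym access window with this
}
```

With this in place the permission set's ARN (`aws_ssoadmin_permission_set.prod_read_only.arn`) is what belongs in the `arn` field of a `var.targets` entry; keeping `session_duration` short and explicit means a user whose Sym access lapses holds the escalated role for at most one more hour.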