AWS IAM Identity Center (SSO) Access Strategy

Use Sym to seamlessly shift users in and out of AWS SSO roles.

Sym's AWS SSO Strategy uses a dedicated IAM role to assign and remove users from AWS SSO Permission Sets in a given AWS Account.

Connect the Sym Runtime with your AWS Account

Follow the Connect the Sym Runtime with your AWS Account tutorial on the main AWS page to set up your Runtime Connector module and Runtime Permission Context.

Add an AWS SSO Integration

Define the SSO Connector

The AWS SSO Access Strategy relies on a dedicated module, sso-connector. This module defines the AWS IAM resources that allow Sym to assign and remove users from SSO Permission Sets in your AWS Account.

module "sso_connector" {
  source  = "symopsio/sso-connector/aws"
  version = ">= 1.0.0"

  environment = "main"
  runtime_role_arns = [module.runtime_connector.settings.role_arn]
}

Define the AWS SSO Permission Context Integration

Define a sym_integration resource with type = permission_context. This tells Sym to assume the IAM Role created by the SSO Connector module when managing your SSO Permission Set assignments; the sym_strategy resource defined later references this integration.

  • external_id: The instance_arn output from module.sso_connector.settings
  • settings: The settings output from module.sso_connector

resource "sym_integration" "sso_context" {
  type = "permission_context"
  name = "sso-context-main"

  external_id = module.sso_connector.settings.instance_arn
  settings    = module.sso_connector.settings
}

Add AWS SSO Access Targets

Define sym_target resources with type = aws_sso_permission_set for all of the AWS SSO Permission Sets that you wish to manage.

  • account_id: The AWS Account ID in which the AWS SSO Permission Set will be assigned
  • permission_set_arn: The ARN of the AWS SSO Permission Set

resource "sym_target" "aws_sso" {
  type  = "aws_sso_permission_set"
  name  = "aws-sso-target-main"
  label = "AWS SSO Test Target"

  settings = {
    account_id = var.aws_sso_account_id
    permission_set_arn = aws_ssoadmin_permission_set.this.arn
  }
}

Add an AWS SSO Access Strategy

Define a sym_strategy resource with type = aws_sso and include the AWS SSO Permission Context and AWS SSO Access Targets you defined above.

  • instance_arn: The instance_arn output from module.sso_connector.settings

resource "sym_strategy" "aws_sso" {
  type           = "aws_sso"
  name           = "aws-sso-strategy-main"

  integration_id = sym_integration.sso_context.id
  targets        = [sym_target.aws_sso.id]

  settings = {
    instance_arn = module.sso_connector.settings.instance_arn
  }
}

Add the AWS SSO Strategy to your Flow

resource "sym_flow" "this" {
  name  = "sso-access-main"
  label = "AWS SSO Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.aws_sso.id

    # ... other Flow params not shown
  }
}

Full Example

You can find the complete code for this example in our AWS IAM Identity Center (SSO) Strategy Example.
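For reference, the following configuration wires the steps above together in one place. It is an added example written for this page, not the project's example file. The aws_ssoadmin_permission_set resource (which the Target above references but the page does not define), the aws_caller_identity data source and the runtime_connector module source are assumptions; the Sym resources use only the attributes shown in the sections above.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    sym = { source = "symopsio/sym" }
  }
}

# Assumed: the Target below grants access in the account running this
# configuration; any other Account ID works as long as the Permission Set
# is provisioned there.
data "aws_caller_identity" "current" {}

# Runtime Connector from the main AWS tutorial (module source assumed here).
module "runtime_connector" {
  source  = "symopsio/runtime-connector/aws"
  version = ">= 1.0.0"

  # ... inputs as set in the Runtime Connector tutorial
}

# SSO Connector: the IAM role Sym assumes to manage Permission Set assignments.
module "sso_connector" {
  source  = "symopsio/sso-connector/aws"
  version = ">= 1.0.0"

  environment       = "main"
  runtime_role_arns = [module.runtime_connector.settings.role_arn]
}

# The Permission Set Sym will hand out (assumed resource, not on the page).
# session_duration is the AWS-side bound on a session that has already been
# issued: if Sym revokes the assignment before it elapses, the user keeps the
# escalated session until it expires, so keep it no longer than the Sym
# access window you intend to grant.
resource "aws_ssoadmin_permission_set" "this" {
  name             = "sym-escalated-access"
  instance_arn     = module.sso_connector.settings.instance_arn
  session_duration = "PT1H"
}

resource "sym_integration" "sso_context" {
  type = "permission_context"
  name = "sso-context-main"

  external_id = module.sso_connector.settings.instance_arn
  settings    = module.sso_connector.settings
}

# One Target per (Account, Permission Set) pair.
resource "sym_target" "aws_sso" {
  type  = "aws_sso_permission_set"
  name  = "aws-sso-target-main"
  label = "Escalated access in ${data.aws_caller_identity.current.account_id}"

  settings = {
    account_id         = data.aws_caller_identity.current.account_id
    permission_set_arn = aws_ssoadmin_permission_set.this.arn
  }
}

resource "sym_strategy" "aws_sso" {
  type = "aws_sso"
  name = "aws-sso-strategy-main"

  integration_id = sym_integration.sso_context.id
  targets        = [sym_target.aws_sso.id]

  settings = {
    instance_arn = module.sso_connector.settings.instance_arn
  }
}

resource "sym_flow" "this" {
  name  = "sso-access-main"
  label = "AWS SSO Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.aws_sso.id

    # ... other Flow params not shown
  }
}
```

Keeping the Permission Set in the same configuration as the Sym Target makes the session_duration visible next to the access it bounds, which is the relationship the session-length caveat below depends on.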

🚧 Consider your session lengths

Sym grants and revokes the Permission Set assignment, but AWS still governs the session that the assignment produces: the Permission Set's session duration bounds how long a session a user has already started stays valid. This means:

  • If your Sym access window is shorter than the session duration, a user who has already signed in with the escalated Permission Set keeps that session until it expires, even after Sym has removed the assignment.
  • Conversely, if your Sym access window is longer than the session duration, the user's session may expire mid-window and they will have to re-authenticate to continue.

Advanced Concepts

Supply the AWS Account ID Dynamically

If you have many AWS Accounts and don't want to create a separate Target for every Permission Set/Account ID combination, you can use Dynamic Targets.

Add an Account ID Prompt Field

In your sym_flow configuration, add a new prompt_field named account_id. This adds a text field labelled "Account ID" to the Slack Request Modal.

Note that this prompt field must have name = "account_id", because its value populates the required account_id setting of the AWS SSO Access Target.

resource "sym_flow" "this" {
  name  = "aws_sso_access"
  label = "AWS SSO Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.this.id

    prompt_field {
      name     = "account_id"
      label    = "Account ID"
      type     = "string"
      required = true
    }
  
    # ... other prompt_fields and Flow params not shown
  }
}

Define a Dynamic Target

Define a target for each AWS SSO Permission Set, but with a special attribute called field_bindings. This attribute indicates that the account_id setting will be populated dynamically by the requester.

The field binding must be account_id, because this is the required setting that is being dynamically populated.

resource "sym_target" "permission-set" {
  type  = "aws_sso_permission_set"

  name  = "permission-set-name"
  label = "Permission Set Name"

  # A special attribute that indicates the `account_id` setting is dynamic
  field_bindings = ["account_id"]
  
  settings = {
    permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-aaaaaaaaaaaaaaaa/ps-aaaaaaaaaaaaaaaa"
  }
}

With these changes, each request includes a text input in which the requester specifies the AWS Account ID to be escalated into. Because this value is free text and is used as typed, approvers should confirm that the requested account is one the requester is entitled to before approving.
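The single dynamic Target above generalises to any number of Permission Sets. The following is an added example, not code from the original page: a map of Permission Set ARNs drives a for_each over sym_target, and the Strategy collects every generated Target. The map values are constructed placeholder ARNs, the resource names are assumptions, and the Flow keeps the page's elided attributes.

```hcl
# Constructed placeholder ARNs; replace with your own Permission Sets.
locals {
  dynamic_permission_sets = {
    "read-only"  = "arn:aws:sso:::permissionSet/ssoins-aaaaaaaaaaaaaaaa/ps-bbbbbbbbbbbbbbbb"
    "power-user" = "arn:aws:sso:::permissionSet/ssoins-aaaaaaaaaaaaaaaa/ps-cccccccccccccccc"
  }
}

# One dynamic Target per Permission Set. account_id is deliberately absent
# from settings; the field binding fills it from the requester's
# "account_id" prompt field at request time.
resource "sym_target" "dynamic" {
  for_each = local.dynamic_permission_sets

  type  = "aws_sso_permission_set"
  name  = "aws-sso-${each.key}"
  label = "AWS SSO ${each.key}"

  field_bindings = ["account_id"]

  settings = {
    permission_set_arn = each.value
  }
}

resource "sym_strategy" "this" {
  type = "aws_sso"
  name = "aws-sso-dynamic-main"

  integration_id = sym_integration.sso_context.id
  targets        = [for target in sym_target.dynamic : target.id]

  settings = {
    instance_arn = module.sso_connector.settings.instance_arn
  }
}

resource "sym_flow" "this" {
  name  = "aws_sso_access"
  label = "AWS SSO Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.this.id

    # The name must be exactly "account_id" to bind to the Targets above.
    prompt_field {
      name     = "account_id"
      label    = "Account ID"
      type     = "string"
      required = true
    }

    # ... other prompt_fields and Flow params not shown
  }
}
```

In practice, populate the map from aws_ssoadmin_permission_set resources or data sources rather than literal ARNs, so the Targets stay in sync with what actually exists in IAM Identity Center.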