Sym provides both a first-party Access Strategy for moving users in and out of GitHub repos, and an SDK convenience method to check repo collaborators for approval routing.

Connect Sym with your AWS Secrets Manager

Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.

Create a GitHub Access Token

In order to grant Sym access to GitHub, you'll need to create a new access token. To do so, go to your Github settings page then navigate to Settings -> Developer settings -> Personal access tokens then "Generate a new token".

The following permission scopes are required for Sym to invite and remove access to your organization's Github repositories:

  • read:org
  • repo
  • user:email

Share your GitHub Access Token with Sym

Follow the Share Secrets with the Sym Runtime tutorial to share your credentials. We recommend using the plain style secret.

# Note: This example snippet shows only the GitHub specific resources.

# aws secretsmanager put-secret-value --secret-id "main/github-access-token" --secret-string "YOUR-GITHUB-ACCESS-TOKEN"
resource "aws_secretsmanager_secret" "github_access_token" {
  name        = "main/github-access-token"
  description = "API Key for Sym to call GitHub APIs"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the 
    # aws_iam_policy.secrets_manager_access in your `` file
    SymEnv = local.environment_name

resource "sym_secret" "github_access_token" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id =

  path      =

Add a GitHub Integration

Define a sym_integration resource with type = github. This integration will specify the GitHub access token, and is necessary for the GitHub SDK methods and Access Strategy.

  • external_id: Your GitHub Organization
  • api_token_secret: A required setting which must be set to the ID of a sym_secret referencing your GitHub access token
resource "sym_integration" "github" {
  type        = "github"
  name        = "main-github-integration"

  # Your GitHub Organization name
  external_id = "sym-test"

  settings = {
    # This secret was defined in the previous step
    api_token_secret =

Next Steps

With your GitHub credentials and Integration configured, you can now: