With Sym and Okta you can get the benefits of flexible just-in-time group assignments and escalations with a great GRC platform.

Connect Sym with your AWS Secrets Manager

Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.

Create an Okta API User and Token

We recommend that you create a dedicated Okta user with administrative access to the Groups that your integrations will manage.

To do this, use the Okta Admin Console to create a new user, and then give the user the following administrative permissions:

  • Group Membership Administrator
  • Read Only Administrator
  • Can administer specific groups only

Underneath the last bullet, select any Groups for which you'd like to provide escalated access via Sym.


Permissions required for the Okta Bot User.

Once the user is created, you will need to sign in as this user to create an API Key for them.

Share your Okta API Key with Sym

Follow the Share Secrets with the Sym Runtime tutorial to share your Okta API Key. We recommend using the plain style secret.

# Note: This example snippet shows only the Okta specific resources.
resource "aws_secretsmanager_secret" "okta_api_key" {
  name        = "main/okta-api-key"
  description = "API Key for Sym to call Okta APIs"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the 
    # aws_iam_policy.secrets_manager_access in your `secrets.tf` file
    SymEnv = local.environment_name

resource "sym_secret" "okta_api_key" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  path      = aws_secretsmanager_secret.okta_api_key.name

Add an Okta Integration

Define a sym_integration resource with type = okta. This integration will specify the Okta API key, and is necessary for the Okta SDK methods and Access Strategy.

  • external_id: Your Okta Domain
  • api_token_secret: A required setting which must be set to the ID of a sym_secret referencing your Okta API key.
resource "sym_integration" "okta" {
  type        = "okta"
  name        = "main-okta-integration"
  # Your Okta Domain
  external_id = "dev-12345.okta.com"

  settings = {
    # This secret was defined in the previous step
    api_token_secret = sym_secret.okta_api_key.id

Next Steps

With your Okta API Key and Integration configured, you can now: