Okta
With Sym and Okta you can get the benefits of flexible just-in-time group assignments and escalations with a great GRC platform.
Connect Sym with your AWS Secrets Manager
Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.
Create an Okta API User and Token
We recommend that you create a dedicated Okta user with administrative access to the Groups that your integrations will manage.
To do this, use the Okta Admin Console to create a new user, and then give the user the following administrative permissions:
- Group Membership Administrator
- Read Only Administrator
- Can administer specific groups only
Underneath the last bullet, select any Groups for which you'd like to provide escalated access via Sym.

Permissions required for the Okta Bot User.
Once the user is created, you will need to sign in as this user to create an API Key for them.
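The permission list above only helps if the bot user stays that narrow, so here is a least-privilege check as an added example (not Sym's or Okta's code). It assumes you have fetched the user's admin roles and each role's group targets from Okta's Roles API (GET /api/v1/users/{userId}/roles and .../roles/{roleId}/targets/groups); the function name, the sample responses and the group IDs are constructed for illustration, and an empty target list is treated as an unscoped role.

```python
import json

# Role types the setup above calls for (Okta role "type" values).
EXPECTED_ROLES = {"GROUP_MEMBERSHIP_ADMIN", "READ_ONLY_ADMIN"}

# Constructed sample data, shaped like Okta's role-list and group-target responses.
SAMPLE_ROLES = json.loads("""[
  {"id": "ra1-constructed", "type": "GROUP_MEMBERSHIP_ADMIN", "status": "ACTIVE"},
  {"id": "ra2-constructed", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
  {"id": "ra3-constructed", "type": "SUPER_ADMIN", "status": "ACTIVE"}
]""")
SAMPLE_TARGETS = {  # role id -> groups the role is scoped to
    "ra1-constructed": [
        {"id": "00g-eng-constructed", "profile": {"name": "eng-prod-access"}},
        {"id": "00g-fin-constructed", "profile": {"name": "finance-admins"}},
    ],
}


def audit_bot_roles(roles, targets_by_role, sym_managed_group_ids):
    """Return a sorted list of least-privilege findings for the Okta bot user."""
    findings = []
    active = [r for r in roles if r.get("status") == "ACTIVE"]
    present = {r["type"] for r in active}
    for role_type in sorted(present - EXPECTED_ROLES):
        findings.append(f"unexpected role: {role_type}")
    for role_type in sorted(EXPECTED_ROLES - present):
        findings.append(f"missing role: {role_type}")
    for role in active:
        if role["type"] != "GROUP_MEMBERSHIP_ADMIN":
            continue
        targets = targets_by_role.get(role["id"], [])
        if not targets:
            # Assumption: no group targets means the role covers every group.
            findings.append("GROUP_MEMBERSHIP_ADMIN is not scoped to specific groups")
        for group in targets:
            if group["id"] not in sym_managed_group_ids:
                findings.append(f"extra group target: {group['profile']['name']}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_bot_roles(SAMPLE_ROLES, SAMPLE_TARGETS, {"00g-eng-constructed"}):
        print(finding)
```

An empty result means the bot user holds exactly the two roles listed above and its group administration is limited to the groups Sym manages.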
Share your Okta API Key with Sym
Follow the Share Secrets with the Sym Runtime tutorial to share your Okta API Key. We recommend using the plain style secret.
# Note: This example snippet shows only the Okta specific resources.
resource "aws_secretsmanager_secret" "okta_api_key" {
  name        = "main/okta-api-key"
  description = "API Key for Sym to call Okta APIs"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the
    # aws_iam_policy.secrets_manager_access in your `secrets.tf` file
    SymEnv = local.environment_name
  }
}

resource "sym_secret" "okta_api_key" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  path      = aws_secretsmanager_secret.okta_api_key.name
}
Add an Okta Integration
Define a sym_integration resource with type = okta. This integration will specify the Okta API key, and is necessary for the Okta SDK methods and Access Strategy.
- external_id: Your Okta Domain
- api_token_secret: A required setting which must be set to the ID of a sym_secret referencing your Okta API key.
resource "sym_integration" "okta" {
  type = "okta"
  name = "main-okta-integration"

  # Your Okta Domain
  external_id = "dev-12345.okta.com"

  settings = {
    # This secret was defined in the previous step
    api_token_secret = sym_secret.okta_api_key.id
  }
}
Next Steps
With your Okta API Key and Integration configured, you can now:
- Use the Okta SDK Integration
- Configure an Okta Access Strategy