Okta Access Strategy


You can generate this!

You can automatically generate an AWS IAM Flow with symflow generate okta!

Sym and Okta combine to improve your security posture by reducing default access and requiring approval for escalations into privileged groups.


Okta workflow with Sym


Did you configure your Okta Integration?

Before continuing, make sure you followed the instructions on the main Okta page to set up your Okta API Key and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your Okta API Key with Sym
  • Defined an Okta Integration resource

Add Okta Access Targets

Define one sym_target resource with type = "okta_group" for each Okta Group you want to manage access to.

  • group_id: A required setting that must be set to the ID of the group being managed. The group ID is the last path segment of the URL when viewing the Group details in the Okta admin console (Directory > Groups > Select your Group).

resource "sym_target" "okta_admin_access" {
  type  = "okta_group"
  name  = "main-admin-access"
  label = "Admin Access"

  settings = {
    group_id = "00g12345xxx"
  }
}

resource "sym_target" "okta_s3_access" {
  type  = "okta_group"
  name  = "main-s3-access"
  label = "S3 Write Access"

  settings = {
    group_id = "00g67890xxx"
  }
}

Add an Okta Access Strategy

Define a sym_strategy resource with type = "okta" and include the Okta Integration and the Okta Access Targets you defined above.

resource "sym_strategy" "okta" {
  type           = "okta"
  name           = "main-okta-strategy"
  integration_id = sym_integration.okta.id

  # This must be a list of `okta_group` sym_target that users can request to be escalated to
  targets = [sym_target.okta_admin_access.id, sym_target.okta_s3_access.id]
}
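The targets and strategy above must agree with each other: every sym_target the strategy lists has to exist with type "okta_group", every group_id has to be a real Okta group ID (Okta group IDs start with "00g"), and a target that is defined but never listed in targets can never be requested. The following Python script, an added example that is not part of the Sym documentation or the Sym provider, runs those checks over a constructed copy of the configuration above. It parses the HCL with regular expressions that assume the resource layout shown on this page (one resource per block, closing brace in column 0), and group_id_from_url assumes the group ID is the last path segment of the admin URL, as the page describes.

```python
import re
from urllib.parse import urlparse

# Constructed sample modeled on the targets and strategy on this page; not
# the project's own code.
SAMPLE_HCL = '''
resource "sym_target" "okta_admin_access" {
  type  = "okta_group"
  name  = "main-admin-access"
  label = "Admin Access"

  settings = {
    group_id = "00g12345xxx"
  }
}

resource "sym_target" "okta_s3_access" {
  type  = "okta_group"
  name  = "main-s3-access"
  label = "S3 Write Access"

  settings = {
    group_id = "00g67890xxx"
  }
}

resource "sym_strategy" "okta" {
  type           = "okta"
  name           = "main-okta-strategy"
  integration_id = sym_integration.okta.id
  targets = [sym_target.okta_admin_access.id, sym_target.okta_s3_access.id]
}
'''

# Assumes one resource per block with the closing brace in column 0.
TARGET_RE = re.compile(r'resource "sym_target" "(\w+)" \{(.*?)\n\}', re.DOTALL)
STRATEGY_RE = re.compile(r'resource "sym_strategy" "(\w+)" \{(.*?)\n\}', re.DOTALL)
TARGET_REF_RE = re.compile(r"sym_target\.(\w+)\.id")
# Okta group IDs begin with "00g"; the doc's placeholders are shorter than
# real IDs, so only the prefix and character set are checked here.
GROUP_ID_RE = re.compile(r"^00g[A-Za-z0-9]+$")


def _quoted_attr(body, key):
    """Return the quoted string value of `key = "..."` inside a block body."""
    m = re.search(r"\b%s\s*=\s*\"([^\"]*)\"" % re.escape(key), body)
    return m.group(1) if m else None


def parse_targets(hcl):
    """Map each sym_target resource name to its type and group_id."""
    return {
        name: {"type": _quoted_attr(body, "type"),
               "group_id": _quoted_attr(body, "group_id")}
        for name, body in TARGET_RE.findall(hcl)
    }


def parse_strategy(hcl):
    """Return the first sym_strategy's name, type and referenced target names."""
    m = STRATEGY_RE.search(hcl)
    if not m:
        return None
    body = m.group(2)
    lst = re.search(r"targets\s*=\s*\[(.*?)\]", body, re.DOTALL)
    refs = TARGET_REF_RE.findall(lst.group(1)) if lst else []
    return {"name": m.group(1), "type": _quoted_attr(body, "type"), "targets": refs}


def group_id_from_url(url):
    """Extract the group ID from an Okta admin Group details URL (assumption:
    the ID is the final path segment)."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def check_okta_config(hcl):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    targets = parse_targets(hcl)
    for name, t in targets.items():
        if t["type"] != "okta_group":
            findings.append(f"target {name}: type must be okta_group, got {t['type']!r}")
        if not t["group_id"] or not GROUP_ID_RE.match(t["group_id"]):
            findings.append(f"target {name}: group_id {t['group_id']!r} is not an Okta group ID")
    strategy = parse_strategy(hcl)
    if strategy is None:
        findings.append("no sym_strategy defined")
        return findings
    if strategy["type"] != "okta":
        findings.append(f"strategy {strategy['name']}: type must be okta")
    for ref in strategy["targets"]:
        if ref not in targets:
            findings.append(f"strategy references undefined target {ref}")
    for name in targets:
        if name not in strategy["targets"]:
            findings.append(f"target {name} is defined but not listed in strategy targets")
    return findings


if __name__ == "__main__":
    for line in check_okta_config(SAMPLE_HCL) or ["config is consistent"]:
        print(line)
```

Run it against your own .tf files by reading them into the hcl argument; a non-empty findings list points at the exact target or strategy that would fail at request time.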

Add the Okta Strategy to your Flow

In your sym_flow resource, reference your Okta sym_strategy as the strategy_id in your Flow Parameters.

resource "sym_flow" "this" {
  name  = "okta"
  label = "Okta Group Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.okta.id

    # ... other Flow params not shown
  }
}

Full Example

You can find the complete code for this example in our Okta Access Strategy Example.