Sym provides both a first-party Access Strategy for moving users in and out of OneLogin roles as well as several SDK convenience methods to help customize your access rules.

Connect Sym with your AWS Secrets Manager

Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.

Create a OneLogin API User and Credentials

We recommend that you create a dedicated OneLogin user with administrative access to Roles that your integrations will manage.

To do this, use the OneLogin Admin Console to create a new user, then give the user "Super User" privileges. Once the user is created, you will need to sign in as this user and create an API credential pair with "Manage all" privileges.


Permissions required for the OneLogin API credential pair


Regarding Super User Privileges

Currently, only Super User privileges provide the ability to assign and remove users from OneLogin roles. Please see their docs for more information about the different privilege levels.

Share your OneLogin Credential Pair with Sym

Follow the Share Secrets with the Sym Runtime tutorial to share your OneLogin Client Secret with Sym. We recommend using the plain style secret.

# Note: This example snippet shows only the OneLogin specific resources.
resource "aws_secretsmanager_secret" "onelogin_client_secret" {
  name        = "main/onelogin-client-secret"
  description = "API Client Secret for Sym to call OneLogin APIs"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the 
    # aws_iam_policy.secrets_manager_access in your `` file
    SymEnv = local.environment_name

resource "sym_secret" "onelogin_client_secret" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id =
  path =

Add a OneLogin Integration

Define a sym_integration resource with type = onelogin. This Integration will specify the OneLogin Client ID and Client Secret, and is necessary for the OneLogin SDK methods and Access Strategy.

  • external_id: This is your OneLogin Domain.
  • client_id: This must be set to the Client ID you received when you created your OneLogin API Credential Pair above.
  • client_secret: This must be set to the ID of a sym_secret referencing your OneLogin API Credential Pair Client Secret.
resource "sym_integration" "onelogin" {
  type = "onelogin"
  name = "main-onelogin-integration"

  # This is your OneLogin Domain.
  external_id = ""

  settings = {
    # This Client ID was created as part of your OneLogin API Credential Pair.
    client_id     = "0a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f6789"
    # This secret was defined in the previous step.
    client_secret =

Next Steps

With your OneLogin API Credential Pair and Integration configured, you can now: