Optional Configuration

Other common configurations for the Sym CLI that may be useful.

Setting a Default Resource

Use this so you don't have to specify the same sym resource on every sym command.

Prepending SYM_RESOURCE to every command can get tiresome. You can specify a default resource to run commands against using sym defaults, so that you only have to specify one manually when you want to override that default.

$ sym defaults:set resource staging
$ sym defaults resource
$ sym resources
prod (Prod)
* staging (Staging)
dogfood (Dogfood)
$ sym ssh i-05d82887a11ef35d2
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1111-aws x86_64)


You can unset a default with sym defaults:unset resource.

Configuring SAML Clients

The Sym CLI supports both aws-okta and saml2aws.

When Sym is connected to your IdP (such as Okta), escalated access to resources is often granted by temporarily adding you to a group that has delegated permission to assume an IAM Role.


This works by using your IdP credentials to obtain a SAML assertion containing the Role you want to assume, which AWS has previously been configured to accept in exchange for temporary STS credentials.

Most organizations handle the IdP-to-STS-via-SAML dance with one of two tools: aws-okta or saml2aws. Sym supports both of these tools. Normally, sym will simply select the best option (saml2aws if you have it installed, else the now-unmaintained aws-okta).

This is configurable by passing the --saml-client flag to sym, which defaults to auto.




Default to the saml2aws client, fall back to aws-okta.


Use the aws-okta client unconditionally.


Use the saml2aws client unconditionally.


Use predefined named AWS profiles unconditionally.

A common case for explicitly specifying a value is if both utilities are installed, but only one is set up.

For example, to list all EC2 instances in the prod environment using aws-okta, even if you have saml2aws installed, run the following:

sym --saml-client=aws-okta exec prod -- aws ec2 describe-instances
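
The selection rule above can be checked before running sym. The following shell helper is an added example, not part of the Sym CLI: it predicts what auto would choose and picks an explicit value when both tools are installed but saml2aws is not set up. The function names and the SAML2AWS_CFG variable are hypothetical, and treating a non-empty ~/.saml2aws file as "set up" is an assumption.

```shell
#!/bin/sh
# Added example (not Sym's own code). Mirrors the rule this page describes for
# --saml-client=auto: saml2aws if installed, otherwise aws-okta.

# have CMD: succeeds if CMD is found on PATH.
have() { command -v "$1" >/dev/null 2>&1; }

# auto_client: print the client the documented auto rule would select.
auto_client() {
    if have saml2aws; then
        echo saml2aws
    elif have aws-okta; then
        echo aws-okta
    else
        echo none
        return 1
    fi
}

# saml2aws_configured: ASSUMPTION - a non-empty saml2aws config file means the
# tool is set up. SAML2AWS_CFG is a variable local to this script (hypothetical).
saml2aws_configured() { [ -s "${SAML2AWS_CFG:-$HOME/.saml2aws}" ]; }

# pick_client: print the value to pass to --saml-client.
# Covers the case from the page: both utilities installed, only one set up.
# ASSUMPTION: if saml2aws is installed but unconfigured, aws-okta is the one in use.
pick_client() {
    if have saml2aws && have aws-okta && ! saml2aws_configured; then
        client=aws-okta
    else
        client=$(auto_client) || { echo "$client"; return 1; }
    fi
    if [ "$client" = aws-okta ]; then
        # The page describes aws-okta as unmaintained; surface that to the operator.
        echo "note: using aws-okta, which is no longer maintained" >&2
    fi
    echo "$client"
}

# Usage, with the command shown on this page:
#   sym --saml-client="$(pick_client)" exec prod -- aws ec2 describe-instances
```
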

Disabling Auto-Updates

By default, sym will check for updates and update itself once a day. If you'd like to disable this, you can run the following:

sym config:set autoupdate false

Disabling Telemetry

By default, sym will send analytics events to Segment so we can understand how people are using our product. If you'd like to disable this, you can run the following:

sym config:set analytics false
