Once approved for a given resource, you can execute commands with temporary elevated credentials for that resource using sym exec RESOURCE -- command.

Steps

1. Make sure you've installed Sym and logged in. For this guide, we'll assume you see a Sym resource called prod when you list resources.
2. Request Access to the prod resource and wait for it to be approved.
3. Use the sym exec command:

For example, after successfully requesting access to the prod resource, you can run aws-cli commands against your production environment:

$ sym exec prod -- aws ec2 describe-instances
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                { ... }
            ],
            ...
        }
    ]
}

📘

sym exec works very similarly to aws-okta exec or aws-vault exec

If you need a copy of the credentials for the elevated role, you can simply access the environment variables.

$ sym exec prod -- env | grep AWS
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=%%%
AWS_SECRET_ACCESS_KEY=%%%
AWS_SESSION_TOKEN=%%%
AWS_SECURITY_TOKEN=%%%
AWS_SESSION_EXPIRATION=2020-04-16T11:16:27Z

📘

You can also use the SYM_RESOURCE environment variable to specify the resource, which makes commands like exec more ergonomic:

SYM_RESOURCE=prod sym exec env