SSH Tunnel

The Sym CLI can tunnel an SSH connection to any instance, allowing any application which works over SSH to use your escalated privileges.

While most applications can use temporary credentials generated from your escalated privileges via sym exec, occasionally you'll want to simply open an SSH connection to an instance and let an application use it. Sym has native support for several applications, including Ansible, but also exposes a ProxyCommand-based tunnel for general SSH usage.

The general idea is to prefix your command with sym ssh-tunnel RESOURCE. This will let Sym wrap your command with options that point to an SSH config containing your temporary credentials.



You'll have to manually specify both the destination instance and SSH user in your command. For example, with scp, this means passing something like USER@INSTANCE as the source / destination.


A common use of the ssh-tunnel command is to use Sym with SCP. For example, to copy a file from a remote instance, you would do the following.

First, request access to your resource and wait for it to be approved.


You can list your resources if you're not sure what's available! Remember, you can always specify the SYM_RESOURCE environment variable instead of passing the resource to sym as an option.

Then, run the following in your terminal.

sym ssh-tunnel RESOURCE scp USER@INSTANCE:~/file.txt file.txt


You can specify the instance by IP address, hostname, or Instance ID.

You should now have file.txt available locally!


Occasionally, using sym ssh-tunnel will fail on an instance you haven't accessed in a while. If this happens to you, you can use the following command to fix things:

sym ssh RESOURCE INSTANCE --force-ssh
