Temporary Access to Postgres with Sym

Jon Bass
May 19, 2022

Sym's workflow engine lets you seamlessly manage access to hosted infrastructure and SaaS services like AWS, Okta, and GitHub. But what do you do when you have an access management problem for an internal service like a database or admin tool? Sym has an answer for these use cases, too.

The key to making this magic work is Sym's AWS Lambda Strategy. With our Lambda strategy, all you need to do is give Sym the permission to invoke your Lambda function using the AWS Lambda Invoke API. Then your function can do the last mile of escalation using an event payload from Sym with all the details you need.

The net result of Sym's Lambda approach is our own brand of the “shared responsibility model”. Sym makes sure your users have access workflows available to them all the time with the right guardrails and logging. You make sure your Lambda function takes care of flipping the right switch in the target system.

To help get you started with these powerful workflows, we're releasing integrations that make working with Sym's Lambda strategy even easier. The first integration we've launched is for PostgreSQL. With our PostgreSQL integration, users request access to a target database role. Once approved, Sym invokes the Lambda function to toggle the requesting user's permissions in the target database.

In most cases you can get the integration provisioned in under an hour. To make things simpler for kicking the tires, we've included the configs to let you optionally provision an example database.

Lamdba Payload

Sym sends you an event payload with lots of metadata that you can use in your function, but we'll focus on three key things that you pretty much always need to account for. Armed with this information you can manage escalations and deescalations into your target system as needed.

Requesting User

The user that made the request is in the list of actors, specifically in event["run"]["actors"]["request"]["username"].

Target System

The target that the user requested access to in the flow selector modal. This is stored in event["fields"]["target"]["name"].

Event Type

Whether or not this is an escalate or deescalate event. You grab this from the event["event"]["type"] property.

SSH Tunneling via Session Manager

As a side note: the example database module in our PostgreSQL integration also includes a helper tool to tunnel to the database using AWS Session Manager. We'll cover more on tunneling and Session Manager in another post!

What's Next: More Lamdbas, Internal Apps

We're excited to see what folks build with our current PostgreSQL integration. To build on this, we will be releasing more examples of common Lambda patterns we're seeing over the next few weeks. Some of the specific things we're building:

  • Generating temporary credentials and responding with a link to access them using Sym's Lambda response handlers.
  • Hitting an internal API using the Python requests library.
  • … and more!

Escalate and Deescalate Permissions Anywhere

The Sym Swiss Army Knife also supports integrating with custom services without using a Lambda function, when it makes sense. If you want to integrate with internet-accessible services using the Python requests library, the Custom Strategy framework is for you! You can use the framework without requiring the maintenance of your own AWS Lambda function.

Recommended Posts