
Onboard your cloud to Argmin

Argmin is the enterprise system of record for AI consumption. It links every AI inference request — across providers, services, code owners, identities, and budgets — into a single attribution graph, so finance and engineering can see and optimize exactly where AI spend goes.

This site is for engineers connecting a customer environment to Argmin. Follow it end to end and you'll be live in 30 minutes or less.

Start the 30-minute quickstart | Connect a cloud now


What onboarding actually is

Argmin reads your cloud's cost, usage, and identity data — it never writes into your environment. There are two integration surfaces; most customers only need the first.

  • 1. Connect your cloud (required)


    Deploy one small, read-only Terraform module in your AWS, GCP, or Azure account. It grants Argmin scoped Get/List/Describe access to billing, usage, and identity data — and nothing else. A bundled verify.sh proves the read-only boundary holds before you hand anything back.

    Connect your cloud

  • 2. Send events (optional)


    For request-level attribution beyond cloud billing data, emit InvocationEvents directly to the ingestion API, or route provider calls through Argmin's drop-in, fail-open proxy. Both are optional and additive.

    Send events

The onboarding path

Every cloud follows the same six-step shape, so multi-cloud teams see a predictable flow:

graph LR
  A[1. Get values<br/>from Argmin] --> B[2. Fill<br/>terraform.tfvars]
  B --> C[3. terraform<br/>apply]
  C --> D[4. Run<br/>verify.sh]
  D --> E[5. Send outputs<br/>to Argmin]
  E --> F[6. Argmin<br/>confirms ingestion]

| Step | You do | Time |
|------|--------|------|
| 1 | Email contact@argmin.co, receive your cloud-specific values | 5 min (mostly waiting) |
| 2 | Fill terraform.tfvars with those values + your bucket/dataset | 5 min |
| 3 | terraform init && terraform apply | 5 min |
| 4 | Run ./scripts/verify.sh to confirm read-only access works | 2 min |
| 5 | Reply with the Terraform outputs (role ARN / SA email / client ID) | 3 min |
| 6 | Argmin validates and starts ingestion | (≤ 1 business day) |

Why it's safe by design

  • Read-only, always. Onboarding modules request only Get/List/Describe. A platform gate (check_permissions.py) blocks any module that asks for a write permission from ever shipping.
  • You can prove it. Every module ships a verify.sh that exercises a read and a write per service — reads must pass, writes must fail. Any successful write is a security finding and fails the script.
  • No long-lived secrets. GCP and Azure default to Workload Identity Federation; no keys are exported. AWS uses external-ID-scoped cross-account assume-role.
  • No content capture. Argmin's pipeline never stores prompt or completion text.
  • Fail-open. The decision-time interceptor can never block your production traffic.

Read the trust & security model
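
One way to express the read-only gate described above for an AWS IAM policy document, as an added example: this is not Argmin's check_permissions.py, and the function names and the sample policy are constructed for illustration. It accepts an action only when its verb starts with Get, List or Describe, and flags wildcards and NotAction that could widen the grant to writes.

```python
import json
import sys

READ_PREFIXES = ("get", "list", "describe")  # the three verbs the page names

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_read_only(action):
    """True only if the verb starts with a full read prefix (case-insensitive)."""
    service, sep, verb = action.lower().partition(":")
    if not sep or "*" in service or "?" in service:
        return False  # bare "*" or a wildcarded service name
    # "s3:Get*" passes; "s3:*" and "s3:G*" do not: the wildcard could match writes.
    return verb.startswith(READ_PREFIXES)

def write_findings(policy_json):
    """Return (statement index, offending grant) for every Allow that is not read-only."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant a write
        if "NotAction" in stmt:
            findings.append((i, "NotAction"))  # allows everything except the listed actions
            continue
        findings.extend((i, a) for a in _as_list(stmt.get("Action")) if not is_read_only(a))
    return findings

# Constructed sample policy, not taken from any Argmin module.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "s3:ListBucket", "bedrock:List*"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:PutObject", "cloudtrail:*"]},
    {"Effect": "Allow", "Resource": "*", "NotAction": "iam:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"},
]})

if __name__ == "__main__":
    found = write_findings(SAMPLE_POLICY)
    for idx, action in found:
        print(f"statement {idx}: non-read-only grant {action}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the module in CI
```

Run against the rendered policy JSON in CI; a non-zero exit means at least one statement grants more than Get/List/Describe.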

Pick your cloud

  •   AWS

    Cross-account IAM role: Cost Explorer, CUR bucket, Bedrock, CloudWatch/CloudTrail, identity inventory.

    AWS guide

  •   Google Cloud

    Service account via Workload Identity Federation: BigQuery billing export, Monitoring, Logging, Service Usage.

    GCP guide

  •   Azure

    Service principal via federated credential: Reader, Cost Management Reader, Monitoring Reader.

    Azure guide

Need a hand?

Onboarding is white-glove. Email contact@argmin.co at any point and a human will help you finish. See Support.