Trust & security
The whole integration is built so you can verify Argmin's claims rather than trust them. This page is what to tell your security reviewer.
Read-only, enforced three ways
Argmin reads. Argmin does not write into customer environments. That isn't a promise — it's enforced at three layers:
- The modules only request reads. Onboarding Terraform requests exclusively `Get/List/Describe` (and equivalents). No write actions appear in any policy.
- A platform gate blocks violations from shipping. `check_permissions.py` runs in the platform's CI gate stack; an onboarding module that requests any write permission cannot merge to `main`.
- You prove it yourself. Every module ships `scripts/verify.sh`, which exercises one read and one write per granted service. Reads must pass; writes must fail. Any successful write exits the script non-zero. See Verify & confirm.
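
A reviewer can run the same kind of check independently of the platform gate. The following is an added example, not Argmin's `check_permissions.py`: it assumes the policy under review is available as IAM JSON and that only the `Get`/`List`/`Describe` verbs count as reads; the function names and the sample policy are constructed for illustration.

```python
import json
import sys

# Assumption: the page names Get/List/Describe "and equivalents"; this example
# treats only those three verbs as reads. It is a naming heuristic, not a proof.
READ_PREFIXES = ("get", "list", "describe")

def _as_list(value):
    """IAM accepts a single string/object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only if every action the pattern can match begins with a read verb."""
    service, sep, name = action.partition(":")
    if not sep or "*" in service or "?" in service:
        return False                      # bare "*" or wildcard service
    # IAM action names are case-insensitive. A wildcard is fine only after the
    # verb ("s3:Get*"); "s3:*" or "s3:G*" could match writes, so they fail here.
    return name.lower().startswith(READ_PREFIXES)

def find_write_grants(policy_json):
    """Return Allow entries in an IAM policy document that are not provably reads."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements grant nothing
        if "NotAction" in stmt:
            findings.append("NotAction")  # allows everything except the listed actions
            continue
        findings += [a for a in _as_list(stmt.get("Action")) if not is_read_only(a)]
    return findings

# Constructed sample policy, not taken from any Argmin module.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "s3:Get*", "organizations:ListAccounts"]},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:*"},
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:PutObject", "logs:describeLogGroups"]},
    {"Effect": "Allow", "Resource": "*", "NotAction": "iam:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"},
]})

if __name__ == "__main__":
    bad = find_write_grants(SAMPLE_POLICY)
    print("write-capable grants:", bad or "none")
    sys.exit(1 if bad else 0)             # non-zero fails the CI step
```

An empty result only means no action name falls outside the read verbs; the `scripts/verify.sh` read/write probe remains the behavioural check.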
No long-lived secrets
| Cloud | Default auth | Secret exposure |
|---|---|---|
| AWS | Cross-account AssumeRole, scoped by a per-customer external_id, 15-minute session TTL | No static credentials; nothing exported |
| GCP | Workload Identity Federation | No service-account keys are ever created — the module refuses |
| Azure | Federated credential (OIDC) | No secret by default; optional 90-day client-secret fallback, never in outputs |
The AWS external_id is a confused-deputy mitigation: Argmin can only assume the
role when presenting the exact per-customer string, so a leaked role ARN alone is
not enough to assume it.
Least privilege
Each module grants the minimum needed for attribution:
- AWS — Cost Explorer, CUR bucket read (that bucket only), pricing, optional Bedrock metadata, CloudWatch/CloudTrail read, IAM/Organizations listing.
- GCP — `bigquery.dataViewer` (optionally pinned to one dataset), `monitoring.viewer`, `logging.viewer`, `serviceusage.serviceUsageConsumer`.
- Azure — Reader, Cost Management Reader, Monitoring Reader; optional APIM / Event Hub reads only if you enable them.
No content capture
Argmin's pipeline never stores prompt or completion text. The InvocationEvent
schema has no field for message content. Attribution is metadata-only.
Fail-open
The decision-time interceptor cannot block your traffic. It runs on a hard latency budget with a hardware-level timeout and forwards regardless of Argmin's health.
You stay in control
- Rotate credentials any time — see Rotate & offboard.
- Revoke instantly with `terraform destroy`; Argmin loses visibility within minutes.
- Everything Argmin can do is visible in the module source you deployed.
References
- Trust-boundary doc: `docs/architecture/TRUST-BOUNDARY.md`
- Security policy: https://github.com/argmin-com/.github/blob/main/SECURITY.md
- Permission gate: `scripts/check_permissions.py` in the platform repo