
Rotate & offboard

Credential rotation and clean removal, per cloud. All of it is terraform apply / terraform destroy plus a heads-up to Argmin.

Rotate

Recommended every 12 months.

AWS (external_id)

  1. Ask Argmin for a new external_id.
  2. Update external_id in terraform.tfvars and terraform apply.
  3. Confirm Argmin can assume the role with the new external_id before discarding the old value.

The role trust policy holds a single external ID, so the old value stops working as soon as the apply lands; sessions Argmin has already opened keep working only until their temporary credentials expire. Hand over the new value before you apply, not after.

GCP (wif_allowed_subjects)

wif_allowed_subjects is a list, so you can rotate with no downtime:

  1. Ask Argmin for the new subject string.
  2. Add it to the list (don't replace the old one yet) → terraform apply.
  3. Confirm Argmin is using the new subject.
  4. Remove the old subject → terraform apply again.

Azure

  • Workload Identity Federation — nothing to rotate; there are no long-lived secrets.
  • Client-secret fallback — the secret has a 90-day TTL by design. Re-run terraform apply before it expires; Argmin will walk you through the encrypted hand-off of the new value.
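The order of the GCP steps is what makes the rotation downtime-free, and the AWS step is a single swap. The helper below is an added example, not code from the onboarding module: it edits the two tfvars values programmatically, applies the add-then-remove order for wif_allowed_subjects, and refuses the orderings that would cut Argmin off (removing the old subject before the new one is present, or writing an empty list). It assumes the tfvars keys are literally external_id and wif_allowed_subjects, and the sample tfvars content is constructed.

```python
import re

# Constructed sample terraform.tfvars (not from the onboarding module); the
# key names external_id and wif_allowed_subjects are assumed from the docs.
SAMPLE_TFVARS = '''\
external_id          = "old-external-id"
wif_allowed_subjects = [
  "subject-old",
]
'''

# Matches the whole wif_allowed_subjects list, whether single- or multi-line.
_SUBJECTS_RE = re.compile(
    r'^(?P<head>[ \t]*wif_allowed_subjects[ \t]*=[ \t]*\[)(?P<body>.*?)(?P<tail>\])',
    re.MULTILINE | re.DOTALL,
)
# Matches the single external_id assignment (AWS).
_EXTERNAL_ID_RE = re.compile(r'^([ \t]*external_id[ \t]*=[ \t]*)"([^"]*)"', re.MULTILINE)


def read_subjects(tfvars: str) -> list[str]:
    """Return the current wif_allowed_subjects entries in file order."""
    m = _SUBJECTS_RE.search(tfvars)
    if m is None:
        raise ValueError("wif_allowed_subjects not found in terraform.tfvars")
    return re.findall(r'"([^"]*)"', m.group("body"))


def write_subjects(tfvars: str, subjects: list[str]) -> str:
    """Rewrite the list one entry per line. An empty allow-list would lock
    Argmin out entirely (that is offboarding, not rotation), so refuse it."""
    if not subjects:
        raise ValueError("refusing to write an empty wif_allowed_subjects")
    body = "\n" + "".join(f'  "{s}",\n' for s in subjects)
    return _SUBJECTS_RE.sub(lambda m: m.group("head") + body + "]", tfvars, count=1)


def safe_to_remove(subjects: list[str], old: str, new: str) -> bool:
    """Phase-2 guard: the replacement must already be in the list and differ
    from the old one, which also guarantees the list stays non-empty."""
    return new in subjects and old != new


def add_subject(tfvars: str, new: str) -> str:
    """Phase 1: append the new subject alongside the old one (safe to re-run)."""
    subjects = read_subjects(tfvars)
    if new in subjects:
        return tfvars
    return write_subjects(tfvars, subjects + [new])


def remove_subject(tfvars: str, old: str, new: str) -> str:
    """Phase 2: drop the old subject only after the new one is in place."""
    subjects = read_subjects(tfvars)
    if not safe_to_remove(subjects, old, new):
        raise ValueError(
            f"not removing {old!r}: {new!r} must be present first (run phase 1 and apply)"
        )
    return write_subjects(tfvars, [s for s in subjects if s != old])


def set_external_id(tfvars: str, new: str) -> str:
    """AWS has one external_id, so this is a plain swap: the old value stops
    working when the apply lands, which is why there is no two-phase option."""
    m = _EXTERNAL_ID_RE.search(tfvars)
    if m is None:
        raise ValueError("external_id not found in terraform.tfvars")
    if not new or new == m.group(2):
        raise ValueError("new external_id must be non-empty and differ from the current one")
    return _EXTERNAL_ID_RE.sub(lambda mm: f'{mm.group(1)}"{new}"', tfvars, count=1)


if __name__ == "__main__":
    phase1 = add_subject(SAMPLE_TFVARS, "subject-new")
    # ... terraform apply, then confirm with Argmin that the new subject is in use ...
    phase2 = remove_subject(phase1, "subject-old", "subject-new")
    # ... terraform apply again; separately, the AWS swap once Argmin holds the new ID ...
    print(set_external_id(phase2, "new-external-id"))
```

Write the returned text back to terraform.tfvars and run terraform plan between the two phases; the plan for phase 1 should only add an entry to the provider's attribute condition, and the plan for phase 2 should only remove one.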

Offboard (remove access)

cd infra/<cloud>/onboarding
terraform destroy

This removes everything the module created:

Cloud   Destroyed
AWS     The IAM role and its policies
GCP     The service account, the WIF pool/provider, and all IAM bindings
Azure   The application, the service principal, and all role assignments

Notify Argmin first

Tell your onboarding contact before you run terraform destroy, so attribution ingestion is paused cleanly rather than failing mid-read. After destroy, Argmin loses visibility within ~5 minutes.

Audit trail

Keep the granted_permissions / granted_roles output from your original terraform apply. It is the human-readable record of exactly what was granted, and pairs with the module source for a security review. If you did not save it, terraform output granted_permissions (or granted_roles) prints it again from state; capture it before you run terraform destroy, since destroy removes the outputs along with the resources.