
Verify & confirm

How to know — and prove — that onboarding worked. Two halves: the trust-boundary check you run, and the ingestion confirmation Argmin gives back.

1. Prove the trust boundary (verify.sh)

Every onboarding module ships scripts/verify.sh. Run it from the module directory after terraform apply:

cd infra/<cloud>/onboarding
./scripts/verify.sh

What it does, by cloud:

AWS: Assumes the role under the same trust policy Argmin uses, then exercises one Get/List per granted service. Pass = success or an access-scoped 4xx that isn't 403. Any 403 is a permission gap; any 200 on a write API is a security finding.

GCP:

  1. Confirms the service account has no user-managed keys.
  2. Asserts every project-scope IAM binding is in the read-only allowlist.
  3. Impersonates the SA via WIF, attempts a write (e.g. bigquery.datasets.create), and asserts 403 Permission denied.

Azure:

  1. Confirms the service principal exists.
  2. Asserts every subscription-scope role assignment is Reader / Cost Management Reader / Monitoring Reader.
  3. Attempts a write and asserts AuthorizationFailed.

A clean exit (0) is your proof that Argmin has read access and only read access. A non-zero exit means either a permission gap (a read failed) or a security finding (a write succeeded) — don't proceed; share the output with your onboarding contact.
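
The Azure checks described above (an allowlist of Reader / Cost Management Reader / Monitoring Reader, and a write that must fail with AuthorizationFailed) can be cross-checked independently. The sketch below is an added example, not Argmin's verify.sh: the function name verify, the findings wording and the sample IDs are hypothetical, and it assumes role assignments parsed from the JSON output of az role assignment list.

```python
# Allowlist exactly as this page states it for the subscription-scope check.
READ_ONLY_ROLES = {"Reader", "Cost Management Reader", "Monitoring Reader"}

def verify(assignments, principal_id, subscription_id, write_error_code):
    """Return (exit_code, findings); exit_code is 0 only if every check holds.

    assignments: list of dicts parsed from `az role assignment list -o json`.
    write_error_code: ARM error code returned by the write probe, or None
    if the write succeeded.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    at_sub = [a for a in assignments
              if a.get("principalId") == principal_id
              and a.get("scope", "").rstrip("/").lower() == sub_scope]
    findings = []
    # "Every assignment is allowlisted" is vacuously true for an empty list,
    # so having no assignment at all is reported as a permission gap.
    if not at_sub:
        findings.append("permission gap: no subscription-scope role assignment")
    for a in at_sub:
        role = a.get("roleDefinitionName")
        if role not in READ_ONLY_ROLES:
            findings.append(f"security finding: role '{role}' is not read-only")
    if write_error_code is None:
        findings.append("security finding: write probe succeeded")
    elif write_error_code != "AuthorizationFailed":
        # Assumption: any other error does not prove denial, so it fails too.
        findings.append(f"inconclusive: write probe returned {write_error_code}")
    return (1 if findings else 0), findings

# Constructed sample input (placeholder IDs, not real tenant data).
SUB = "00000000-0000-0000-0000-000000000000"
SP = "11111111-1111-1111-1111-111111111111"
OTHER = "22222222-2222-2222-2222-222222222222"  # unrelated principal, ignored
SAMPLE = [
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": SP, "roleDefinitionName": "Cost Management Reader",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": OTHER, "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    code, findings = verify(SAMPLE, SP, SUB, "AuthorizationFailed")
    print(code, findings)
```

This check covers assignments made exactly at subscription scope, matching the wording above; assignments at narrower scopes are outside what it inspects.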

2. Confirm ingestion started (Argmin)

After you send your Terraform outputs, Argmin validates that the role/SP is reachable and begins ingestion. You'll get a confirmation email within 1 business day.

Within ~1–2 hours of that confirmation, the dashboard populates:

  • [ ] Team roster — from your identity inventory.
  • [ ] Cost data — in the budget view, from CUR / BigQuery billing export / Cost Management.
  • [ ] AI model inventory — Bedrock, Vertex AI, and/or Azure OpenAI models in use.

3. (Optional) Confirm a test event

If you wired up the ingestion API or proxy, send one event and watch it land:

curl -X POST https://<your-argmin-instance>/api/v1/invocations \
  -H "X-API-Key: $ARGMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"event_id":"test-001","ingestion_layer":"application","ingestion_timestamp":"2026-05-29T18:30:00Z","provider":"openai","requested_model":"gpt-4o","input_tokens":100,"output_tokens":50,"estimated_cost_usd":"0.003"}'

Expect 202 Accepted. The event appears under Attribution / Recent within ~30 seconds.

You're fully onboarded when

  • [x] verify.sh exits 0.
  • [x] Argmin has confirmed ingestion by email.
  • [x] The dashboard shows your roster, cost, and model inventory.
  • [x] (If using events) a test event appears in the dashboard.

Something not lining up? See Troubleshooting.