PAYCARGO · AI-SANDBOX · PROCESS

0Provision Human Admin Access to AI-sandbox

How the first human identity enters the AI-sandbox AWS account so Terraform can run.
Block: Pre-bootstrap (Block 0) · Owner: the platform architect · Cost: $0/month · Permanence: Permanent — this is the steady-state human-access path
Completed

What was done: Bound the local AWS CLI to PayCargo's IAM Identity Center, then federated into the AI-sandbox account with the AdministratorAccess permission set.

Outcome: Authenticated as mtang@paycargo.com on account 959228203854 with admin-grade SSO credentials. No long-lived keys on disk. Ready for Block 1 (bootstrap apply).

Executive Summary

Got the operator's laptop authenticated to PayCargo's AI-sandbox AWS account, using the most secure path AWS offers.

Every action that builds the AI infrastructure has to be done as some identity. The choice of which identity (PayCargo Identity Center SSO, a one-off IAM user, or root) shapes the security posture of the platform from the very first action. Identity Center with MFA and short-lived tokens was chosen, which means the credential cannot be stolen and reused for more than a few hours, and can be centrally revoked the instant the operator leaves. This is also the path every future engineer onboarding to AI-sandbox will use.

StatusCompleted
Cost$0/month
EffortPlan: ~1 week (project scoping)
Apply: ~25 min
Review: ~15 min
RiskNone

If skipped: No way to deploy any AI-sandbox infrastructure. This step is the first credential gate; nothing downstream can run without it.

1. Why this step exists

Every other block in the AI-sandbox build (bootstrap, identity, network, data, observability, and so on) is applied by either a human from a laptop or by CI from a GitHub Actions workflow. Bootstrap creates the CI identity (a deploy role assumable via OIDC federation). Nothing in the codebase creates the human identity, because nothing can create an identity inside an AWS account it has not yet entered.

The one-line summary

Bootstrap is the first Terraform apply. Step 0 is what has to happen before Terraform can run at all. A human with administrator privileges in the AI-sandbox account must surface those credentials to the local AWS CLI before terraform apply can authenticate.

Why bootstrap cannot solve this for you

Bootstrap creates a deploy role for GitHub Actions to assume via OIDC. That role is a machine identity, intended for CI workflows running inside GitHub. It is not assumable by a human laptop, and it requires bootstrap to have already run successfully. So bootstrap depends on a human identity being present, and the human identity must therefore exist first.

What this step is, in one sentence

Configure the local AWS CLI so that it can authenticate to the AI-sandbox AWS account as a named human with administrator privileges, using credentials that are short-lived, MFA-protected, and centrally revocable.

2. What was configured

PayCargo operates an AWS IAM Identity Center instance for the organization. Identity Center is AWS's native single-sign-on service: it manages users (or syncs them from an external IdP), assigns them permission sets on specific AWS accounts, issues short-lived federated credentials when those users log in, and tracks every authentication and authorization decision in CloudTrail.

This step bound the local AWS CLI to that Identity Center instance and authenticated into the AI-sandbox account with the AdministratorAccess permission set.

Concrete configuration

PayCargo Identity Center portal URL
https://d-90676daaf9.awsapps.com/start
AI-sandbox AWS account ID
959228203854
SSO user
mtang@paycargo.com
SSO permission set
AdministratorAccess
Federated role ARN (as CloudTrail records it)
arn:aws:sts::959228203854:assumed-role/AWSReservedSSO_AdministratorAccess_1f350a57e8032361/mtang@paycargo.com
Local AWS CLI profile name
ai-sandbox
Local SSO session name (in ~/.aws/config)
paycargo

Two files on the local machine changed:

No file was created in ~/.aws/credentials. There are no static access keys associated with this identity.

3. How a new engineer reproduces this

This is the steady-state onboarding path for any future engineer joining the AI-sandbox build. Three prerequisites must be met by the PayCargo admin first; the engineer then runs five commands locally.

Prerequisites (done by the PayCargo Identity Center admin)

  1. The engineer's user exists in PayCargo's Identity Center (either created in the built-in store or synced from an external IdP).
  2. The user has been assigned the AdministratorAccess permission set on the AI-sandbox account (or a narrower permission set if appropriate to their role — admin is required only for bootstrap-level changes).
  3. The engineer knows the Identity Center portal URL: https://d-90676daaf9.awsapps.com/start.

Local CLI setup

# Always pass an explicit --profile name to avoid silently overwriting
# an existing profile (see Gotcha 1).
aws configure sso --profile ai-sandbox

# Answer the prompts:
#   SSO session name:           paycargo
#   SSO start URL:              https://d-90676daaf9.awsapps.com/start
#   SSO region:                 us-east-1
#   SSO registration scopes:    (press Enter to accept the default)
#
# Browser opens to authenticate. Pick:
#   Account:                    AI-Sandbox (959228203854)
#   Permission set:             AdministratorAccess
#
# Continue answering:
#   CLI default Region:         us-east-1
#   CLI default output format:  json
#   CLI profile name:           ai-sandbox  (must match the --profile above)

# Log in and confirm
aws sso login --profile ai-sandbox
aws sts get-caller-identity --profile ai-sandbox

# Set as the active profile for the shell session
export AWS_PROFILE=ai-sandbox

Subsequent sessions only need aws sso login --profile ai-sandbox (browser opens for re-auth, takes ~10 seconds). The SSO token caches for 12 hours by default.

4. What this step secures

The choice of Identity Center as the human-access path (rather than IAM users with access keys, or the AWS account's root user) is consequential. The properties it secures:

Property Identity Center (this path) IAM users w/ keys Root user
No long-lived credentials on disk Yes — SSO tokens expire in 12 hours No — access keys persist until rotated No — root keys persist forever
MFA enforced on every credential issuance Yes — via Identity Center MFA policy Optional, requires explicit IAM policy Not enforced for programmatic use
Centrally revocable Yes — disable user in Identity Center, all sessions invalidate Per-key, per-account rotation needed Account closure or manual key deletion
Audit trail attributable to a named human Yes — ARN includes the user's email Only by IAM user name; mapping to human is fragile No human attribution at all
Permission boundary survives the credential Yes — permission set is independent of session Policy attached to user; deletion of user takes policy with it Root is not constrained by any boundary
Scales cleanly to multiple engineers Yes — one click in Identity Center per new user Per-account IAM user creation, key distribution, rotation Cannot share root

What this step deliberately does not secure

5. Cost & permanence

Cost

$0/month. AWS IAM Identity Center is free at the AWS layer. There is no per-user, per-session, or per-permission-set charge. If PayCargo wires Identity Center to an external IdP (Okta, Google Workspace, Azure AD) via SCIM, the external IdP may have its own per-user cost; that is independent of AWS and is unaffected by this step.

Permanence

Permanent. Identity Center is the steady-state human-access path for the AI-sandbox account (and, by extension, every other PayCargo AWS account that uses the same Identity Center instance). There is no follow-on deletion, rotation, or migration required. SSO tokens auto-expire and auto-renew per session; no manual operator intervention is required for normal operation.

The local CLI profile ([profile ai-sandbox] in ~/.aws/config) and the SSO session ([sso-session paycargo]) persist on the engineer's laptop. If the laptop is lost or replaced, the config can be regenerated by re-running the aws configure sso sequence in Section 3.

6. Verification

The single command that confirms Step 0 succeeded:

$ aws sts get-caller-identity --profile ai-sandbox
{
    "UserId":  "AROA56VTU2NHFJN5IF4EE:mtang@paycargo.com",
    "Account": "959228203854",
    "Arn":     "arn:aws:sts::959228203854:assumed-role/AWSReservedSSO_AdministratorAccess_1f350a57e8032361/mtang@paycargo.com"
}

Three things must be true in the output for the step to be considered closed:

  1. Account equals 959228203854 — the AI-sandbox account, not the PayCargo management account, not a sibling sub-account.
  2. Arn starts with arn:aws:sts::<account>:assumed-role/AWSReservedSSO_ — confirming this is a federated SSO identity, not an IAM user.
  3. The role name contains AdministratorAccess — required for bootstrap, since bootstrap creates IAM, KMS, and Organizations-touching resources.

If any of the three is wrong, do not proceed to Block 1. Diagnose and fix the CLI configuration first.

7. How to view the work in AWS Console

The work product of this step is mostly invisible at the AWS Console (it's a credential path, not a deployed resource). But three places confirm what's set up.

What to seeWhere to lookWhat confirms success
SSO portal accepts your login Browser → https://d-90676daaf9.awsapps.com/start → log in with PayCargo email + MFA You see a list of AWS accounts. The AI-Sandbox (959228203854) tile appears and offers the AdministratorAccess role.
You're in the right account Click AI-SandboxAdministratorAccess → "Management console" link AWS Console opens. Top right: account dropdown reads AI-Sandbox (959228203854) and the federated user line reads AWSReservedSSO_AdministratorAccess_1f350a57e8032361/mtang@paycargo.com.
Your local CLI is bound to the same identity Terminal: aws sts get-caller-identity --profile ai-sandbox Returns Account: 959228203854 and the same AWSReservedSSO_AdministratorAccess_ ARN as the console.

Why this matters

The match between the browser console identity and the CLI identity is the verification that Step 0 succeeded. They are the same federated session viewed two different ways. If they diverge (different accounts, different ARN shapes), the CLI is talking to the wrong place — do not proceed to Step 1.

8. Gotchas encountered (real, not theoretical)

Two CLI-level issues surfaced during this step. Documented here so the next engineer does not lose time to the same things.

Gotcha 1 — aws configure sso silently reuses the previous profile name

The CLI does not always explicitly prompt for a profile name at the end of aws configure sso. If a previous SSO profile exists on the laptop, the CLI defaults the new SSO binding to that profile name and writes it without confirmation, silently overwriting the previous profile's config.

On this laptop, a profile named nvisionx existed (from an unrelated consulting client). After running aws configure sso for PayCargo without an explicit profile name, the [profile nvisionx] block in ~/.aws/config was rewritten to point at the PayCargo Identity Center and AI-sandbox account, breaking the nvisionx CLI binding.

Fix applied: manually renamed the mislabeled profile in ~/.aws/config to ai-sandbox. The nvisionx access still worked because a sibling profile bound to the same SSO session existed; without that, full nvisionx reconfiguration would have been required.

Prevention for future engineers: always pass an explicit --profile <name> flag:

aws configure sso --profile ai-sandbox

This forces the CLI to write under the named profile regardless of any defaults.

Gotcha 2 — "I have SSO to AWS" is ambiguous and cost real diagnostic time

The engineer told the assistant they had SSO to AWS. This was taken to mean either federated SSO via an external IdP or Identity Center, without verification. The conversation looped for a long time trying to diagnose whether Identity Center existed for PayCargo, whether the engineer had been provisioned into it, and whether the existing paycargo-ocr IAM-user profile was the only credential path.

The resolution was a single screenshot: the AWS console account dropdown, showing the federated user string AWSReservedSSO_AdministratorAccess_1f350a57e8032361/mtang@paycargo.com. The AWSReservedSSO_ prefix is unambiguous evidence of Identity Center. The conversation could have ended an hour earlier with that screenshot up front.

Prevention for future engineers: when surfacing AWS access for a new account, the fastest disambiguation is to log into the AWS console in a browser and screenshot (or paste the text of) the federated user string from the account dropdown. The presence or absence of AWSReservedSSO_ answers in two seconds what abstract questions take much longer to chase down.

8. Doctrine implications

How Step 0 is handled tells future engineers what the security culture of this platform is. Three doctrine principles trace directly back to this choice.

No long-lived credentials

The AI-sandbox doctrine assumes credentials are either time-bounded (SSO tokens, OIDC web identity tokens, STS-issued temporary credentials) or do not exist at all (the deploy role created by bootstrap has no static keys). The permission boundary deployed in bootstrap blocks IAM user creation precisely to enforce this. Step 0 using Identity Center reinforces the doctrine from the very first credential the platform ever sees.

Every action is attributable to a named human

CloudTrail logs the identity of every API call. The federated SSO role ARN includes the user's email address, making the link from log entry to human intrinsic and self-documenting. With an IAM user named mike-bootstrap, the link from log to human depends on someone remembering who that user was, which decays over time.

The blast radius of the founding credential equals the blast radius of the platform

Whoever can authenticate as the bootstrap operator can do anything inside the account during the bootstrap window. There is no permission boundary yet; bootstrap is the thing that deploys it. This is the only window of unrestricted access in the lifetime of the platform. The credential used for that window is short-lived (12-hour SSO token), MFA-protected (Identity Center MFA on issuance), and centrally revocable (one click in Identity Center invalidates every session). This is the most defensible posture available without changing the AWS API surface.

The takeaway

Step 0 looks like plumbing. It is actually the most consequential identity decision in the build — the credential that does bootstrap has unconstrained access to the AI-sandbox account for the duration of that apply. Using Identity Center for it is the difference between "the platform's first credential exemplifies the doctrine" and "the platform's first credential is the first exception to the doctrine." The doctrine is more credible when it has no exceptions.

9. What comes next

Step 0 is complete the moment aws sts get-caller-identity returns the AI-sandbox account ID with a federated SSO admin ARN (see Section 6). Immediately proceed to Block 1 — bootstrap apply.

Block 1 will:

After Block 1 succeeds, every subsequent module (identity, network, data, observability, and so on) is applied via CI, not from a laptop. The human credential established in Step 0 stays in place for break-glass and for re-applying bootstrap itself, but day-to-day operations move off the laptop entirely.