Scoped SSO permission set so laptop agents stop running as AdministratorAccess #302
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#302
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Finding from the 2026-06-11/12 SSM audit (agentic-os-kai#655): laptop Claude/agent sessions run as the
AWSReservedSSO_AdministratorAccessrole - the same principal as Kai herself. Consequence: thealias/admin-onlyCMK (description: "Wraps SSM params under /<>/admin/ paths") cannot distinguish an agent from Kai, so the admin tier currently only protects against the fleet machine users (kai-server,kai-server-k3s,ser8, which havessm:*Parameter*and nokms:actions).Two candidate fixes, not mutually exclusive:
AgentAccess) granting the day-to-day surface (ssm get/put on non-admin paths, the usual service APIs) but excludingkms:Decrypton the admin-only key. Agent harnesses log in with the scoped profile, Kai keeps AdministratorAccess for herself. Open question: ergonomics of two SSO profiles on one laptop (AWS_PROFILE per session vs per-tool default).aws ssm get-parameter --with-decryptionwhen the name matches*/admin/*. Works today regardless of IAM, ships with the existing lockdown machinery, but only binds agents routed through coily (defense in depth, not a boundary by itself - the harness allowlist already forces coily routing, so in practice it covers the agent path).Context: the audit shrank the admin-tier candidate set to near zero because most secrets are agent- or cluster-consumed, but the tier becomes meaningful the moment laptop agents stop being account admins.