# Operation Roles

The `operation_roles.toml` file defines an app-level matrix of rules that map entity principals and operations to role names. It is placed at the root of your app config directory and synced via `nuon apps sync`.

Entity-level role overrides (inline `[[operation_roles]]` blocks on `sandbox.toml` and component configs, or the `role` field on action configs) take precedence over matrix rules. See the Operation Roles Guide for the full precedence chain.

## Properties
| Property | Type | Required | Description |
|---|---|---|---|
| `type` | string | ✅ Yes | Must be `"matrix"` |
| `rules` | array | No | Array of operation role rules |
## Rule Properties

Each element of the `rules` array must have the following fields:

| Property | Type | Required | Description |
|---|---|---|---|
| `principal` | string | ✅ Yes | Identifies which entity the rule applies to. See Principal Format below |
| `operation` | string | ✅ Yes | The operation the rule applies to. See Valid Operations below |
| `role` | string | ✅ Yes | The role name to use. Must match a role defined in `permissions.toml`. Supports Go template syntax |
## Principal Format

The `principal` field identifies the entity that is performing the operation.
| Entity | Principal Format | Example |
|---|---|---|
| Specific component | `nuon::component:<name>` | `nuon::component:my_lambda` |
| All components | `nuon::component:*` | `nuon::component:*` |
| Sandbox | `nuon::sandbox` | `nuon::sandbox` |
| Specific action | `nuon::action:<name>` | `nuon::action:db_migration` |
| All actions | `nuon::action:*` | `nuon::action:*` |

The `nuon::sandbox` principal has no name suffix: there is only one sandbox per install.
## Valid Operations by Entity

| Entity | Valid Operations |
|---|---|
| component | `deploy`, `teardown` |
| sandbox | `provision`, `reprovision`, `deprovision` |
| action | `trigger` |
## Role Name Templating

The `role` field supports Go template syntax. The template is rendered at runtime with the install's state variables before looking up the role in the stack outputs.

Common variables:

| Variable | Description |
|---|---|
| `{{.nuon.install.id}}` | The install ID; ensures per-install role isolation |
| `{{.nuon.install.sandbox.outputs.<key>.name}}` | Sandbox stack output values |

`provision_role`, `deprovision_role`, or `maintenance_role` must be declared as `custom_roles` in `permissions.toml`.
## Examples

### Full operation_roles.toml

`operation_roles.toml`

### Entity-Level Role in sandbox.toml

`sandbox.toml`

### Entity-Level Role in a Component Config

`components/my_lambda.toml`

### Action Role

`actions/db_migration.toml`
## Related

- Operation Roles Guide: full configuration walkthrough
- Operation Roles Concepts: mental model and precedence chain
- Permissions Config Reference: defining `custom_roles`
- Action Config Reference: `role` and `break_glass_role` fields
- Sandbox Config Reference: `operation_roles` array on sandbox