Permissions
Properties
| Property | Type | Description | Values | Example |
|---|---|---|---|---|
| `provision_role` | AppAWSIAMRole | Provisioning IAM role. IAM role used during initial provisioning of the install, with permissions to set up resources. | Optional | - |
| `deprovision_role` | AppAWSIAMRole | Deprovisioning IAM role. IAM role used for tearing down the install and cleaning up resources. | Optional | - |
| `maintenance_role` | AppAWSIAMRole | Maintenance IAM role. IAM role used for day-to-day maintenance, updates, and operational tasks. | Optional | - |
| `custom_roles` | array | Custom IAM roles. Additional IAM roles for specialized operations beyond the standard provision/maintenance/deprovision lifecycle. Each role must have `type` set to `custom`. | Optional | - |
| `roles` | array | List of permission roles. Array of role definitions in the directory-based permission structure. Each role must have a `type` field (`provision`, `maintenance`, `deprovision`, or `custom`). | Optional | - |
provision_role
| Property | Type | Description | Values | Example |
|---|---|---|---|---|
| `name` | string | Name of the role. Name used for the role in the target cloud platform. Supports Go templating using standard template variables (e.g., `{{.nuon.install.id}}`). | ✅ Required | `"app-{{.nuon.install.id}}-role"`, `"admin-role"` |
| `description` | string | Description of the role. Human-readable description that explains the role's purpose. Rendered in the installer to customers. Supports templating. | ✅ Required | `"Provides S3 bucket access for the application"`, `"Database migration role with elevated permissions"` |
| `policies` | array | Policy definitions for the role. List of policies to attach to the role. Each policy defines cloud-specific permissions (AWS IAM policies, GCP IAM permissions, or GCP predefined roles). | ✅ Required | - |
| `type` | string | Role type in the permission directory. Used when defining permissions in a directory. Indicates when the role is active (`provision`, `maintenance`, or `deprovision`). Supports templating. | Optional | `"provision"`, `"maintenance"`, `"deprovision"` |
| `cloud_platform` | string | Target cloud platform. Cloud platform this role targets. Determines which downstream renderer processes the role (e.g., AWS CloudFormation vs GCP IAM). Defaults to `aws` if omitted. | Optional; one of `"aws"`, `"azure"`, `"gcp"` | `"aws"`, `"gcp"` |
| `display_name` | string | Display name of the role. Human-readable display name shown in the installer UI. Supports templating. | Optional | `"Application S3 Access"`, `"Database Admin"` |
| `permissions_boundary` | string | [AWS only] Permissions boundary policy. Optional ARN of a permissions boundary policy. Limits the maximum permissions the role can have. Supports templating and external file sources: HTTP(S) … | Optional | `"./provision_boundary.json"`, `"./maintenance_boundary.json"` |
| `enabled_in_stack` | boolean | Whether the role is enabled by default in the CloudFormation stack. Controls the default value of the Enable parameter for this role in the CloudFormation stack. When true, the role is created by de… | Optional | - |
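The constraints in the two tables above (required fields, the allowed `type` and `cloud_platform` values, the `custom_roles` type rule, the `aws` default, and `permissions_boundary` being AWS-only) can be checked before a config is handed to the installer. The following is an added example written for this page, not Nuon's own code; it also flags an AWS lifecycle role that sets no `permissions_boundary`, which is a least-privilege check of this example's own, not a rule the page states, and it uses an empty `policies` list because the policy schema is not shown on this page.

```python
# Added example, not Nuon's code: checks role definitions against the table rules.
from typing import Any

ROLE_TYPES = {"provision", "maintenance", "deprovision", "custom"}
CLOUD_PLATFORMS = {"aws", "azure", "gcp"}
REQUIRED_FIELDS = ("name", "description", "policies")


def validate_role(role: dict[str, Any], *, custom: bool = False,
                  require_type: bool = False) -> list[str]:
    """Return the problems found in one role definition (empty list means valid)."""
    label = role.get("name") or "<unnamed role>"
    problems = [f"{label}: missing required field '{k}'"
                for k in REQUIRED_FIELDS if k not in role]
    role_type = role.get("type")
    if role_type is None and require_type:
        problems.append(f"{label}: entries under 'roles' must set 'type'")
    elif role_type is not None and role_type not in ROLE_TYPES:
        problems.append(f"{label}: unknown type '{role_type}'")
    if custom and role_type != "custom":
        problems.append(f"{label}: entries under 'custom_roles' must have type 'custom'")
    platform = role.get("cloud_platform", "aws")  # an omitted platform defaults to aws
    if platform not in CLOUD_PLATFORMS:
        problems.append(f"{label}: unsupported cloud_platform '{platform}'")
    if platform != "aws" and "permissions_boundary" in role:
        problems.append(f"{label}: permissions_boundary is AWS-only")
    # Least-privilege check (an assumption of this example, not a rule on the page):
    # an AWS lifecycle role with no boundary has no cap on what its policies grant.
    if platform == "aws" and role_type != "custom" and not role.get("permissions_boundary"):
        problems.append(f"{label}: warning: no permissions_boundary set")
    return problems


def validate_permissions(cfg: dict[str, Any]) -> list[str]:
    """Validate a whole permissions block: the singular lifecycle roles plus both arrays."""
    problems: list[str] = []
    for key in ("provision_role", "maintenance_role", "deprovision_role"):
        if key in cfg:
            problems += validate_role(cfg[key])
    for role in cfg.get("custom_roles", []):
        problems += validate_role(role, custom=True)
    for role in cfg.get("roles", []):
        problems += validate_role(role, require_type=True)
    return problems


# Constructed sample: a well-formed provision role and a custom role with two mistakes
# (policies left empty because their schema is not shown on this page).
SAMPLE_CONFIG = {
    "provision_role": {"name": "app-{{.nuon.install.id}}-provision", "type": "provision",
                       "description": "Sets up install resources", "policies": [],
                       "permissions_boundary": "./provision_boundary.json"},
    "custom_roles": [{"name": "migrator", "description": "DB migrations", "policies": [],
                      "cloud_platform": "gcp", "permissions_boundary": "./boundary.json"}]}
```

Running `validate_permissions(SAMPLE_CONFIG)` reports the missing `custom` type and the non-AWS boundary on `migrator` and nothing for the provision role.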