Set up a custom IAM role that customers can grant access to, instead of using the Nuon built-in roles.

This feature is still in Beta, and currently can only be turned on by the Nuon team internally.

What Is Install Access Delegation

By default, Nuon installs require that the customer grant one-time access to one or more Nuon accounts to set up the install. This is done via cross-account IAM, by establishing a trust relationship with two Nuon AWS accounts:

  • 814326426574 - our sandbox provisioner account
  • 007754799877 - our runner provisioner account

If you would rather not have your customers grant access to a Nuon account, and instead have them grant access to an account of your own, you can set up delegation.

This requires setting up an IAM role in your account that your customers grant access to, and that Nuon in turn is allowed to assume. When an install is created, Nuon assumes your IAM role and uses it to access the customer account, so the customer's trust relationship names your role rather than a Nuon account.

Setup Delegation

To set up delegation for your application, you will need to create a new IAM role that your customers grant access to, instead of granting access to Nuon's default IAM roles.

Currently, for GovCloud installs, you must also set up an IAM user and share static credentials to configure your app.

Delegation Role Setup

You can use our published Terraform module to create a delegation IAM role that grants Nuon the ability to provision installs.

Export the module's iam_role_arn output and share it with the Nuon team to configure your app.

We recommend enabling support access, so we can help you debug your delegation role while setting up your application.

Manual Setup

To set up IAM role delegation manually, follow these steps in the AWS console.

  1. Create the following IAM policy. It will be attached to the IAM role you create in the next step. It allows that role to call sts:AssumeRole against any role ARN; which customer roles it can actually assume is decided by the trust policy each customer attaches on their side, so the wildcard here does not by itself grant access to any account.
{
  "Statement": [
    {
      "Action": ["sts:AssumeRole"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
  2. Create an IAM role in your own account, designed for cross-account access. In the AWS console this is the “Custom trust policy” option. We’ll refer to this as the “IAM delegate role”. Attach the policy from step 1 and the following custom cross-account trust policy to your IAM delegate role. This grants Nuon access to assume and use it. Note that each principal below is an account root ARN, which admits any principal in that Nuon account whose own IAM policy allows sts:AssumeRole on your role, so do not add accounts beyond the ones Nuon gives you:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::676549690856:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::007754799877:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::814326426574:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::766121324316:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  3. Export the ARN of your IAM role. If you are using GovCloud, see the GovCloud section below. Otherwise, set this value in the aws_delegation_iam_role_arn field of the [sandbox] section of your application configuration and sync your application.

  4. Update the IAM role setup in your installers, Terraform and anywhere else it appears by substituting your delegation IAM role ARN for the Nuon role ARNs in the default trust relationships for your sandbox.

The “Create IAM policies with CloudFormation” section of the hosted installers automatically works with delegated permissions once they have been set up.
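The manual steps above produce two JSON documents for the delegate role and then require every customer-side trust relationship to be rewritten to name that role. The following Python is an added example, not Nuon's Terraform module or console output: it generates the two documents from the Nuon account IDs listed on this page, lints a trust policy pasted back from the console so that a wildcard principal, a stray account or a non-AssumeRole action is caught before the role goes live, and performs the customer-side substitution. The delegation role ARN, the Nuon role names and the "default" customer trust policy used for the demo are constructed placeholders.

```python
"""Build and sanity-check the delegation role documents from the manual setup above.
Added example, not Nuon's Terraform module or console output. The Nuon account IDs
are the ones in the trust policy on this page; the delegation role ARN and the
"default" customer-side trust policy used in the demo are constructed placeholders."""
import json

# Nuon accounts the delegate role must trust (copied from the trust policy above).
NUON_ACCOUNT_IDS = ("676549690856", "007754799877", "814326426574", "766121324316")

# Constructed placeholders for the customer-side rewrite; the role names are hypothetical.
DEMO_DELEGATION_ROLE_ARN = "arn:aws:iam::111122223333:role/nuon-delegate"
DEMO_NUON_ROLE_ARNS = {
    "arn:aws:iam::814326426574:role/sandbox-provisioner",
    "arn:aws:iam::007754799877:role/runner-provisioner",
}
DEMO_DEFAULT_CUSTOMER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": sorted(DEMO_NUON_ROLE_ARNS)}}],
}


def build_assume_role_policy() -> dict:
    """Identity policy attached to the delegate role. Resource "*" is what the page
    prescribes; the customers' trust policies decide which roles it can really assume."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}


def build_delegation_trust_policy(account_ids=NUON_ACCOUNT_IDS) -> dict:
    """Trust policy for the delegate role: one statement per Nuon account root."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": f"NuonAccount{acct}", "Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{acct}:root"},
                           "Action": "sts:AssumeRole"} for acct in account_ids]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    parts = arn.split(":")  # arn:partition:iam::ACCOUNT:resource
    return parts[4] if len(parts) == 6 else ""


def lint_trust_policy(doc: dict, expected_accounts=NUON_ACCOUNT_IDS) -> list:
    """Findings for a trust policy pasted back from the console. An empty list means it
    trusts exactly the expected account roots, for sts:AssumeRole only."""
    findings, seen = [], set()
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:  # would trust every AWS account that can call AssumeRole
            findings.append(f"statement {i}: wildcard principal trusts every AWS account")
            continue
        for arn in aws:
            acct = _account_of(str(arn))
            if acct not in expected_accounts:
                findings.append(f"statement {i}: unexpected principal {arn}")
            seen.add(acct)
    findings += [f"missing trust for account {a}" for a in expected_accounts if a not in seen]
    return findings


def replace_trusted_principals(doc: dict, nuon_principals, delegation_role_arn: str) -> dict:
    """Customer-side step: copy a default trust policy and swap every Nuon principal
    for the delegation role ARN, collapsing the duplicates that produces."""
    new_doc = json.loads(json.dumps(doc))  # deep copy; the caller's document is untouched
    for st in new_doc.get("Statement", []):
        principal = st.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        swapped = [delegation_role_arn if a in nuon_principals else a
                   for a in _as_list(principal["AWS"])]
        deduped = list(dict.fromkeys(swapped))
        principal["AWS"] = deduped[0] if len(deduped) == 1 else deduped
    return new_doc
```

Run lint_trust_policy on the document you actually saved in the console rather than on the generated one; the point of the check is to catch what was pasted, and the list of expected accounts should be whatever Nuon has given you, not edited locally.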

GovCloud Setup

You can support GovCloud installs using install access delegation. This requires creating a delegation role as in the previous section, creating an IAM user that is allowed to assume that role, and sharing that user's static credentials with Nuon.

If you created a delegation role using our Terraform module, you only need to create the IAM user and credentials described in the second half of this guide.

First, create a delegation role to control access to customer installs:

  1. Create an IAM role in your own account, designed for cross-account access. This role must have the following IAM policy attached to it. Because in the GovCloud setup this role is assumed by an IAM user in your own account rather than by a Nuon account, its trust policy must also admit that user (or your account's root ARN); an sts:AssumeRole call is denied unless both the caller's IAM policy and the role's trust policy allow it:
{
  "Statement": [
    {
      "Action": ["sts:AssumeRole"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
  2. Export the ARN of your IAM role and share it with the Nuon team to configure delegation for your application.
  3. Publish your account's IAM role ARN in your installer, docs or wherever else customers are installing your application.
  4. Update the IAM role setup in your installers, Terraform and anywhere else it appears by substituting your delegation IAM role ARN for the Nuon role ARNs in the default trust relationships for your sandbox.

Next, create an IAM user that can assume this role, and export static credentials to set up delegation:

  1. Visit the AWS console and navigate to IAM -> Users -> Create user.
  2. Create a user without console access.
  3. Create a policy that grants this user permission to assume your IAM role, using the following JSON and substituting your IAM role ARN for the placeholder. Keep the Resource scoped to that one role rather than "*", since a static key with a wildcard could assume any role that trusts your account.
{
  "Statement": [
    {
      "Action": ["sts:AssumeRole"],
      "Effect": "Allow",
      "Resource": "<your-iam-role-arn>"
    }
  ],
  "Version": "2012-10-17"
}
  4. Once the user has been created, open its detail page, click “Create access key” at the top, and choose the command line access option.
  5. Copy the Access key ID and Secret access key and share them with the Nuon team over a secure channel. The key pair remains valid until you deactivate or delete it in IAM, so plan to rotate or remove it once Nuon moves GovCloud to cross-account trust.
  6. Share your IAM role ARN with the Nuon team.

This is a temporary solution until Nuon provisions a GovCloud environment, at which point we will switch to cross-account trust policies for GovCloud instead of static credentials.
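The GovCloud path has two documents that must agree: the user's policy must name the delegation role, and the role's trust policy must admit the user or its account root, or the AssumeRole call is denied. The following Python is an added example, not Nuon code, that checks both halves of that chain before you hand the access key over. The ARNs, the user policy and the trust policy it uses are constructed placeholders; the partition in them (aws-us-gov) is only an assumption for the demo and the parser accepts any partition.

```python
"""Check the GovCloud static-credential path above before handing keys to Nuon.
Added example, not Nuon code. It verifies both halves of a same-account sts:AssumeRole:
the IAM user's policy must name the delegation role, and the role's trust policy must
admit the user (or the account root). The ARNs and documents below are constructed."""
import re

IAM_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):(?P<resource>.+)$")

# Constructed placeholders: one account, the delegate role and the user that assumes it.
DEMO_ROLE_ARN = "arn:aws-us-gov:iam::123456789012:role/nuon-delegate"
DEMO_USER_ARN = "arn:aws-us-gov:iam::123456789012:user/nuon-delegate-user"
DEMO_USER_POLICY = {  # the user policy from the page, with the placeholder filled in
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": DEMO_ROLE_ARN}],
}
DEMO_TRUST_POLICY = {  # role trust policy admitting the account root, which covers the user
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws-us-gov:iam::123456789012:root"}}],
}


def parse_iam_arn(arn: str) -> dict:
    m = IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM ARN: {arn}")
    return m.groupdict()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_assume_statements(doc: dict):
    for st in doc.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            yield st


def user_may_assume(user_policy: dict, role_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole on exactly this role ARN. A
    Resource of "*" is rejected on purpose: a static key with a wildcard could assume
    any role that trusts the account, which is far more than this setup needs."""
    return any(role_arn in _as_list(st.get("Resource", []))
               for st in _allow_assume_statements(user_policy))


def role_trusts_user(trust_policy: dict, user_arn: str) -> bool:
    """True if the trust policy names the user ARN or its account root as an AWS principal."""
    user = parse_iam_arn(user_arn)
    root_arn = f"arn:{user['partition']}:iam::{user['account']}:root"
    for st in _allow_assume_statements(trust_policy):
        principal = st.get("Principal")
        if isinstance(principal, dict) and {user_arn, root_arn} & set(_as_list(principal.get("AWS", []))):
            return True
    return False


def check_govcloud_chain(user_arn: str, user_policy: dict, role_arn: str, trust_policy: dict) -> list:
    """Findings for the user -> role chain; an empty list means AssumeRole should succeed."""
    findings = []
    user, role = parse_iam_arn(user_arn), parse_iam_arn(role_arn)
    if not role["resource"].startswith("role/"):
        findings.append("delegation ARN is not a role ARN")
    if (user["partition"], user["account"]) != (role["partition"], role["account"]):
        findings.append("user and role are not in the same account/partition, which this setup assumes")
    if not user_may_assume(user_policy, role_arn):
        findings.append("user policy does not allow sts:AssumeRole on the delegation role (wildcards not accepted)")
    if not role_trusts_user(trust_policy, user_arn):
        findings.append("role trust policy does not admit the user or its account root; AssumeRole would be denied")
    return findings
```

Feed it the user ARN from the IAM console, the policy JSON you attached in step 3 and the trust policy of the delegation role; an empty findings list is the condition under which `aws sts assume-role` with the new key will actually work, and each non-empty finding names the document to fix.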

Install Access

If you are using delegation for your application, your customers will need to set the delegation_role_arn when creating an install.

If you are provisioning the IAM role with access via Terraform, make sure to add the delegation_role_arn field:

This will soon be automated via our installers, for 1-click CloudFormation role creation.