Before creating an install, cross account access must be granted to the target account where the install will be deployed. This requires a customer to create a cross account IAM role for AWS in their own account (or in the case of a test install, in whichever account is desired).

There are many ways to create IAM roles and policies, but this document will show a few easy ways to create IAM roles for Nuon managed sandboxes.

Permissions granting Nuon access to a customer account are only required when first setting up the install. Once the install is initially provisioned, the runner is responsible for all additional management.

AWS Install Access

For applications that use an AWS sandbox, a cross account IAM role delegating access to the target account.

Each managed sandbox defines a set of IAM policies that can be used to grant the proper permissions to create an install using that sandbox.

These policies can be found in the artifacts subdirectory of each sandbox, such as AWS EKS.

IAM roles can be created one of a few ways:

Using Terraform

You can use Terraform to create and manage IAM roles for creating / destroying Nuon installs using our Install Access module.

An example of creating an IAM role for the AWS ECS sandbox:

provider "aws" {}

module "iam-role" {
  source = "nuonco/install-access/aws"
  version = "1.0.0"

  sandbox = "aws-ecs"
  prefix = "iam-role-prefix"

In order to use Terraform to provision IAM roles, please make sure to follow the AWS Provider to authenticate with AWS. Usually, this requires setting an AWS_REGION and AWS_PROFILE.

Using the AWS CLI

The aws cli can be used to create an IAM role for Nuon install access. This requires creating the correct policies, creating a role that grants Nuon access to assume it, and attaching the policies to the role.

By cloning the managed sandboxes, and changing directories into the artifacts directory of your chosen sandbox, you can create an IAM role using the following commands.

Create the install access role.

aws iam create-role \
  --role-name=nuon-install-access \
  --assume-role-policy-document file://trust.json

Create the provision policy.

aws iam create-policy \
  --policy-name=nuon-install-provision-access \
  --policy-document file://provision.json \
  --description "Grants Nuon access to deprovision an install"
aws iam attach-role-policy \
  --role-name=nuon-install-access \

Create the deprovision policy.

aws iam create-policy \
  --policy-name=nuon-install-deprovision-access \
  --policy-document file://deprovision.json \
  --description "Grants Nuon access to deprovision an install"
aws iam attach-role-policy \
  --role-name=nuon-install-access \


You can manually create an IAM role for Nuon using the AWS console in the following steps:

  1. Create an IAM role with the trust.json policy for your sandbox using this guide.
  2. Create a policy that contains both the provison.json and deprovision.json permissions for your sandbox using this guide.
  3. Attach the policy to your created IAM role from step 1 using this guide.

1-click Cloudformation stack

Each sandbox has a sample 1-click Cloudformation stack template, which can be used to create a 1-click installation experience. This is found under artifacts/stack-template.yaml in each sandbox.

We recommend that you offer customer’s multiple ways of creating IAM roles, so that they can integrate into their stack of choice.

Our sandbox 1-click templates are currently experimental. If you’d like to offer this to your customers, or use it for testing please get in touch.

Nuon Trusted Accounts

Nuon has two dedicated accounts that are used to assume external IAM roles for customer accounts:

  • Nuon Prod - 007754799877
  • Nuon Tenants Prod - 814326426574


Nuon can be deployed in your account, upon request - meaning that initial access can be granted to an account owned by you, instead of Nuon.

In some cases, this might be helpful or required when selling into sensitive or enterprise customers.

Please get in touch if you would like to learn more about running Nuon in your own account.