Skip to main content
Operation roles let you assign a specific role to each individual operation the Nuon runner performs, such as provisioning your sandbox, deploying a component, or running an action, instead of relying on a single all-purpose maintenance role. The result is granular, least-privilege access control with no changes required to your customers’ cloud accounts.

Why Use Operation Roles?

Your deploy workflow might need lambda:CreateFunction and lambda:UpdateFunctionCode. Your teardown workflow only needs lambda:DeleteFunction. With a shared maintenance role both permissions are always present; with operation roles each workflow gets exactly what it needs. Some concrete use cases:
  • Separate deploy vs teardown: prevent accidental deletion by ensuring your deploy role cannot delete resources
  • Tighter sandbox permissions: provision with a broad Terraform role and deprovision with a narrow destroy-only role
  • Emergency break-glass: run a privileged action role for incident response without elevating all action runs
  • Audit-friendly access: separate CloudTrail events per role make it easy to see which operation touched which resource

Role Selection Precedence

When a run starts, the runner selects a role by walking this chain from highest to lowest priority: The first match wins. If nothing matches the run fails.

Defining Custom Roles

Any role used in an operation role assignment must be declared in permissions.toml with type = "custom" so it is provisioned in the customer’s CloudFormation stack:
permissions.toml

Configuring Entity Roles

Entity roles are defined inline on the individual config file. They take precedence over matrix rules.

Sandbox (sandbox.toml)

Use an [[operation_roles]] array to map sandbox operations to roles.
sandbox.toml
Valid operations for sandbox: provision, reprovision, and deprovision.

Components (components/<name>.toml)

Use the same [[operation_roles]] array on any component config file.
components/my_lambda.toml

Configuring Matrix Rules (operation_roles.toml)

The operation_roles.toml file defines app-level rules that apply across all installs. Rules are matched by principal (which entity is performing the operation) and operation name. Create a file named operation_roles.toml at the root of your app config:
operation_roles.toml

Principal Format

The wildcard * matches any entity of that type, making it easy to set a default role for all components or all actions without listing each one.

Role Name Templating

Role names support the same Go template syntax used elsewhere in Nuon config:
Common template variables: The rendered role name must match a role defined in permissions.toml (either a standard role or a custom_roles entry).

Syncing with the CLI

After adding or changing operation role config, sync your app to push the updated config to Nuon:
This syncs all the configs with the control plane, including operation_roles.toml and any inline operation_roles blocks.

Runtime Role Override

You can override the role for a specific run without changing any config file.

CLI

Pass --role <role-name> when triggering a sandbox or component operation:

Dashboard

On the install page, before triggering a run, use the role selector in the run options panel to choose an alternative role from those available in the install’s CloudFormation stack.

Viewing Configured Roles

In the Nuon dashboard, navigate to your install and open the Components or Actions tab. Each entity shows the currently configured role.

Next Steps