Why Use Operation Roles?
Your deploy workflow might needlambda:CreateFunction and lambda:UpdateFunctionCode. Your teardown
workflow only needs lambda:DeleteFunction. With a shared maintenance role both permissions are always
present; with operation roles each workflow gets exactly what it needs.
Some concrete use cases:
- Separate deploy vs teardown: prevent accidental deletion by ensuring your deploy role cannot delete resources
- Tighter sandbox permissions: provision with a broad Terraform role and deprovision with a narrow destroy-only role
- Emergency break-glass: run a privileged action role for incident response without elevating all action runs
- Audit-friendly access: separate CloudTrail events per role make it easy to see which operation touched which resource
Role Selection Precedence
When a run starts, the runner selects a role by walking this chain from highest to lowest priority:
The first match wins. If nothing matches the run fails.
Defining Custom Roles
Any role used in an operation role assignment must be declared inpermissions.toml with type = "custom"
so it is provisioned in the customer’s CloudFormation stack:
permissions.toml
Configuring Entity Roles
Entity roles are defined inline on the individual config file. They take precedence over matrix rules.Sandbox (sandbox.toml)
Use an [[operation_roles]] array to map sandbox operations to roles.
sandbox.toml
provision, reprovision, and deprovision.
Components (components/<name>.toml)
Use the same [[operation_roles]] array on any component config file.
components/my_lambda.toml
Configuring Matrix Rules (operation_roles.toml)
The operation_roles.toml file defines app-level rules that apply across all installs. Rules are matched
by principal (which entity is performing the operation) and operation name.
Create a file named operation_roles.toml at the root of your app config:
operation_roles.toml
Principal Format
The wildcard
* matches any entity of that type, making it easy to set a default role for all components
or all actions without listing each one.
Role Name Templating
Role names support the same Go template syntax used elsewhere in Nuon config:
The rendered role name must match a role defined in
permissions.toml (either a standard role or a
custom_roles entry).
Syncing with the CLI
After adding or changing operation role config, sync your app to push the updated config to Nuon:operation_roles.toml and any inline operation_roles blocks.
Runtime Role Override
You can override the role for a specific run without changing any config file.CLI
Pass--role <role-name> when triggering a sandbox or component operation:
Dashboard
On the install page, before triggering a run, use the role selector in the run options panel to choose an alternative role from those available in the install’s CloudFormation stack.Viewing Configured Roles
In the Nuon dashboard, navigate to your install and open the Components or Actions tab. Each entity shows the currently configured role.Next Steps
- Operation Roles Concepts: understand the mental model and precedence chain
- Permissions Config Reference: defining
provision_role,maintenance_role, andcustom_roles