Break Glass
Properties
| Property | Type | Description | Required / allowed values | Example |
|---|---|---|---|---|
| `name` | string | Name used for the role in the target cloud platform. Supports Go templating using standard template variables (e.g., `{{.nuon.install.id}}`). | Required | `"app-{{.nuon.install.id}}-role"`, `"admin-role"` |
| `description` | string | Human-readable description that explains the role's purpose. Rendered in the installer to customers. Supports templating. | Required | `"Provides S3 bucket access for the application"`, `"Database migration role with elevated permissions"` |
| `policies` | array | List of policies to attach to the role. Each policy defines cloud-specific permissions (AWS IAM policies, GCP IAM permissions, or GCP predefined roles). See the `policies` table below. | Required | - |
| `type` | string | Role type in the permission directory. Used when defining permissions in a directory; indicates when the role is active (provision, maintenance, or deprovision). Supports templating. | Optional; one of `"provision"`, `"maintenance"`, `"deprovision"` | `"provision"`, `"maintenance"`, `"deprovision"` |
| `cloud_platform` | string | Cloud platform this role targets. Determines which downstream renderer processes the role (e.g., AWS CloudFormation vs GCP IAM). Defaults to `aws` if omitted. | Optional; one of `"aws"`, `"azure"`, `"gcp"` | `"aws"`, `"gcp"` |
| `display_name` | string | Human-readable display name shown in the installer UI. Supports templating. | Optional | `"Application S3 Access"`, `"Database Admin"` |
| `permissions_boundary` | string | [AWS only] ARN of a permissions boundary policy. Caps the role's effective permissions: the role can never use a permission the boundary does not also allow, whatever its attached policies grant. Supports templating and external file sources: HTTP(S) … | Optional | `"./provision_boundary.json"`, `"./maintenance_boundary.json"` |
policies
| Property | Type | Description | Required / allowed values | Example |
|---|---|---|---|---|
| `name` | string | Name for the policy. Used across all cloud platforms when creating the permission grant. Supports Nuon templating. | Required | `"app-{{.nuon.install.id}}-policy"`, `"s3-access-policy"` |
| `managed_policy_name` | string | [AWS only] Name or ARN of an AWS managed policy to attach to the IAM role. Mutually exclusive with `contents`. | Optional | `"AmazonS3FullAccess"`, `"ReadOnlyAccess"` |
| `contents` | string | [AWS only] JSON policy document defining inline IAM permissions. Mutually exclusive with `managed_policy_name`. Supports Nuon templating and external file sources: HTTP(S) … | Optional | `"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}"` |
| `gcp_permissions` | array | [GCP only] List of individual GCP IAM permission strings to include in a custom role bound to the service account. Use this for fine-grained permission control. Mutually … | Optional | `"compute.instances.get"`, `"storage.objects.list"` |
| `gcp_predefined_role` | string | [GCP only] Name of a GCP predefined role to bind to the service account. This is the GCP equivalent of AWS managed policies: a Google-managed bundle of permissions. Mutually … | Optional | `"roles/editor"`, `"roles/owner"` |
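A validator for role definitions of the shape described in the two tables above, added here as a worked example. It is not Nuon's own code: it assumes a role has already been parsed into a plain dict whose keys are the property names from the tables, with `policies` as a list of dicts. It enforces the rules the tables state (required fields, the `aws` default for `cloud_platform`, the allowed `type` and `cloud_platform` values, `managed_policy_name` vs `contents` exclusivity, the AWS-only and GCP-only fields) and adds the checks a reviewer would want before a break-glass role ships: inline `contents` must parse as JSON, wildcard `Allow` statements are flagged, an AWS role without a `permissions_boundary` is flagged, and a GCP policy that binds a basic role (`roles/owner`, `roles/editor`, `roles/viewer`) is flagged. The two "needs a grant source" checks are marked as assumptions in the comments, and the sample roles are constructed for the example.

```python
import json
import re

CLOUD_PLATFORMS = {"aws", "azure", "gcp"}
ROLE_TYPES = {"provision", "maintenance", "deprovision"}
GCP_BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
TEMPLATE_RE = re.compile(r"\{\{[^}]*\}\}")  # Go-template placeholder, e.g. {{.nuon.install.id}}


def is_external_ref(value: str) -> bool:
    """True when a string field points at a file or URL instead of holding inline JSON."""
    return value.strip().startswith(("./", "/", "http://", "https://"))


def lint_inline_policy(doc: dict, where: str) -> list[str]:
    """Warn about Allow statements that use a wildcard Action or Resource."""
    warnings = []
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            warnings.append(f"{where}: statement {i} allows wildcard action {actions}")
        if "*" in resources:
            warnings.append(f"{where}: statement {i} applies to Resource '*'")
    return warnings


def validate_policy(policy: dict, platform: str, where: str) -> tuple[list[str], list[str]]:
    """Check one entry of a role's policies array against the platform the role targets."""
    errors, warnings = [], []
    if not policy.get("name"):
        errors.append(f"{where}: name is required")
    has_managed, has_contents = "managed_policy_name" in policy, "contents" in policy
    has_gcp = "gcp_permissions" in policy or "gcp_predefined_role" in policy
    if platform == "aws":
        if has_gcp:
            errors.append(f"{where}: gcp_permissions/gcp_predefined_role are GCP-only fields")
        if has_managed and has_contents:
            errors.append(f"{where}: managed_policy_name and contents are mutually exclusive")
        elif not (has_managed or has_contents):  # assumed: a policy must grant something
            errors.append(f"{where}: an AWS policy needs managed_policy_name or contents")
        if has_contents and not is_external_ref(policy["contents"]):
            if TEMPLATE_RE.search(policy["contents"]):
                warnings.append(f"{where}: contents is templated; JSON can only be checked after rendering")
            else:
                try:
                    doc = json.loads(policy["contents"])
                except json.JSONDecodeError as exc:
                    errors.append(f"{where}: contents is not valid JSON ({exc.msg})")
                else:
                    warnings.extend(lint_inline_policy(doc, where))
    elif platform == "gcp":
        if has_managed or has_contents:
            errors.append(f"{where}: managed_policy_name/contents are AWS-only fields")
        if not has_gcp:  # assumed: a policy must grant something
            errors.append(f"{where}: a GCP policy needs gcp_permissions or gcp_predefined_role")
        if policy.get("gcp_predefined_role") in GCP_BASIC_ROLES:
            warnings.append(f"{where}: {policy['gcp_predefined_role']} is a basic role; prefer a narrower one")
    return errors, warnings


def validate_role(role: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one role definition."""
    errors, warnings = [], []
    for field in ("name", "description", "policies"):
        if not role.get(field):
            errors.append(f"role: {field} is required")
    platform = role.get("cloud_platform", "aws")  # defaults to aws when omitted
    if platform not in CLOUD_PLATFORMS:
        errors.append(f"role: cloud_platform must be one of {sorted(CLOUD_PLATFORMS)}")
    role_type = role.get("type")
    if role_type and role_type not in ROLE_TYPES and not TEMPLATE_RE.search(role_type):
        errors.append(f"role: type must be one of {sorted(ROLE_TYPES)}")
    if "permissions_boundary" in role and platform != "aws":
        errors.append("role: permissions_boundary is an AWS-only field")
    if platform == "aws" and "permissions_boundary" not in role:
        warnings.append("role: no permissions_boundary; the attached policies are the only cap on this role")
    for i, policy in enumerate(role.get("policies") or []):
        e, w = validate_policy(policy, platform, f"policies[{i}]")
        errors.extend(e)
        warnings.extend(w)
    return errors, warnings


# Constructed sample roles, shaped after the example values in the tables.
AWS_ROLE = {
    "name": "app-{{.nuon.install.id}}-role",
    "description": "Provides S3 bucket access for the application",
    "type": "maintenance",
    "permissions_boundary": "./maintenance_boundary.json",
    "policies": [{"name": "s3-access-policy", "contents": json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}],
}
BAD_AWS_ROLE = {
    "name": "admin-role", "description": "Database migration role with elevated permissions",
    "cloud_platform": "aws",
    "policies": [{"name": "both", "managed_policy_name": "ReadOnlyAccess", "contents": "{}"},
                 {"name": "broken", "contents": '{"Version": '}],
}
GCP_ROLE = {
    "name": "app-{{.nuon.install.id}}-role", "description": "Compute and object read access",
    "cloud_platform": "gcp",
    "policies": [{"name": "editor", "gcp_predefined_role": "roles/editor"},
                 {"name": "fine-grained", "gcp_permissions": ["compute.instances.get", "storage.objects.list"]}],
}

if __name__ == "__main__":
    for label, role in (("aws", AWS_ROLE), ("bad-aws", BAD_AWS_ROLE), ("gcp", GCP_ROLE)):
        print(label, validate_role(role))
```

Errors are hard failures a renderer would also reject; warnings are the review findings that the tables' own examples trigger (the `s3:*` on `*` inline document and the `roles/editor` binding), which is why they are reported separately rather than blocking.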