Permissions
Properties
| Property | Type | Description | Required / values | Example |
|---|---|---|---|---|
| `provision_role` | `AppAWSIAMRole` | Provisioning IAM role: the IAM role used during initial provisioning of the install, with permissions to set up resources | Optional | - |
| `deprovision_role` | `AppAWSIAMRole` | Deprovisioning IAM role: the IAM role used for tearing down the install and cleaning up resources | Optional | - |
| `maintenance_role` | `AppAWSIAMRole` | Maintenance IAM role: the IAM role used for day-to-day maintenance, updates and operational tasks | Optional | - |
| `custom_roles` | array | Custom IAM roles: additional IAM roles for specialized operations beyond the standard provision/maintenance/deprovision lifecycle. Each role must have `type` set to `custom` | Optional | - |
| `roles` | array | List of permission roles: an array of role definitions in the directory-based permission structure. Each role must have a `type` field (`provision`, `maintenance`, `deprovision` or `custom`) | Optional | - |
provision_role
| Property | Type | Description | Required / values | Example |
|---|---|---|---|---|
| `name` | string | Name of the role, as used in the target cloud platform. Supports Go templating with the standard template variables (e.g. `{{.nuon.install.id}}`) | ✅ Required | `"app-{{.nuon.install.id}}-role"`, `"admin-role"` |
| `description` | string | Human-readable description that explains the role's purpose. Rendered in the installer to customers. Supports templating | ✅ Required | `"Provides S3 bucket access for the application"`, `"Database migration role with elevated permissions"` |
| `policies` | array | Policies to attach to the role. Each policy defines cloud-specific permissions (AWS IAM policies, GCP IAM permissions or GCP predefined roles) | ✅ Required | - |
| `type` | string | Role type in the permission directory. Used when defining permissions in a directory; indicates when the role is active (`provision`, `maintenance`, `deprovision`) or marks it as `custom`. Supports templating | Optional | `"provision"`, `"maintenance"`, `"deprovision"` |
| `cloud_platform` | string | Cloud platform this role targets. Determines which downstream renderer processes the role (e.g. AWS CloudFormation vs GCP IAM). Defaults to `aws` if omitted | Optional; one of `"aws"`, `"azure"`, `"gcp"` | `"aws"`, `"gcp"` |
| `display_name` | string | Human-readable display name shown in the installer UI. Supports templating | Optional | `"Application S3 Access"`, `"Database Admin"` |
| `permissions_boundary` | string | [AWS only] ARN of a permissions boundary policy. Caps the maximum permissions the role can have, regardless of the policies attached to it. Supports templating and external file sources: HTTP(S) … | Optional | `"./provision_boundary.json"`, `"./maintenance_boundary.json"` |
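The tables above state several constraints that are easy to get wrong by hand: `name`, `description` and `policies` are required, `custom_roles` entries must carry `type = custom`, entries in `roles` must carry a valid `type`, `cloud_platform` defaults to `aws`, and `permissions_boundary` is AWS-only. The following is an added example, not Nuon's own code, that checks a permissions block against those rules before it is committed. The config is represented as a plain dict using the property names from the tables; the shape of a policy entry (an AWS IAM policy document), the regex stand-in for Go templating, and the extra lint that flags an unbounded `Allow */*` statement are assumptions added here, not rules stated on the page.

```python
"""Lint a permissions block against the rules in the property tables.

Constructed example: the dict keys mirror the documented property names; the
policy-document shape, the template stand-in and the wildcard lint are assumptions.
"""
import re

ROLE_TYPES = {"provision", "maintenance", "deprovision", "custom"}
CLOUD_PLATFORMS = {"aws", "azure", "gcp"}
# Stand-in for Go templating: matches {{.nuon.install.id}} and captures "nuon.install.id".
TEMPLATE_RE = re.compile(r"\{\{\s*\.([\w.]+)\s*\}\}")


def render(value, variables):
    """Substitute {{.a.b}} with variables['a.b']; unknown variables are an error."""
    def sub(match):
        key = match.group(1)
        if key not in variables:
            raise KeyError(f"unknown template variable .{key}")
        return variables[key]
    return TEMPLATE_RE.sub(sub, value)


def validate_role(role, require_type=False, expected_type=None):
    """Return the list of problems found in one role definition (empty means valid)."""
    problems = []
    for field in ("name", "description", "policies"):
        if not role.get(field):
            problems.append(f"missing required field '{field}'")
    role_type = role.get("type")
    if role_type is None:
        if require_type or expected_type:
            problems.append("missing required field 'type'")
    elif role_type not in ROLE_TYPES:
        problems.append(f"unknown type '{role_type}'")
    elif expected_type and role_type != expected_type:
        problems.append(f"type must be '{expected_type}', got '{role_type}'")
    platform = role.get("cloud_platform", "aws")  # documented default
    if platform not in CLOUD_PLATFORMS:
        problems.append(f"unknown cloud_platform '{platform}'")
    if "permissions_boundary" in role and platform != "aws":
        problems.append("permissions_boundary is AWS-only")
    # Added lint (IAM hygiene, not a page rule): an AWS role with no boundary whose
    # policy allows every action on every resource is effectively an admin role.
    if platform == "aws" and not role.get("permissions_boundary"):
        for policy in role.get("policies", []):
            for stmt in policy.get("Statement", []):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                resources = stmt.get("Resource", [])
                resources = [resources] if isinstance(resources, str) else resources
                if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                    problems.append("Allow */* without a permissions_boundary")
    return problems


def validate_permissions(perms):
    """Validate a whole permissions block; returns {label: [problems]} for roles with issues."""
    findings = {}
    for key in ("provision_role", "maintenance_role", "deprovision_role"):
        if key in perms and validate_role(perms[key]):
            findings[key] = validate_role(perms[key])
    for i, role in enumerate(perms.get("custom_roles", [])):
        if validate_role(role, expected_type="custom"):
            findings[f"custom_roles[{i}]"] = validate_role(role, expected_type="custom")
    for i, role in enumerate(perms.get("roles", [])):
        if validate_role(role, require_type=True):
            findings[f"roles[{i}]"] = validate_role(role, require_type=True)
    return findings


# Constructed sample config: one clean role and three deliberately faulty ones.
SAMPLE = {
    "provision_role": {
        "name": "app-{{.nuon.install.id}}-provision",
        "description": "Creates the install's cluster and buckets",
        "type": "provision",
        "permissions_boundary": "./provision_boundary.json",
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["eks:*", "s3:CreateBucket"], "Resource": "*"}]}],
    },
    "maintenance_role": {  # no boundary and a blanket Allow: flagged by the lint
        "name": "app-{{.nuon.install.id}}-maintenance",
        "description": "Day-to-day updates",
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
    "custom_roles": [{  # wrong type for a custom role
        "name": "db-migrate", "description": "Runs schema migrations",
        "type": "maintenance", "policies": [{"Version": "2012-10-17", "Statement": []}],
    }],
    "roles": [{  # missing type, and a boundary on a non-AWS role
        "name": "gcp-deploy", "description": "Deploys to GKE", "cloud_platform": "gcp",
        "permissions_boundary": "./b.json", "policies": [{"role": "roles/container.developer"}],
    }],
}

if __name__ == "__main__":
    for label, problems in validate_permissions(SAMPLE).items():
        print(label, "->", "; ".join(problems))
    print(render(SAMPLE["provision_role"]["name"], {"nuon.install.id": "inst-123"}))
```

Run it as a pre-commit check on the permissions block: the clean `provision_role` produces no findings, while the unbounded maintenance role, the mistyped custom role and the GCP role with an AWS-only boundary are each reported with the specific rule they break. The wildcard lint is the one check worth keeping strict in practice, since a maintenance role runs for the life of the install and is the one most worth capping with a `permissions_boundary`.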