When you link your AWS account to New Relic, you grant New Relic permission to create an inventory of your AWS account and to gather CloudWatch metrics for your Lambda functions. Resources in your AWS account then show up as entities in the explorer, decorated with configuration information.
Lambda serverless function monitoring requires either an API Polling or a Metric Streams integration. You can set up the integration of your choice before you start this account linking, or you can let the CLI install the API Polling integration for you.
To create this inventory, we need an IAM role that grants these IAM permissions, at a minimum:
Resource: "*"
Action:
  - "cloudwatch:GetMetricStatistics"
  - "cloudwatch:ListMetrics"
  - "cloudwatch:GetMetricData"
  - "lambda:GetAccountSettings"
  - "lambda:ListFunctions"
  - "lambda:ListAliases"
  - "lambda:ListTags"
  - "lambda:ListEventSourceMappings"
By default, we use the AWS managed policy ReadOnlyAccess. This allows the infrastructure integration to see all the resources in your account, rather than just your Lambda functions and CloudWatch metrics. New Relic recommends this default, but we understand that some organizations have a very conservative security posture for third-party integrations: ReadOnlyAccess grants read access across nearly every AWS service, which is a broad grant for a role assumed from outside your account. A role with only the permissions above is sufficient for Lambda telemetry collection, though distributed traces that involve other AWS services may be incomplete, since those resources will not appear in the inventory.
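The following is an added example (not New Relic's code) that builds the least-privilege policy document from the action list above and audits an arbitrary policy against it, reporting required actions it fails to cover and Allow patterns that widen the grant beyond them. The audit helper, the sample broad policy and the statement Sid are constructed for illustration; only Allow statements with an Action element are inspected (NotAction, Deny and Condition elements are out of scope here).

```python
"""Build and audit a least-privilege policy for the role New Relic assumes.

Added example, not New Relic's code. REQUIRED_ACTIONS is the list from the
documentation above; the audit helper and BROAD_POLICY are constructed for
illustration. Only Allow statements with an Action element are inspected.
"""
import fnmatch
import json

# Minimum actions the documentation says the linked role needs.
REQUIRED_ACTIONS = (
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "lambda:GetAccountSettings",
    "lambda:ListFunctions",
    "lambda:ListAliases",
    "lambda:ListTags",
    "lambda:ListEventSourceMappings",
)


def minimal_policy() -> dict:
    """Policy document granting exactly the required actions on all resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NewRelicLambdaTelemetry",  # assumed name, not from the docs
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards,
    # which fnmatchcase gives us once both sides are lower-cased.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: dict) -> dict:
    """Compare a policy's Allow actions with REQUIRED_ACTIONS.

    'missing' lists required actions no Allow pattern covers; 'excess' lists
    Allow patterns that are not literally a required action (any wildcard or
    unrelated action widens the grant beyond what Lambda telemetry needs).
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = [a for a in REQUIRED_ACTIONS
               if not any(_matches(p, a) for p in patterns)]
    excess = [p for p in patterns if p.lower() not in required_lower]
    return {"missing": missing, "excess": excess,
            "least_privilege": not missing and not excess}


# Constructed stand-in for a broad managed policy (not the real ReadOnlyAccess,
# which is far larger): wildcards plus an unrelated S3 read grant.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:*", "lambda:List*", "s3:Get*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(minimal_policy(), indent=2))
    print(audit_policy(BROAD_POLICY))
```

Run it against the policy document attached to the role you intend to hand to the integration; an empty `missing` list with a non-empty `excess` list is the signal that the role works but grants more than the telemetry path needs.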
In this integration step, we'll also store your New Relic license key in the AWS Secrets Manager service, so that we can send your telemetry to your New Relic account.
Recommended method: The newrelic-lambda CLI
Requirements
To enable serverless monitoring using our Lambda layer, you need the following:
AWS CLI v2 installed and configured using aws configure.
An AWS account with permissions for creating IAM resources, managed secrets, and Lambdas. You also need permissions for creating CloudFormation stacks and S3 buckets.
The CLI uses the AWS SDK to interact with AWS. The SDK acts as the same default profile as the AWS CLI.
This profile needs, at a minimum, the following AWS permissions to run the CLI.
Because Lambda serverless function monitoring requires either an API Polling or a Metric Streams integration, the CLI automatically installs API Polling if it doesn't find an existing integration. If you prefer Metric Streams, install it before running the CLI.
When all the requirements are in place, link your AWS account with your New Relic account by running the following command using your user key (replace all the highlighted values):
Setting the region
To configure your region, use this environment variable to override the default region:
export AWS_DEFAULT_REGION=MY_REGION # us-west-2, for example
The CLI tool also allows passing this per-command using --aws-region.
Setting profiles
If you have multiple AWS profiles and don't want to use the default, use the AWS_PROFILE environment variable to select another profile name. Ensure the profile is properly configured (including the default region). Example:
The newrelic-lambda CLI stores your New Relic license key as a secret in AWS Secrets Manager for greater security.
Tip
Storing the New Relic license key in the AWS Secrets Manager
Your New Relic license key identifies and authenticates you to New Relic, allowing us to associate your telemetry with your New Relic account. Each function that sends telemetry needs access to this value, and the value needs to be managed securely. AWS Secrets Manager addresses both needs.
If your organization prevents you from using AWS Secrets Manager or if you need to store more than one secret per region, see below for an alternative method to set your license key.
Alternative method
The infrastructure monitoring UI
The CLI is the least complicated way to link your accounts. Current CLI behavior limits the setup to one managed secret per region. If you need more control, or need to integrate more than one New Relic account per region, you can go through the linking process manually. Be sure to enable Lambda when selecting services to be monitored.
Don't forget to configure the license key secret manually, as described next.
Manually configure the license key secret
In addition to linking your accounts, you need to configure the license key secret.
Using the AWS CLI, or the AWS CloudFormation Console, install the template, supplying the LicenseKey parameter.
You can find your New Relic license key here. It will be labeled "INGEST - LICENSE". Be sure to use the license key for the account you configured with the infrastructure UI above.
AWS CLI example:
Be sure to replace YOUR_LICENSE_KEY and YOUR_ACCOUNT_ID with the license key and account ID you found above.
The license key is associated with your New Relic account, while the secret is the name of the AWS managed secret containing the license key. If NEW_RELIC_LICENSE_KEY is not set, we look for the key in the secret named by NEW_RELIC_LICENSE_KEY_SECRET. To ensure the contents of the keys are formatted correctly, we recommend using the CLI to enable Lambda monitoring.
If your organization does not allow the use of AWS Secrets Manager, the New Relic Lambda extension will accept a NEW_RELIC_LICENSE_KEY environment variable. Add the --disable-license-key-secret flag to the newrelic-lambda integrations install command. Then set this environment variable to your New Relic license key in your Lambda function configuration. Note that an environment variable is readable by anyone with lambda:GetFunctionConfiguration on the function, which is why the secret is the default.
Multiple AWS regions and accounts
The newrelic-lambda CLI should be run once per region, with the --aws-region parameter. Use the same linked account name, and the tool will detect that the account link has been created already. The license key secret needs to be created in each region.
Similarly, several AWS accounts can be linked to a New Relic account. Give each account a different linked account name. The --aws-profile argument to the CLI tool will select the named profile. The tool uses the same configuration as the AWS CLI.
Failure to retrieve license key AccessDeniedException
Your Lambda function's execution role needs permission to read the license key secret from AWS Secrets Manager. If you find a log like the following, add the appropriate permission to the execution role's policy, scoped to the secret ARN named in the error rather than to all secrets. In our examples, check out the template.yaml file to see an easy way to grant this permission.
Failed to retrieve license key AccessDeniedException: User: <ARN> is not authorized to perform: secretsmanager:GetSecretValue on resource: <ARN>
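The following is an added example (not New Relic's extension code) that ties together the lookup order described under "Manually configure the license key secret" and the AccessDeniedException above: it resolves the license key the way the documentation describes (NEW_RELIC_LICENSE_KEY first, otherwise the Secrets Manager secret named by NEW_RELIC_LICENSE_KEY_SECRET), parses the error line to pull out the principal, action and secret ARN, and emits the execution-role statement scoped to that one secret. Assumptions for illustration: the secret value is JSON with a "LicenseKey" field, the fetcher is injected so the code runs offline, and the ARNs in the sample log line are placeholders.

```python
"""License key lookup order and the execution-role fix for AccessDeniedException.

Added example, not New Relic's code. Assumed for illustration: the secret is
JSON with a "LicenseKey" field, and the sample ARNs are placeholders. With
boto3 the fetcher would be
  lambda name: boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]
"""
import json
import re
from typing import Callable, Mapping, Optional


class LicenseKeyError(RuntimeError):
    """Raised when no usable license key can be resolved."""


def resolve_license_key(env: Mapping[str, str],
                        fetch_secret: Callable[[str], str]) -> str:
    """Return the key from NEW_RELIC_LICENSE_KEY, else from the named secret."""
    direct = env.get("NEW_RELIC_LICENSE_KEY")
    if direct:
        return direct
    secret_name = env.get("NEW_RELIC_LICENSE_KEY_SECRET")
    if not secret_name:
        raise LicenseKeyError(
            "neither NEW_RELIC_LICENSE_KEY nor NEW_RELIC_LICENSE_KEY_SECRET is set")
    try:
        raw = fetch_secret(secret_name)
    except PermissionError as exc:  # stands in for the SDK's AccessDeniedException
        raise LicenseKeyError(f"Failed to retrieve license key {exc}") from exc
    try:
        return json.loads(raw)["LicenseKey"]
    except (ValueError, KeyError, TypeError) as exc:
        raise LicenseKeyError("secret is not JSON with a LicenseKey field") from exc


# Matches the AccessDeniedException text shown in the documentation.
ACCESS_DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>arn:aws:\S+) is not authorized "
    r"to perform: (?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>arn:aws:\S+)")


def parse_access_denied(log_line: str) -> Optional[dict]:
    """Extract principal, action and resource ARN from the error, if present."""
    m = ACCESS_DENIED_RE.search(log_line)
    return m.groupdict() if m else None


def execution_role_statement(secret_arn: str) -> dict:
    """IAM statement the execution role needs: GetSecretValue on that one secret."""
    return {
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
    }


# Constructed sample of the documented error, with placeholder account and ARNs.
ACCESS_DENIED_TEXT = (
    "AccessDeniedException: User: "
    "arn:aws:sts::123456789012:assumed-role/my-fn-role/my-fn is not authorized "
    "to perform: secretsmanager:GetSecretValue on resource: "
    "arn:aws:secretsmanager:us-west-2:123456789012:secret:NEW_RELIC_LICENSE_KEY-AbCdEf")
SAMPLE_LOG_LINE = "Failed to retrieve license key " + ACCESS_DENIED_TEXT


def denied_fetcher(name: str) -> str:
    """Simulates a fetch by a role lacking secretsmanager:GetSecretValue."""
    raise PermissionError(ACCESS_DENIED_TEXT)


def in_memory_fetcher(name: str) -> str:
    """Simulates a readable secret in the assumed {"LicenseKey": ...} layout."""
    return json.dumps({"LicenseKey": "YOUR_LICENSE_KEY"})


if __name__ == "__main__":
    found = parse_access_denied(SAMPLE_LOG_LINE)
    print(json.dumps(execution_role_statement(found["resource"]), indent=2))
```

The statement the block prints for the sample line names only the secret that was denied, which is the grant to add to the execution role's policy; granting `secretsmanager:GetSecretValue` on `*` would also silence the error but lets every function in the account read every secret.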