Step 1: Link your AWS and New Relic accounts

This is the first step to enable New Relic's AWS Lambda monitoring.

When you link your AWS account to New Relic, you're granting permission to New Relic to create an inventory of your AWS account, and gather CloudWatch metrics for your Lambda functions. Resources in your AWS account then show up as entities in the explorer, decorated with config information.

Lambda serverless function monitoring requires either an API Polling or Metric Streams integration. You can set up your choice of integration before you start this account linking, or you can let the CLI install the API Polling integration for you.

In this integration step, we'll also store your New Relic License Key in the AWS Secrets Manager service, so that we can send your telemetry to your New Relic account.

Recommended method: The newrelic-lambda CLI

Requirements

To enable serverless monitoring using our Lambda layer, you need the following:

  • AWS CLI v2 installed and configured using aws configure.
  • Python version 3.3 or higher installed.
  • newrelic-lambda CLI, which you can install by running pip3 install newrelic-lambda-cli.
  • A New Relic account. You must have an admin role or have the Infrastructure manager add-on role.
  • A user key.
  • An AWS account with permissions for creating IAM resources, managed secrets, and Lambdas. You also need permissions for creating CloudFormation stacks and S3 buckets.

Integrate with CLI

Since Lambda serverless function monitoring requires either an API Polling or Metric Streams integration, the CLI will automatically install API Polling if it doesn't see an integration. If you prefer Metric Streams, install that now before running the CLI.

When all the requirements are in place, link your AWS account with your New Relic account by running the following command using your user key (replace all the highlighted values):

newrelic-lambda integrations install --nr-account-id YOUR_NR_ACCOUNT_ID \
    --nr-api-key YOUR_NEW_RELIC_USER_KEY

The newrelic-lambda CLI adds your New Relic license key as a secret in AWS Secrets Manager for greater security.

Tip

Storing the New Relic license key in the AWS Secrets Manager

Your New Relic license key identifies and authenticates you to New Relic, allowing us to associate your telemetry with your New Relic account. Each function that sends telemetry needs access to this value, and it needs to be managed securely. The AWS Secrets Manager solves these problems.

If your organization prevents you from using AWS Secrets Manager or if you need to store more than one secret per region, see below for an alternative method to set your license key.

Alternative method

Troubleshooting

Cannot use AWS Secrets Manager

If your organization does not allow the use of AWS Secrets Manager, the New Relic Lambda Extension will accept a NEW_RELIC_LICENSE_KEY environment variable. Add the --disable-license-key-secret flag to the newrelic-lambda integrations install command. Then set this environment variable to your New Relic license key in your Lambda function configuration.
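With this fallback the license key lives in the function configuration, where it is returned to any caller allowed to read that configuration, so it helps to keep an inventory of which functions carry it. The following is an added example, not part of the New Relic docs or CLI: it audits the JSON printed by aws lambda list-functions --output json and never echoes the full key. The sample data and the helper name audit_license_key_env are constructed for illustration.

```python
import json

ENV_NAME = "NEW_RELIC_LICENSE_KEY"  # variable name given in the text above

# Constructed sample in the shape `aws lambda list-functions --output json` returns.
SAMPLE_LIST_FUNCTIONS = json.dumps({"Functions": [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {ENV_NAME: "0123456789abcdefEXAMPLE"}}},
    {"FunctionName": "billing-job",
     "KMSKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE",
     "Environment": {"Variables": {ENV_NAME: "fedcba9876543210EXAMPLE"}}},
    {"FunctionName": "thumbnailer",
     "Environment": {"Variables": {"STAGE": "prod"}}},
    {"FunctionName": "no-env"},
]})


def audit_license_key_env(list_functions_json):
    """List functions that hold the license key in an environment variable."""
    findings = []
    for fn in json.loads(list_functions_json).get("Functions", []):
        # Environment may be absent, or present without a Variables map.
        variables = fn.get("Environment", {}).get("Variables") or {}
        if ENV_NAME not in variables:
            continue
        findings.append({
            "function": fn["FunctionName"],
            # Without KMSKeyArn the variables use the default AWS managed key.
            "customer_managed_kms": bool(fn.get("KMSKeyArn")),
            # Keep only the last four characters so reports do not leak the key.
            "key_hint": "..." + variables[ENV_NAME][-4:],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_license_key_env(SAMPLE_LIST_FUNCTIONS):
        print(finding)
```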

Multiple AWS regions and accounts

The newrelic-lambda CLI should be run once per region, with the --aws-region parameter. Use the same linked account name, and the tool will detect that the account link has been created already. The license key secret needs to be created in each region.

Similarly, several AWS accounts can be linked to a New Relic account. Give each account a different linked account name. The --aws-profile argument to the CLI tool will select the named profile. The tool uses the same configuration as the AWS CLI.

Lambda function not showing as instrumented

You've instrumented your Lambda function but it is not showing as instrumented in the Amazon Web Services -> Lambda functions section of New Relic.

You've linked both an API polling and Metric Streams integration to your New Relic account manually in the UI.

In this scenario with two integrations for the same AWS account in one New Relic account, a race condition will occur when instrumented payloads are received from the instrumented Lambda function at the New Relic cloud-collector endpoint. The payload will be randomly assigned to one of the two integrations. If assigned to the integration not linked to your function entity, the payload will be dropped and the function will not show as instrumented. Only functions that have received at least one payload in the last 30 days to the AwsLambdaInvocation event will show as instrumented.

FROM AwsLambdaInvocation SELECT count(*) SINCE 30 days ago WHERE entityGuid = 'xyz' LIMIT 1

To prevent creating two integrations for the same AWS account, we recommend you use the newrelic-lambda CLI, as mentioned above, because it will detect an existing integration and use it.

If two integrations have already been created, choose one to keep and unlink the other by clicking Unlink this account at Infrastructure > AWS in New Relic.

Tip

There are some limitations to Metric Streams integrations that should be considered before unlinking an API polling integration. There are also some limitations to Infrastructure Dimensional metrics queries which should be considered before fully committing to a Metric Streams integration.

Failure to retrieve license key AccessDeniedException

Your Lambda function's execution role must have permission to read from AWS Secrets Manager. If you find a log like the following, add the appropriate permission to the policy of the execution role. In our examples, check out the template.yaml file to see an easy way to grant this permission.

Failed to retrieve license key AccessDeniedException: User: <ARN> is not authorized to perform: secretsmanager:GetSecretValue on resource: <ARN>
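
An added example, not from the New Relic docs or CLI: it scans function logs for the error line above, extracts the execution role name and the secret ARN, and builds an IAM policy that allows only the denied action on that one secret rather than a wildcard. The ARNs in the sample log and the helper names find_denials and least_privilege_policy are constructed for illustration; the role-name parsing assumes the principal is an STS assumed-role ARN, as it is for a Lambda execution role.

```python
import json
import re

# Shape of the error line quoted above; the ARNs in SAMPLE_LOG are constructed.
DENIED = re.compile(
    r"Failed to retrieve license key AccessDeniedException: "
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>secretsmanager:\w+) on resource: (?P<resource>\S+)"
)
# Lambda's principal is an STS ARN: ...:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE = re.compile(r"^arn:[\w-]+:sts::\d{12}:assumed-role/(?P<role>[\w+=,.@-]+)/.+$")

SAMPLE_LOG = """\
START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST
Failed to retrieve license key AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/example-fn-role/example-fn is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:EXAMPLE_LICENSE_KEY-AbCdEf
END RequestId: 00000000-0000-0000-0000-000000000000
"""

def find_denials(log_text):
    """Return one dict per denied call: execution role name, action, secret ARN."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            role = ASSUMED_ROLE.match(m["principal"])
            denials.append({
                # Fall back to the raw principal if it is not an assumed role.
                "role": role["role"] if role else m["principal"],
                "action": m["action"],
                "resource": m["resource"],
            })
    return denials

def least_privilege_policy(denials):
    """Allow only the denied action, and only on the exact secret ARNs seen."""
    by_action = {}
    for d in denials:
        by_action.setdefault(d["action"], set()).add(d["resource"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
            for action, arns in sorted(by_action.items())
        ],
    }

if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(find_denials(SAMPLE_LOG)), indent=2))
```

Attach the resulting document to the role named in each finding; repeated log lines for the same secret collapse into a single statement.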
Copyright © 2022 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.