This is the first step to enable New Relic's AWS Lambda monitoring.
When you link your AWS account to New Relic, you're granting permission to New Relic to create an inventory of your AWS account, and gather CloudWatch metrics for your Lambda functions. Resources in your AWS account then show up as entities in the explorer, decorated with config information.
For Lambda serverless function monitoring to work, it requires either an API Polling or Metric Streams integration. You can set up your choice of integration before you start this account linking, or you can let the CLI install the API Polling integration for you.
In this integration step, we'll also store your New Relic in the AWS Secrets Manager service, so that we can send your telemetry to your New Relic account.
Recommended method: The
To enable serverless monitoring using our Lambda layer, you need the following:
- AWS CLI v2 installed and configured using
- Python version 3.3 or higher installed.
- newrelic-lambda CLI,
which you can install by running
pip3 install newrelic-lambda-cli.
- A New Relic account. You must have an admin role or have the Infrastructure manager add-on role.
- A user key.
- An AWS account with permissions for creating IAM resources, managed secrets, and Lambdas. You also need permissions for creating CloudFormation stacks and S3 buckets.
Integrate with CLI
Since Lambda serverless function monitoring requires either an API Polling or Metric Streams integration, the CLI will automatically install API Polling if it doesn't see an integration. If you prefer Metric Streams, install that now before running the CLI.
When all the requirements are in place, link your AWS account with your New Relic account by running the following command using your user key (replace all the highlighted values):
newrelic-lambda integrations install --nr-account-id YOUR_NR_ACCOUNT_ID \ --nr-api-key YOUR_NEW_RELIC_USER_KEY
newrelic-lambda CLI adds your New Relic as a secret in AWS Secret Manager for greater security.
Storing the New Relic license key in the AWS Secrets Manager
Your identifies and authenticates you to New Relic, allowing us to associate your telemetry with your New Relic account. Each function that sends telemetry needs access to this value, and it needs to be managed securely. The AWS Secrets Manager solves these problems.
If your organization prevents you from using AWS Secrets Manager or if you need to store more than one secret per region, see below for an alternative method to set your license key.
Did this doc help with your installation?
Cannot use AWS secrets manager
If your organization does not allow the use of AWS Secrets Manager, the New Relic Lambda Extension will accept a
NEW_RELIC_LICENSE_KEY environment variable. Add the
--disable-license-key-secret flag from the
newrelic-lambda integrations install command. Then set this environment variable to your in your Lambda function configuration.
Multiple AWS regions and accounts
newrelic-lambda CLI should be run once per region, with the
--aws-region parameter. Use the same linked account name, and the tool will detect that the account link has been created already. The secret needs to be created in each region.
Similarly, several AWS accounts can be linked to a New Relic account. Give each account a different linked account name. The
--aws-profile argument to the CLI tool will select the named profile. The tool uses the same configuration as the AWS CLI.
Lambda function not showing as instrumented
You've instrumented your Lambda function but it is not showing as instrumented in the Amazon Web Services -> Lambda functions section of New Relic.
You've linked both an API polling and Metric Streams integration to your New Relic account manually in the UI.
In this scenario with two integrations for the same AWS account in one New Relic account, a race condition will occur when instrumented payloads are received from the instrumented Lambda function at the New Relic cloud-collector endpoint. The payload will be randomly assigned to one of the two integrations. If assigned to the integration not linked to your function entity, the payload will be dropped and the function will not show as instrumented. Only functions that have received at least one payload in the last 30 days to the
AwsLambdaInvocation event will show as instrumented.
FROM AwsLambdaInvocation SELECT count(*) SINCE 30 days ago WHERE entityGuid = 'ENTITY_GUID' LIMIT 1
To prevent creating two integrations for the same AWS account, we recommend you use the
newrelic-lambda CLI, as mentioned above, because it will detect an existing integration and use it.
If two integrations have already been created, choose one to keep and unlink the other by clicking Unlink this account at Infrastructure > AWS in New Relic.
There are some limitations to Metric Streams integrations that should be considered before unlinking an API polling integration. There are also some limitations to Infrastructure Dimensional metrics queries which should be considered before fully committing to a Metric Streams integration.
Failure to retrieve license key
Your lambda code requires the execution role which has permission to read AWS Secrets Manager. If you find a log like the following, add the appropriate permission to the policy of the execution role. In our examples, check out the
template.yaml file to see an easy way to grant this permission.
Failed to retrieve license key AccessDeniedException: User: <ARN> is not authorized to perform: secretsmanager:GetSecretValue on resource: <ARN>