This is the first step to enable New Relic's AWS Lambda monitoring.
When you link your AWS account to New Relic, you're granting permission to New Relic to create an inventory of your AWS account, and gather CloudWatch metrics for your Lambda functions. Resources in your AWS account then show up as entities in the explorer, decorated with config information.
For Lambda serverless function monitoring to work, it requires either an API Polling or Metric Streams integration. You can set up your choice of integration before you start this account linking, or you can let the CLI install the API Polling integration for you.
In this integration step, we'll also store your New Relic License Key in the AWS Secrets Manager service, so that we can send your telemetry to your New Relic account.
To enable serverless monitoring using our Lambda layer, you need the following:
- AWS CLI v2 installed and configured using
- Python version 3.3 or higher installed.
- newrelic-lambda CLI,
which you can install by running
pip3 install newrelic-lambda-cli.
- A New Relic account. You must have an admin role or have the Infrastructure manager add-on role.
- A user key.
- An AWS account with permissions for creating IAM resources, managed secrets, and Lambdas. You also need permissions for creating CloudFormation stacks and S3 buckets.
Since Lambda serverless function monitoring requires either an API Polling or Metric Streams integration, the CLI will automatically install API Polling if it doesn't see an integration. If you prefer Metric Streams, install that now before running the CLI.
newrelic-lambda CLI adds your New Relic license key as a secret in AWS Secret Manager for greater security.
Storing the New Relic license key in the AWS Secrets Manager
Your New Relic license key identifies and authenticates you to New Relic, allowing us to associate your telemetry with your New Relic account. Each function that sends telemetry needs access to this value, and it needs to be managed securely. The AWS Secrets Manager solves these problems.
If your organization prevents you from using AWS Secrets Manager or if you need to store more than one secret per region, see below for an alternative method to set your license key.
If your organization does not allow the use of AWS Secrets Manager, the New Relic Lambda Extension will accept a
NEW_RELIC_LICENSE_KEY environment variable. Add the
--disable-license-key-secret flag from the
newrelic-lambda integrations install command. Then set this environment variable to your New Relic license key in your Lambda function configuration.
newrelic-lambda CLI should be run once per region, with the
--aws-region parameter. Use the same linked account name, and the tool will detect that the account link has been created already. The license key secret needs to be created in each region.
Similarly, several AWS accounts can be linked to a New Relic account. Give each account a different linked account name. The
--aws-profile argument to the CLI tool will select the named profile. The tool uses the same configuration as the AWS CLI.
Your lambda code requires the execution role which has permission to read AWS Secrets Manager. If you find a log like the following, add the appropriate permission to the policy of the execution role. In our examples, check out the
template.yaml file to see an easy way to grant this permission.
Failed to retrieve license key AccessDeniedException: User: <ARN> is not authorized to perform: secretsmanager:GetSecretValue on resource: <ARN>