• /
  • Log in
  • Free account

Step 1: Link your AWS and New Relic accounts

This is one step of enabling New Relic's AWS Lambda monitoring.

When you link your AWS account to New Relic, you're granting permission to New Relic to create an inventory of your AWS account, and gather CloudWatch metrics for your Lambda functions. Resources in your AWS account then show up as entities in the explorer, decorated with config information.

In this integration step, we'll also store your New Relic License Key in the AWS Secrets Manager service, so that we can send your telemetry to your New Relic account.

Recommended method: The newrelic-lambda CLI


To enable serverless monitoring using our Lambda layer, you need the following:

  • AWS CLI v2 installed and configured using aws configure.
  • Python version 3.3 or higher installed.
  • newrelic-lambda CLI, which you can install by running pip3 install newrelic-lambda-cli.
  • A New Relic account. You must have an admin role or have the Infrastructure manager add-on role.
  • A user key.
  • An AWS account with permissions for creating IAM resources, managed secrets, and Lambdas. You also need permissions for creating CloudFormation stacks and S3 buckets.

Integrate with CLI

When all the requirements are in place, link your AWS account with your New Relic account by running the following command using your user key (replace all the highlighted values):

newrelic-lambda integrations install --nr-account-id YOUR_NR_ACCOUNT_ID \
    --nr-api-key YOUR_NEW_RELIC_USER_KEY

The newrelic-lambda CLI adds your New Relic license key as a secret in AWS Secret Manager for greater security.


Storing the New Relic license key in the AWS Secrets Manager

Your New Relic license key identifies and authenticates you to New Relic, allowing us to associate your telemetry with your New Relic account. Each function that sends telemetry needs access to this value, and it needs to be managed securely. The AWS Secrets Manager solves these problems.

If your organization prevents you from using AWS Secrets Manager or if you need to store more than one secret per region, see below for an alternative method to set your license key.

Alternative method


Cannot use AWS secrets manager

If your organization does not allow the use of AWS Secrets Manager, the New Relic Lambda Extension will accept a NEW_RELIC_LICENSE_KEY environment variable. Add the --disable-license-key-secret flag from the newrelic-lambda integrations install command. Then set this environment variable to your New Relic license key in your Lambda function configuration.

Multiple AWS regions and accounts

The newrelic-lambda CLI should be run once per region, with the --aws-region parameter. Use the same linked account name, and the tool will detect that the account link has been created already. The license key secret needs to be created in each region.

Similarly, several AWS accounts can be linked to a New Relic account. Give each account a different linked account name. The --aws-profile argument to the CLI tool will select the named profile. The tool uses the same configuration as the AWS CLI.

Failure to retrieve license key AccessDeniedException

Your lambda code requires the execution role which has permission to read AWS Secrets Manager. If you find a log like the following, add the appropriate permission to the policy of the execution role. In our examples, check out the template.yaml file to see an easy way to grant this permission.

Failed to retrieve license key AccessDeniedException: User: <ARN> is not authorized to perform: secretsmanager:GetSecretValue on resource: <ARN>

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.