preview
We're still working on this feature, but we'd love for you to try it out!
This feature is currently provided as part of a preview program pursuant to our pre-release policies.
Authorize New Relic workflow automation to perform actions in your AWS account. You'll configure an authentication method that allows workflows to securely interact with AWS services like EC2, SQS, DynamoDB, and more—without hardcoding credentials or compromising security.
Prerequisites
Before setting up AWS credentials, ensure you have:
- An AWS account with permission to create IAM roles or users.
- Your New Relic account ID.
- Admin access to the AWS IAM Console.
Understand required permissions
Before creating credentials, understand what permissions your workflows need. Grant only the permissions your workflows actually use—this follows the principle of least privilege and minimizes security risk.
Common workflow permissions
Workflow type | Required AWS permissions | Description |
|---|---|---|
EC2 management |
| Stop, start, or modify EC2 instances in response to alerts |
SQS messaging |
| Send messages to SQS queues for downstream processing |
API Gateway |
| Roll back API Gateway deployments or configurations |
Systems Manager |
| Execute automation runbooks |
DynamoDB |
| Read from or write to DynamoDB tables |
Tip
Start with read-only permissions (Describe*, Get*, List*), then add write permissions (Put*, Create*, Delete*) only as needed. This prevents accidental destructive actions during testing.
See Policy examples below for complete IAM policy templates.
Set up authentication
Choose the method that matches your use case from the table above:
An IAM role allows New Relic to assume temporary credentials in your AWS account without requiring permanent access keys.
IAM role characteristics:
Credentials rotate automatically
Access is time-limited by design
All actions are logged in AWS CloudTrail
Aligns with AWS security best practices
Create the role in AWS
Sign in to the AWS IAM Console
Navigate to Roles > Create role > Trusted entity type and select AWS account > another AWS account
In the Account ID field, enter:
253490767857Under Options, check Require external ID
In the External ID field, enter your New Relic account ID and click Next.
- Don't have it? Find your account ID here
On the Add permissions page, attach policies based on your workflows:
- For EC2 workflows: Attach
AmazonEC2ReadOnlyAccessor create a custom policy - For SQS workflows: Attach
AmazonSQSFullAccessor limit to specific queues - For other services: See Required AWS permissions
- For EC2 workflows: Attach
Click Next.
Enter a role name:
NewRelicWorkflowAutomationRole(or your preferred name)Optionally add a description: "Allows New Relic workflow automation to perform actions in AWS", and click Create role.
Verify the trust policy
After creating the role, verify the trust relationship:
In the IAM console, select your newly created role
Click the Trust relationships tab
Confirm the policy matches this structure (replace
<YOUR_NR_ACCOUNT_ID>with your actual account ID):{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Principal": {"AWS": "arn:aws:iam::253490767857:root"},"Condition": {"StringEquals": {"sts:ExternalId": "<YOUR_NR_ACCOUNT_ID>"}}}]}
Copy your role ARN
You'll need the role ARN to configure workflows:
In the IAM console, select your role
In the Summary section, locate the ARN field
Copy the full ARN—it looks like:
arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRoleSave this ARN securely—you'll paste it directly into workflow configurations
Tip
Important: Role ARNs go directly in workflow inputs—don't store them in secrets manager. They're not sensitive credentials; they're resource identifiers.
The role is now configured. Use the ARN in workflow configurations that require AWS access.
Use this method for testing environments or when IAM roles aren't supported. Access keys are long-lived credentials that require manual rotation.
Use cases:
Testing and development environments
AWS configurations that don't support cross-account role assumption
Simplified authentication workflows
Caution
Access keys are long-lived credentials. Rotate them regularly (every 90 days) and limit permissions to only what your workflows need.
Create the IAM user
Sign in to the AWS IAM Console
Navigate to Users > Create user and enter a username:
workflow-automation-user(or your preferred name)Click Next
On the Set permissions page, choose Attach policies directly
Search for and select policies based on your workflows:
- For SQS: Select
AmazonSQSFullAccess - For EC2: Select
AmazonEC2ReadOnlyAccess - Or create a custom policy with limited permissions (recommended)
- For SQS: Select
Click Next, then Create user
Generate access keys
In the users list, select your newly created user
Click the Security credentials tab
In the Access keys section, choose Create access key
Select Application running outside AWS and click Next
(Optional) Add a description tag: "New Relic workflow automation"
Choose Create access key
Copy both credentials immediately:
- Access key ID (starts with
AKIA...) - Secret access key (shown only once)
Important
AWS displays the secret access key only once during creation. If you don't save it, you'll need to generate a new key pair.
- Access key ID (starts with
Store credentials securely
Never hardcode AWS credentials in workflows. Store them in New Relic's secrets manager instead.
Open the NerdGraph GraphiQL explorer
Run this mutation to store your Access Key ID (replace the placeholder values):
mutation {secretsManagementCreateSecret(scope: { type: ACCOUNT, id: "YOUR_NR_ACCOUNT_ID" }namespace: "aws"key: "awsAccessKeyId"description: "AWS Access Key ID for workflow automation"value: "YOUR_AWS_ACCESS_KEY_ID") {key}}Run another mutation for your Secret Access Key:
mutation {secretsManagementCreateSecret(scope: { type: ACCOUNT, id: "YOUR_NR_ACCOUNT_ID" }namespace: "aws"key: "awsSecretAccessKey"description: "AWS Secret Access Key for workflow automation"value: "YOUR_AWS_SECRET_ACCESS_KEY") {key}}Reference these secrets in workflows using the syntax:
${{ :secrets:awsAccessKeyId }}Tip
Use the
namespacefield to organize secrets by environment (aws-prod,aws-staging) or team name.
Session tokens provide temporary credentials with automatic expiration.
Use cases:
Local development and testing
CI/CD pipelines requiring credential rotation
Environments with compliance requirements for time-limited access (typically 1-12 hours)
Prerequisites
An existing IAM role you can assume
Generate temporary credentials
Open your terminal and run this command (replace with your role ARN):
bash$aws sts assume-role \>--role-arn "arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE" \>--role-session-name "WorkflowAutomationSession"If this is your first time using AWS CLI, you may need to configure it with
aws configureand enter your access credentials:
AWS returns three values—you need all three:
{"Credentials": {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE","SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","SessionToken": "FQoGZXIvYXdzEBk...","Expiration": "2025-01-25T12:00:00Z"}}Store all three credentials in secrets manager:
AccessKeyIdstore asawsAccessKeyIdSecretAccessKeystore asawsSecretAccessKeySessionTokenstore asawsSessionTokenCaution
Session tokens expire (typically after 1 hour). Set a reminder to refresh them before the
Expirationtimestamp, or your workflows will fail with authentication errors.
Use credentials in workflows
After setting up authentication, reference your credentials in workflow configurations:
IAM role (recommended)
Paste the role ARN directly into workflow inputs—no secrets manager needed:
awsRoleArn: arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRoleTip
Role ARNs are resource identifiers, not sensitive credentials. Don't store them in secrets manager—paste them directly into workflow configurations.
IAM user or session tokens
Reference secrets manager for access keys:
awsAccessKeyId: ${{ :secrets:awsAccessKeyId }}awsSecretAccessKey: ${{ :secrets:awsSecretAccessKey }}awsSessionToken: ${{ :secrets:awsSessionToken }} # Only for session tokensNew Relic retrieves secrets at runtime, authenticates with AWS, then discards them. Your credentials never appear in logs or workflow history.
Policy examples
Use these complete IAM policy templates for common workflow types. Each follows the principle of least privilege by restricting access to specific resources.
Additional resources
For comprehensive AWS permission references:
AWS integrations managed policies: Complete list of AWS permissions by service, plus CloudFormation templates you can adapt
Set up AWS API polling: Additional setup patterns
Important
Those resources use account ID
754728514883for cloud integrations (monitoring). For workflow automation, always use253490767857.
What's next
- Create destinations: Set up Slack, email, or webhook notifications.
- Actions catalog: View all available AWS, New Relic, and integration actions.