preview
We're still working on this feature, but we'd love for you to try it out!
This feature is currently provided as part of a preview program pursuant to our pre-release policies.
Authorize New Relic workflow automation to perform actions in your AWS account. You'll configure an authentication method that allows workflows to securely interact with AWS services like EC2, SQS, DynamoDB, and more—without hardcoding credentials or compromising security.
Prerequisites
Before setting up AWS credentials, ensure you have:
- An AWS account with permission to create IAM roles or users.
- Your New Relic account ID.
- Admin access to the AWS IAM Console.
Understand required permissions
Before creating credentials, understand what permissions your workflows need. Grant only the permissions your workflows actually use—this follows the principle of least privilege and minimizes security risk.
Common workflow permissions
| Workflow type | Required AWS permissions | Description |
|---|---|---|
| EC2 management | ec2:DescribeInstancesec2:StopInstancesec2:StartInstancesec2:ModifyInstanceAttribute | Stop, start, or modify EC2 instances in response to alerts |
| SQS messaging | sqs:SendMessagesqs:GetQueueAttributes | Send messages to SQS queues for downstream processing |
| API Gateway | apigateway:GETapigateway:PUT | Roll back API Gateway deployments or configurations |
| Systems Manager | ssm:CreateDocumentssm:DeleteDocumentssm:StartAutomationExecutionssm:GetAutomationExecution | Execute automation runbooks |
| DynamoDB | dynamodb:Querydynamodb:GetItemdynamodb:PutItem | Read from or write to DynamoDB tables |
Sugerencia
Start with read-only permissions (Describe*, Get*, List*), then add write permissions (Put*, Create*, Delete*) only as needed. This prevents accidental destructive actions during testing.
See Policy examples below for complete IAM policy templates.
Set up authentication
Choose the method that matches your use case from the table above:
An IAM role allows New Relic to assume temporary credentials in your AWS account without requiring permanent access keys.
IAM role characteristics:
Credentials rotate automatically
Access is time-limited by design
All actions are logged in AWS CloudTrail
Aligns with AWS security best practices
Create the role in AWS
- Sign in to the AWS IAM Console
- Navigate to Roles > Create role > Trusted entity type and select AWS account > another AWS account
- In the Account ID field, enter:
253490767857 - Under Options, check Require external ID
- In the External ID field, enter your New Relic account ID and click Next.
- Don't have it? Find your account ID here
- On the Add permissions page, attach policies based on your workflows:
- For EC2 workflows: Attach
AmazonEC2ReadOnlyAccessor create a custom policy - For SQS workflows: Attach
AmazonSQSFullAccessor limit to specific queues - For other services: See Required AWS permissions below
Click Next.
Enter a role name:
NewRelicWorkflowAutomationRole(or your preferred name)Optionally add a description: "Allows New Relic workflow automation to perform actions in AWS", and click Create role.
Verify the trust policy
After creating the role, verify the trust relationship:
In the IAM console, select your newly created role
Click the Trust relationships tab
Confirm the policy matches this structure (replace
<YOUR_NR_ACCOUNT_ID>with your actual account ID):{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Principal": {"AWS": "arn:aws:iam::253490767857:root"},"Condition": {"StringEquals": {"sts:ExternalId": "<YOUR_NR_ACCOUNT_ID>"}}}]}Copy your role ARN
You'll need the role ARN to configure workflows:
In the IAM console, select your role
In the Summary section, locate the ARN field
Copy the full ARN—it looks like:
arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRoleSave this ARN securely—you'll paste it directly into workflow configurations
Sugerencia
Important: Role ARNs go directly in workflow inputs—don't store them in secrets manager. They're not sensitive credentials; they're resource identifiers.
The role is now configured. Use the ARN in workflow configurations that require AWS access.
Use this method for testing environments or when IAM roles aren't supported. Access keys are long-lived credentials that require manual rotation.
Use cases:
Testing and development environments
AWS configurations that don't support cross-account role assumption
Simplified authentication workflows
Advertencia
Access keys are long-lived credentials. Rotate them regularly (every 90 days) and limit permissions to only what your workflows need.
Create the IAM user
- Sign in to the AWS IAM Console
- Navigate to Users > Create user and enter a username:
workflow-automation-user(or your preferred name) - Click Next
- On the Set permissions page, choose Attach policies directly
- Search for and select policies based on your workflows:
- For SQS: Select
AmazonSQSFullAccess - For EC2: Select
AmazonEC2ReadOnlyAccess - Or create a custom policy with limited permissions (recommended)
Click Next, then Create user
Generate access keys
In the users list, select your newly created user
Click the Security credentials tab
In the Access keys section, choose Create access key
Select Application running outside AWS and click Next
(Optional) Add a description tag: "New Relic workflow automation"
Choose Create access key
Copy both credentials immediately:
Access key ID (starts with
AKIA...)Secret access key (shown only once)
Importante
AWS displays the secret access key only once during creation. If you don't save it, you'll need to generate a new key pair.
Store credentials securely
Never hardcode AWS credentials in workflows. Store them in New Relic's secrets manager instead.
Open the NerdGraph GraphiQL explorer
Run this mutation to store your Access Key ID (replace the placeholder values):
mutation {secretsManagementCreateSecret(scope: { type: ACCOUNT, id: "YOUR_NR_ACCOUNT_ID" }namespace: "aws"key: "awsAccessKeyId"description: "AWS Access Key ID for workflow automation"value: "YOUR_AWS_ACCESS_KEY_ID") {key}}Run another mutation for your Secret Access Key:
mutation {secretsManagementCreateSecret(scope: { type: ACCOUNT, id: "YOUR_NR_ACCOUNT_ID" }namespace: "aws"key: "awsSecretAccessKey"description: "AWS Secret Access Key for workflow automation"value: "YOUR_AWS_SECRET_ACCESS_KEY") {key}}Reference these secrets in workflows using the syntax:
${{ :secrets:awsAccessKeyId }}Sugerencia
Use the
namespacefield to organize secrets by environment (aws-prod,aws-staging) or team name.
Session tokens provide temporary credentials with automatic expiration.
Use cases:
Local development and testing
CI/CD pipelines requiring credential rotation
Environments with compliance requirements for time-limited access (typically 1-12 hours)
Prerequisites:
An existing IAM role you can assume
Generate temporary credentials
Open your terminal and run this command (replace with your role ARN):
bash$aws sts assume-role \>--role-arn "arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE" \>--role-session-name "WorkflowAutomationSession"If this is your first time using AWS CLI, you may need to configure it with
aws configureand enter your access credentials:
AWS returns three values—you need all three:
{"Credentials": {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE","SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","SessionToken": "FQoGZXIvYXdzEBk...","Expiration": "2025-01-25T12:00:00Z"}}Store all three credentials in secrets manager:
AccessKeyIdstore asawsAccessKeyIdSecretAccessKeystore asawsSecretAccessKeySessionTokenstore asawsSessionTokenAdvertencia
Session tokens expire (typically after 1 hour). Set a reminder to refresh them before the
Expirationtimestamp, or your workflows will fail with authentication errors.
Use credentials in workflows
After setting up authentication, reference your credentials in workflow configurations:
IAM role (recommended)
Paste the role ARN directly into workflow inputs—no secrets manager needed:
awsRoleArn: arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRoleSugerencia
Role ARNs are resource identifiers, not sensitive credentials. Don't store them in secrets manager—paste them directly into workflow configurations.
IAM user or session tokens
Reference secrets manager for access keys:
awsAccessKeyId: ${{ :secrets:awsAccessKeyId }}awsSecretAccessKey: ${{ :secrets:awsSecretAccessKey }}awsSessionToken: ${{ :secrets:awsSessionToken }} # Only for session tokensNew Relic retrieves secrets at runtime, authenticates with AWS, then discards them. Your credentials never appear in logs or workflow history.
Policy examples
Use these complete IAM policy templates for common workflow types. Each follows the principle of least privilege by restricting access to specific resources.
Additional resources
For comprehensive AWS permission references:
- AWS integrations managed policies: Complete list of AWS permissions by service, plus CloudFormation templates you can adapt
- Set up AWS API polling: Additional setup patterns
Importante
Those resources use account ID 754728514883 for cloud integrations (monitoring). For workflow automation, always use 253490767857.
Next steps
After configuring AWS credentials, you can create workflows:
Create workflows:
Browse AWS actions: View available AWS operations (EC2, SQS, DynamoDB, etc.)
Use a template: Deploy pre-configured workflows for common AWS automation tasks
Create a custom workflow: Build workflows for your specific requirements
Configure notifications:
- Set up destinations: Configure Slack, PagerDuty, email, or webhook notifications for workflow events