
Set up AWS IAM role

An IAM role allows New Relic to assume temporary credentials in your AWS account without requiring permanent access keys. This approach offers several advantages:

  • Credentials rotate automatically
  • Access is time-limited by design
  • All actions are logged in AWS CloudTrail
  • Aligns with AWS security best practices

Prerequisites

Before creating an IAM role, ensure you have:

Set up the IAM role

Create the role in AWS

  1. Sign in to the AWS IAM Console
  2. Navigate to Roles and click Create role
  3. Under Trusted entity type, select AWS account
  4. Select Another AWS account
  5. In the Account ID field, enter: 253490767857
  6. Under Options, check Require external ID
  7. In the External ID field, enter your New Relic account ID and click Next.
  8. On the Add permissions page, attach policies based on your workflows. For example:
    • For EC2 workflows: Attach AmazonEC2ReadOnlyAccess or create a custom policy
    • For SQS workflows: Attach AmazonSQSFullAccess or limit to specific queues
    • For other services, see AWS policy examples
  9. Click Next.
  10. Enter a role name: NewRelicWorkflowAutomationRole (or your preferred name)
  11. Optionally add a description, such as "Allows New Relic workflow automation to perform actions in AWS", then click Create role.

Verify the trust policy

After creating the role, verify the trust relationship:

  1. In the IAM console, select your newly created role
  2. Click the Trust relationships tab
  3. Confirm the policy matches this structure (replace <YOUR_NR_ACCOUNT_ID> with your actual account ID). The Principal must be this account, and sts:ExternalId must match your New Relic account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::253490767857:root"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR_NR_ACCOUNT_ID>"
        }
      }
    }
  ]
}

What to verify

  • Principal AWS account is 253490767857 (New Relic's account)

  • External ID matches your New Relic account ID exactly

  • Action is sts:AssumeRole

    Caution

    Trust policy doesn't match? If the account ID is different, delete the role and recreate it. The account ID must be 253490767857.
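
The three checks above can also be run as a script. This is an added example, not New Relic's or AWS's own code: it assumes the trust policy is available as JSON text, and the function names and the external ID 1234567 are placeholders.

```python
import json

NR_ACCOUNT = "253490767857"  # New Relic's AWS account ID, from this page
NR_PRINCIPALS = {NR_ACCOUNT, f"arn:aws:iam::{NR_ACCOUNT}:root"}


def as_list(value):
    """IAM accepts a bare string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, external_id):
    """Return a list of problems; an empty list means the policy matches."""
    problems = []
    allows = [s for s in as_list(json.loads(policy_json).get("Statement"))
              if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("no Allow statement")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        # Reject "*", Service/Federated principals, and any other account.
        aws = set(as_list(principal.get("AWS"))) if isinstance(principal, dict) else set()
        if set(principal or ()) != {"AWS"} or not aws or not aws <= NR_PRINCIPALS:
            problems.append(f"Allow statement {i}: principal is not only account {NR_ACCOUNT}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            problems.append(f"Allow statement {i}: action is not sts:AssumeRole")
        # Without this condition, anyone who can act as the trusted account
        # and knows the role ARN could assume the role (confused deputy).
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(equals.get("sts:ExternalId")) != [str(external_id)]:
            problems.append(f"Allow statement {i}: sts:ExternalId missing or wrong")
    return problems


# Constructed sample: a role created without "Require external ID" checked.
SAMPLE_NO_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::253490767857:root"},
    }],
})

if __name__ == "__main__":
    for problem in check_trust_policy(SAMPLE_NO_EXTERNAL_ID, "1234567"):
        print(problem)
```

To check a real role, pass in the output of aws iam get-role --role-name <ROLE_NAME> --query Role.AssumeRolePolicyDocument along with your New Relic account ID.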

Copy your role ARN

You'll need the role ARN to configure workflows.

Important

Role ARNs are resource identifiers, not sensitive credentials. Don't store them in secrets manager—paste them directly into workflow configurations.

To get your role ARN:

  1. In the IAM console, select your role

  2. In the Summary section, locate the ARN field

  3. Copy the full ARN—it looks like: arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRole

    The role is now ready. Use the ARN in your workflows.

AWS credentials overview

Compare IAM role with other authentication methods

AWS policy examples

Find the right IAM permissions for your workflows

IAM user setup

Alternative: Use IAM user for testing environments

EC2 management example

See IAM roles in action with EC2 workflows

Copyright © 2026 New Relic Inc.
