Avoid creating NEW_RELIC_LICENSE_KEY environment variable using serverless plugin

I used the serverless-newrelic-lambda-layers plugin to add the New Relic Lambda layer to my functions.
I had already created the NEW_RELIC_LICENSE_KEY in Secrets Manager but after the deployment, the plugin created an environment variable NEW_RELIC_LICENSE_KEY and displayed the key there.

This leads to the New Relic agent startup publishing a warning:

> [NR_EXT] Startup check failed: There is both a AWS Secrets Manager secret and a NEW_RELIC_LICENSE_KEY environment variable set. Recommend removing the NEW_RELIC_LICENSE_KEY environment variable and using the AWS Secrets Manager secret.

How can I disable this? I believe this should never be the case and if setting the environment variable is required, the disableLicenseKeySecret option needs to be set to true.

Hi @kumarharshit,

Thanks for detailing this issue. It’s possible that we are failing to detect your secret since it was manually created. Which version of the Serverless Plugin are you using? I’m assuming version 1.1.8.

To manually create the secret, make sure two things are set:

  1. The license key secret has to be named LicenseKey.
  2. The function’s execution role needs an add-on policy to allow the function to retrieve the license key secret value.

The other thing you could try is to delete the manually created secret and let the Serverless Plugin recreate it. I like to set debug mode on the Serverless Plugin to get more details on any errors that might occur on deploy.

If that still doesn’t work, perhaps it could be a bug in the logic.

If not managedSecretConfigured, we will default to using the environment variable.

There are only two places where we set managedSecretConfigured to true.

  1. If the secret exists
  2. If it doesn’t AND we successfully create it

I’m assuming in your case two things are happening:

  1. We are not detecting your manually created secret. We do this by looking for a secrets policy with a name like NewRelic-ViewLicenseKey-${this.region}. I’m guessing we’re not finding a match in your AWS IAM.
  2. We then fail to create the secret because a secret with the same name already exists (it was manually created).
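Added example, not part of the thread and not the plugin's own code: a small Node.js check that models the fallback described in the reply above, so you can tell from AWS CLI output whether a deploy will end up with the license key in a plain-text environment variable. The function name, the exact-match policy lookup, and the sample data are assumptions made for illustration; the secret name `LicenseKey` and the policy name pattern are taken from the reply.

```javascript
// Inputs are the parsed JSON output of three AWS CLI calls:
//   aws iam list-policies --scope Local
//   aws secretsmanager list-secrets
//   aws lambda get-function-configuration --function-name <fn>
function diagnoseLicenseKeySetup({ region, secretName, policies, secrets, fnConfig }) {
  // Policy name pattern quoted in the reply; exact match is an assumption.
  const policyName = `NewRelic-ViewLicenseKey-${region}`;
  const policyFound = policies.Policies.some((p) => p.PolicyName === policyName);
  const secretFound = secrets.SecretList.some((s) => s.Name === secretName);
  const envVars = (fnConfig.Environment && fnConfig.Environment.Variables) || {};
  const keyInEnv = Object.prototype.hasOwnProperty.call(envVars, "NEW_RELIC_LICENSE_KEY");

  // Per the reply: the secret counts as managed if it is detected (policy
  // lookup) or if creating it succeeds. Creation fails when a secret with
  // the same name already exists.
  const createWouldSucceed = !policyFound && !secretFound;
  const managedSecretConfigured = policyFound || createWouldSucceed;

  const findings = [];
  if (!policyFound && secretFound) {
    findings.push(`secret "${secretName}" exists but policy ${policyName} is missing: ` +
      "the secret goes undetected, creation fails, and the environment variable is used");
  }
  if (policyFound && !secretFound) {
    findings.push(`policy ${policyName} exists but secret "${secretName}" does not`);
  }
  if (keyInEnv) {
    findings.push("NEW_RELIC_LICENSE_KEY is stored in plain text in the function configuration");
  }
  return { managedSecretConfigured, keyInEnv, findings };
}

// Constructed sample data matching the situation in the question:
// a manually created secret, no matching IAM policy, key present in env.
const sample = {
  region: "us-east-1",
  secretName: "LicenseKey",
  policies: { Policies: [{ PolicyName: "my-app-logs" }] },
  secrets: { SecretList: [{ Name: "LicenseKey" }] },
  fnConfig: { Environment: { Variables: { NEW_RELIC_LICENSE_KEY: "CONSTRUCTED-PLACEHOLDER" } } },
};
const report = diagnoseLicenseKeySetup(sample);
console.log(report.managedSecretConfigured, report.findings);
```

Anyone with read access to the function configuration can see a key stored this way, so treat a `keyInEnv` finding as a reason to rotate the key after fixing the secret setup.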