Important: We’re updating our AWS integration for better tag retrieval

Dear customer,

Customer satisfaction is our top priority and we’re evolving our systems to bring you the best experience on the market. In an effort to reduce the number of calls we make to AWS APIs, to reduce throttling errors, and to fetch your metrics even faster, we’re changing our systems to work in a more efficient way.

What is happening?

We are changing how we retrieve AWS tag information starting August 12th 2020.

Background

New Relic Infrastructure integrations have been designed to function with AWS ReadOnlyAccess policies. We’re working to reduce the number of requests to the AWS APIs to reduce throttling and improve our monitoring service.

As part of our strategy, we will start using the Resource Groups Tagging API (RTA) to retrieve AWS tags instead of using CloudWatch. This allows us to make fewer API calls. To do this, we need ReadOnlyAccess to the Resource Groups Tagging API.

Who is impacted?

Please bring this to the attention of the person responsible for the AWS IAM Role used for the New Relic integration.

Some of our customers with the AWS integration configured will need to update their AWS Policy used for the integration.

You can check your Policy to see if you have the correct permissions set. With some customers’ current policy configuration, New Relic can’t access the Resource Groups Tagging API, which is a crucial resource for the upcoming change.

What do you need to do?

Please make sure that the Policy in the Role used by the New Relic Infrastructure integration has the tag:GetResources permission by August 12th.

To find the relevant role you can navigate to Infrastructure -> AWS -> Manage Services:

Here you will see the ARN, which is a combination of the AWS account number and the role used for the integration.

To check for errors related to your role missing the tag:GetResources permission, go to Infrastructure -> AWS -> Account status dashboard:

In the Permission errors chart, if you see the message GetResources then you should check the role and ensure the permission is granted. Example (line 4, 5, 6):

If you have many AWS accounts and you would like to check which provider account is affected by this change, you can run the following query in Insights:

SELECT count(*) as 'Number of errors', max(timestamp) as 'Last seen' FROM IntegrationError WHERE error = 'ServiceAccessDenied' and method = 'GetResources'  FACET dataSourceName, providerAccountName SINCE 1 day ago

What happens if you don’t make the recommended changes?

If you don’t update your integration role for AWS to include this permission, you won’t be able to see tags for most of the AWS integrations starting from August 12th.

For further information

If you have any questions, please respond to this post or contact your New Relic account team.

Note: The change date has been revised from August 5th to August 12th.

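The tag:GetResources requirement under "What do you need to do?" can be checked offline against the policy documents attached to the integration role. The following Python is an added example, not New Relic or AWS code; the function names and sample policies are constructed for illustration, and it assumes the policy JSON has already been exported. It does not evaluate Resource or Condition elements, permission boundaries or SCPs.

```python
import re

REQUIRED_ACTION = "tag:GetResources"  # permission named in the notice

def _as_list(value):
    # IAM allows Statement/Action/NotAction to be one item or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def _covers(stmt, action):
    if "NotAction" in stmt:  # statement applies to everything except these
        return not _matches(_as_list(stmt["NotAction"]), action)
    return _matches(_as_list(stmt.get("Action")), action)

def check_policies(policies, action=REQUIRED_ACTION):
    """Return 'allow', 'deny' or 'missing' for `action` across policy documents.

    Simplified: 'deny' means an explicit Deny statement names this action
    and needs review; it is not a full IAM authorization decision.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "missing"

# Constructed sample policy documents (not taken from any real account).
METRICS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:Get*", "ec2:Describe*"], "Resource": "*"}]}
TAG_GRANT = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "tag:getresources", "Resource": "*"}}
TAG_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "tag:*", "Resource": "*"}]}
```

A result of "missing" for a role's combined policies corresponds to the case this notice asks you to fix before the change date.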