In most cases, the standard AWS Lambda monitoring instructions in our documentation and in the New Relic One setup wizard are enough to get Lambda monitoring running in New Relic One. In some cases, however, you will need to write your own setup script in much more detail, for example to include every specific AWS IAM role and policy permission. In that case, keep the following in mind:
NewRelicLambdaIntegrationRole is created by the script from the CloudFormation template nr-lambda-integration-role.yml. It is the role New Relic uses to fetch metric data from the Lambda integration, like any other AWS service integration.

NewRelicLogIngestionFunctionRole is a role automatically created by AWS when the function is installed from the Serverless Application Repository. This role has only one permission, lambda:InvokeFunction, granted to CloudWatch Logs so that it can invoke our log-ingestion-function. You can take a look at the source here:
This role cannot be created separately, because doing so conflicts with the Lambda installation; at the moment we do not have a way to avoid this. As for the user permissions required to execute the script, this is the list we found to work:
Resource: *
Actions:
  "cloudformation:CreateChangeSet",
  "cloudformation:CreateStack",
  "cloudformation:DescribeStacks",
  "iam:AttachRolePolicy",
  "iam:CreateRole",
  "iam:GetRole",
  "iam:PassRole",
  "lambda:AddPermission",
  "lambda:CreateFunction",
  "lambda:GetFunction",
  "logs:DeleteSubscriptionFilter",
  "logs:DescribeSubscriptionFilters",
  "logs:PutSubscriptionFilter",
  "s3:GetObject"

Resource: "arn:aws:serverlessrepo:us-east-1:463657938898:applications/NewRelic-log-ingestion"
Actions:
  "serverlessrepo:CreateCloudFormationTemplate",
  "serverlessrepo:GetCloudFormationTemplate"
s3:GetObject may look out of place, but according to the AWS documentation it is necessary:
If the required permissions cannot be granted to the user, the alternative is for someone with sufficient permissions to install the Lambda function manually through the AWS console. This process is explained in the New Relic documentation:
After the manual installation, one final step still requires permissions: configuring CloudWatch Logs to send logs to our function. That requires the following permissions:
Resource: *
Actions:
  "logs:DeleteSubscriptionFilter",
  "logs:DescribeSubscriptionFilters",
  "logs:PutSubscriptionFilter"
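Both permission lists above (the full set for running the setup script, and the smaller set for configuring the CloudWatch Logs subscription after a manual install) are easiest to get right when written as IAM policy documents and checked before anyone runs the script under that identity. The following is an added example, not New Relic's code: it writes both policies as Python dicts and includes a small checker that reports which required (action, resource) pairs a candidate policy does not allow. The checker models only the Allow/Action/Resource subset of the IAM policy language (no Deny, NotAction or Condition), the account id, log group, role and S3 object ARNs are constructed placeholders, and the "too narrow" policy is a constructed example of a plausible mistake, not something taken from the page.

```python
import copy
import fnmatch

# Added example, not New Relic's code. Only the Allow / Action / Resource subset
# of the IAM policy language is modelled (no Deny, NotAction, Condition).

NR_APP_ARN = ("arn:aws:serverlessrepo:us-east-1:463657938898:"
              "applications/NewRelic-log-ingestion")

# Policy 1: the permissions listed for running the setup script.
SETUP_SCRIPT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet", "cloudformation:CreateStack",
                "cloudformation:DescribeStacks", "iam:AttachRolePolicy",
                "iam:CreateRole", "iam:GetRole", "iam:PassRole",
                "lambda:AddPermission", "lambda:CreateFunction",
                "lambda:GetFunction", "logs:DeleteSubscriptionFilter",
                "logs:DescribeSubscriptionFilters", "logs:PutSubscriptionFilter",
                "s3:GetObject",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["serverlessrepo:CreateCloudFormationTemplate",
                       "serverlessrepo:GetCloudFormationTemplate"],
            "Resource": NR_APP_ARN,
        },
    ],
}

# Policy 2: the smaller set needed after a manual install, to point CloudWatch
# Logs subscription filters at the log-ingestion function.
SUBSCRIPTION_FILTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DeleteSubscriptionFilter",
                   "logs:DescribeSubscriptionFilters",
                   "logs:PutSubscriptionFilter"],
        "Resource": "*",
    }],
}

# Constructed mistake: the odd-looking s3:GetObject was dropped and the
# serverlessrepo ARN was scoped to the author's own region, although the
# application ARN on the page is in us-east-1.
TOO_NARROW_POLICY = copy.deepcopy(SETUP_SCRIPT_POLICY)
TOO_NARROW_POLICY["Statement"][0]["Action"].remove("s3:GetObject")
TOO_NARROW_POLICY["Statement"][1]["Resource"] = NR_APP_ARN.replace("us-east-1", "eu-west-1")

# Constructed sample resources (account id and names are placeholders).
SAMPLE_LOG_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-app:*"
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/NewRelicLambdaIntegrationRole"
SAMPLE_S3_OBJECT = "arn:aws:s3:::example-sar-bucket/template.yml"

REQUIRED_FOR_FILTERS = [(a, SAMPLE_LOG_GROUP) for a in (
    "logs:DescribeSubscriptionFilters",
    "logs:PutSubscriptionFilter",
    "logs:DeleteSubscriptionFilter")]

REQUIRED_FOR_SCRIPT = REQUIRED_FOR_FILTERS + [
    ("serverlessrepo:GetCloudFormationTemplate", NR_APP_ARN),
    ("serverlessrepo:CreateCloudFormationTemplate", NR_APP_ARN),
    ("s3:GetObject", SAMPLE_S3_OBJECT),
    ("iam:PassRole", SAMPLE_ROLE),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # IAM uses '*' and '?' wildcards; action names are case-insensitive, ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """True if any Allow statement matches both the action and the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
                and any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False


def missing_permissions(policy, required):
    """Return the (action, resource) pairs in `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not allows(policy, a, r)]


if __name__ == "__main__":
    for name, policy, required in [
        ("setup script", SETUP_SCRIPT_POLICY, REQUIRED_FOR_SCRIPT),
        ("too narrow", TOO_NARROW_POLICY, REQUIRED_FOR_SCRIPT),
        ("post-manual-install", SUBSCRIPTION_FILTER_POLICY, REQUIRED_FOR_FILTERS),
    ]:
        gaps = missing_permissions(policy, required)
        print(f"{name}: {'ok' if not gaps else gaps}")
```

Running the script prints "ok" for the two policies taken from the lists above and, for the narrowed policy, the three missing pairs (s3:GetObject and both serverlessrepo actions, because the application ARN is region-specific). The same check can be pointed at any policy document exported from the account, which is a quicker first pass than discovering a missing permission halfway through a CloudFormation deployment.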