
Relic Solution: Configuring Custom AWS IAM Permissions for Lambda Monitoring

iam
integration
script
cloudformation
aws-lambda
new-relic-one
serverless
cloudwatch

#1

In most cases, the standard AWS Lambda monitoring instructions provided in our documentation and in the setup wizard in New Relic One will suffice to get you up and running with Lambda monitoring in New Relic One. However, there are cases in which you will need to craft your own setup script in much more detail, including, for example, all of the specific AWS IAM role and policy permissions. In such a case, you should take the following considerations into account:


The role NewRelicLambdaIntegrationRole, created by the script with the CloudFormation template nr-lambda-integration-role.yml, is the role New Relic uses to get metric data from the Lambda integration, like any other AWS service integration.

The role NewRelicLogIngestionFunctionRole is a role automatically created by AWS when the function is installed from the Serverless Application Repository. This role has only one permission, lambda:InvokeFunction, granted to CloudWatch Logs so that it can invoke our log-ingestion-function. You can take a look at the source here:

This role cannot be created separately, because it would conflict with the Lambda installation. At this exact moment we do not have a way to avoid this. Regarding the user permissions required to execute the script, this is the list we have found that worked for us:

Resource: *
Actions:
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:GetRole",
"iam:PassRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:GetFunction",
"logs:DeleteSubscriptionFilter",
"logs:DescribeSubscriptionFilters",
"logs:PutSubscriptionFilter",
"s3:GetObject"

Resource: "arn:aws:serverlessrepo:us-east-1:463657938898:applications/NewRelic-log-ingestion"
Actions:
"serverlessrepo:CreateCloudFormationTemplate",
"serverlessrepo:GetCloudFormationTemplate"

The permission s3:GetObject looks a bit strange, but according to the AWS documentation it is necessary:

If the required permissions cannot be assigned to the user, the other option is for someone with enough permissions to install the Lambda manually through the AWS portal. This process is explained in the New Relic documentation:

After installing the Lambda manually, there is still one final step that requires permissions: configuring the CloudWatch logs to be sent to our function. That requires the following permissions:

Resource: *
Actions:
"logs:DeleteSubscriptionFilter",
"logs:DescribeSubscriptionFilters",
"logs:PutSubscriptionFilter"
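As an added example (not part of this post or of New Relic's own tooling), here are the two permission sets above assembled into IAM policy documents, with a small offline evaluator to confirm that the script policy grants the serverlessrepo actions only on the New Relic application ARN and that the subscription-only policy grants nothing beyond the three logs actions. The action lists and the application ARN come from the post; the helper names and the evaluator are my own.

```python
# Added example: IAM policy documents for the two permission sets in this post,
# plus a minimal offline evaluator. Action/resource values are from the post;
# function names and the evaluator logic are assumptions of this example.
import fnmatch
import json

NR_LOG_INGESTION_APP = ("arn:aws:serverlessrepo:us-east-1:463657938898:"
                        "applications/NewRelic-log-ingestion")

SCRIPT_ACTIONS = [
    "cloudformation:CreateChangeSet", "cloudformation:CreateStack",
    "cloudformation:DescribeStacks", "iam:AttachRolePolicy", "iam:CreateRole",
    "iam:GetRole", "iam:PassRole", "lambda:AddPermission",
    "lambda:CreateFunction", "lambda:GetFunction",
    "logs:DeleteSubscriptionFilter", "logs:DescribeSubscriptionFilters",
    "logs:PutSubscriptionFilter", "s3:GetObject",
]
SUBSCRIPTION_ACTIONS = [
    "logs:DeleteSubscriptionFilter", "logs:DescribeSubscriptionFilters",
    "logs:PutSubscriptionFilter",
]

def setup_script_policy():
    """Policy for the user that runs the setup script: broad actions on '*',
    serverlessrepo actions scoped to the New Relic application only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": SCRIPT_ACTIONS, "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["serverlessrepo:CreateCloudFormationTemplate",
                    "serverlessrepo:GetCloudFormationTemplate"],
         "Resource": NR_LOG_INGESTION_APP},
    ]}

def subscription_only_policy():
    """Policy for the final step after a manual install: wiring CloudWatch
    Logs to the ingestion function needs only the subscription-filter actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": SUBSCRIPTION_ACTIONS, "Resource": "*"}]}

def is_allowed(policy, action, resource):
    """Allow-only check: True if any statement matches both action and resource.
    Actions match case-insensitively with '*' wildcards, as in IAM; Deny
    statements, Conditions and policy variables are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in res)):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(setup_script_policy(), indent=2))
```

The evaluator is only for reasoning about these two documents locally; use the IAM policy simulator against the real account before relying on the result.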