Why aren't Admin API keys available for users on the New Relic One user model?

New accounts created after July 30th 2020 are on the New Relic One user model. One limitation for these accounts is an inability to create and use an Admin API key:

No access to the Admin API key, which is one of the ways to use our REST API. The REST API limitations are listed below, but note that most of these tasks can be accomplished via the UI

This seems shortsighted and fairly anti-developer. I’m completely unable to use the New Relic Terraform provider because it relies on an Admin API key.

Is there any workaround for single user accounts on the new PAYG plan to be able to benefit from configuration as code tools like Terraform?

4 Likes

Great question. It comes down to us working toward simplification of the APIs and authentication for them.

All net-new API features are going into NerdGraph, our GraphQL API system, which uses Personal API Keys for authentication. Additionally, we are rapidly migrating existing REST API functionality as well. While this does have a migration period which is unfortunate, the simplification and added abilities (like one API key to perform cross-account actions) will drastically improve the developer experience in the near future.

Starting with the 2.x versions of the New Relic provider for Terraform, we require Personal API keys and only rely on the Admin API key for certain resources that have yet to be migrated (Specifically Dashboards and Synthetics as of this writing). A full breakdown of terraform resources and the authentication requirements can be found here.

Thanks @jthurman for the clarification! That’s essentially what I had gathered over the weekend digging into the code for the provider. It’s still pretty unfortunate that the changes to restrict access to Admin API keys occurred prior to the full migration away from needing them in the Terraform provider.

In my experience “yet to be migrated” is code for “not on the short-term roadmap/maybe we’ll do it eventually”. Is there an active issue or timeline for getting the remaining resources migrated?

I don’t see anything specific to the Admin API key retirement currently tracked on the 2.x project or in the open issues. Having this explicitly called out and tracked would go a long ways towards signaling that there is a plan/priority towards supporting all resources for users on the new model.

I’ll also add that while I understand there’s an impetus within New Relic right now to move to the new GraphQL based API I really don’t understand why a decision was green-lit to remove access to legacy Admin API endpoints for new users.

This is the equivalent of sinking the ship before the new one is seaworthy. It’s also hostile to the developer community since it’s now impossible for developers to contribute and help improve New Relic OSS projects that rely on Admin API keys.

See for example that building the Terraform provider and running acceptance tests fails catastrophically without a valid Admin API key:

=== FAIL: newrelic TestAccNewRelicApplicationSettings_Basic (7.42s)
    resource_newrelic_application_settings_test.go:119: [WARN] NEW_RELIC_ADMIN_API_KEY has not been set for acceptance tests
    testing.go:684: Step 0 error: errors during apply:

        Error: 401 response returned: User does not have permission.

So circling back and re-framing my question, is there any workaround/process to grant an Admin API key to developers/users on the new PAYG New Relic One user model to allow them to use and contribute improvements to New Relic OSS projects that still largely depend on the Admin API endpoints?

2 Likes

Hi @joepurdy, we are working internally to remediate the situation. Moving resources into Nerdgraph is part of a larger initiative and will take some time but we have our eyes on a stop gap solution to this problem which will likely do away with the requirement for an Admin API key.

3 Likes

Sounds great @ctrombley28! Any estimate on when that stop gap will be ready? Next week? Next month? Later?

And how will that be broadcast? As it stands I’m basically putting much of the discovery work I had in mind with regard to configuring New Relic with Terraform on hold since I’m completely blocked (much of what I’m doing involves synthetics and dashboards). I’d really appreciate some kind of notice/heads-up when there’s a stop gap or solution in place that unblocks this.

1 Like

Hey @joepurdy - I definitely understand the frustration of not have a date to rely on here. As I am sure you an imagine, it’s difficult to commit to a date as we seek out the solution here.

We do attempt to update threads when solutions are put in place, so keep an eye out here, and feel free to check back in if you do not hear from us for some reason.

1 Like

I’m also very disappointed to find this is the case. I’ve been working on a set of CloudFormation custom resources to get some automation around our dashboards and alerts, and was hoping to do this on my own account without using my company account.

I’m also not thrilled at the idea that these operations will be moved from one type of individual user key to another. I’d be much happier with a system key for this kind of automated process. Having to rebuild all of our alerts and dashboards when the API user leaves the company isn’t a great prospect.

3 Likes

Appreciate your input here @andy3 - completely understand your frustration. We’ll get all of this passed over to the right folks.

1 Like

Have there been any updates on this issue, as last I checked terraform still requires both the API keys in it’s config.

3 Likes

No update yet @sajjal22 - We definitely understand your frustration and I know our teams are talking about this.

Any update on this issue?

1 Like

Hey @rolmos, @andy3, @sajjal22, and @joepurdy! :wave:

I’m happy to jump in here with an update.

The New Relic provider for Terraform now only requires your New Relic Personal API key. This key is available for all users, including those on the New Relic One user model.

You can access your Personal API key by navigating to Account Settings in the upper right menu dropdown, and then click API Keys on the left sidebar.

Feel free to send over any other questions you have!

3 Likes

That’s good news. I’m still having issues with Terraform though, 2.13.5 and a fresh “User API Key” (starts with NRAK).

Error: 401 response returned: Bad API Key or no API Key provided
on main.tf line 29, in resource “newrelic_alert_policy” “disk_usage”:
29: resource “newrelic_alert_policy” “disk_usage” {

Error: 401 response returned: No API key specified
on main.tf line 75, in resource “newrelic_alert_channel” “alert_notification_email”:
75: resource “newrelic_alert_channel” “alert_notification_email” {

I’m guessing NR One accounts still have to wait for newrelic_alert_channel resource to be migrated from REST to NerdGraph?

Hey @rolmos - I’m reaching out to Engineering right now to see what I can find out about this error. I’ll be in touch just as soon as I know more. :+1:

2 Likes

Hi again @rolmos! :wave: Engineering says since you’re running the latest version of the provider, it should be working fine with your User API key. Since it’s not, they’re thinking there’s likely an issue somewhere in your configuration.

That said, would you mind posting some snippets of your config in the Developer Toolkit section of the community? (Obviously leave out any sensitive parts.) Here’s a link to that section. Once you’ve posted there, I’ll ask Engineering to take a look!

Thanks, and happy Friday! :blush:

2 Likes

Hi @rolmos,

Can you share your provider configuration (sensitive data redacted)? Those resources support using your Personal API Key (NRAK-***). It would also be helpful to see what’s on main.tf line 29 and main.tf line 75 (sensitive details redacted).

Your configuration should look like something similar the following:

provider "newrelic" {
  account_id = "<your account ID>"
  api_key = "NRAK-***"
  region = "US"
}

Or if you’re using environment variables:

export NEW_RELIC_ACCOUNT_ID="<your account ID>"
export NEW_RELIC_API_KEY="NRAK-***"
export NEW_RELIC_REGION="US" 

Hope this helps :slight_smile:

2 Likes

Sorry for the noise, it was user error and the example config from the Terraform docs is working fine after updating the API key in the config.

Thanks for the help and Terraform working with NR One accounts!

4 Likes

@rolmos Thanks for letting us know and I’m glad to hear you got it all worked out now! If you run into any other issues though, don’t hesitate to reach out :slightly_smiling_face:

1 Like