
Set up AWS credentials

Configure AWS authentication for New Relic workflow automation. Choose between IAM roles, IAM users, or session tokens to securely connect workflows with AWS services like EC2, SQS, and DynamoDB.

Prerequisites

Before setting up AWS credentials, ensure you have:

Required permissions

Before creating credentials, understand what permissions your workflows need. Grant only the permissions your workflows actually use—this follows the principle of least privilege and minimizes security risk.

Common workflow permissions

| Workflow type | Required AWS permissions | Description |
|---|---|---|
| EC2 management | ec2:DescribeInstances, ec2:StopInstances, ec2:StartInstances, ec2:ModifyInstanceAttribute | Stop, start, or modify EC2 instances in response to alerts |
| SQS messaging | sqs:SendMessage, sqs:GetQueueAttributes | Send messages to SQS queues for downstream processing |
| DynamoDB | dynamodb:Query, dynamodb:GetItem, dynamodb:PutItem | Read from or write to DynamoDB tables |

Tip

Start with read-only permissions (Describe*, Get*, List*), then add write permissions (Put*, Create*, Delete*) only as needed. This prevents accidental destructive actions during testing.

See AWS policy examples for complete IAM policy templates for these workflow types.
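
The following is an added example, not New Relic's code or one of its policy templates: a small Python check that compares an IAM policy document with the per-workflow actions in the table above and reports wildcards, actions the workflow does not need, and required actions that are missing. The sample policy, the workflow keys (`ec2`, `sqs`, `dynamodb`) and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Actions per workflow type, copied from the table on this page.
REQUIRED = {
    "ec2": ["ec2:DescribeInstances", "ec2:StopInstances",
            "ec2:StartInstances", "ec2:ModifyInstanceAttribute"],
    "sqs": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
    "dynamodb": ["dynamodb:Query", "dynamodb:GetItem", "dynamodb:PutItem"],
}

# Constructed sample policy (not from the page) with typical over-grants.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances", "s3:Get*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:StartInstances", "Resource": "*"},
    ],
}


def as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, workflow):
    """Return sorted (finding, action) tuples for the policy's Allow statements."""
    needed = {name.lower(): name for name in REQUIRED[workflow]}
    findings, covered = set(), set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not evaluated by this check
        if "NotAction" in stmt:
            findings.add(("not-action", "Allow with NotAction"))
            continue
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()  # IAM action names are case-insensitive
            hits = {name for name in needed if fnmatchcase(name, pattern)}
            covered |= hits
            if "*" in pattern or "?" in pattern:
                findings.add(("wildcard", action))
            elif not hits:
                findings.add(("not-needed", action))
    findings |= {("missing", needed[k]) for k in needed.keys() - covered}
    return sorted(findings)
```

An empty result means the policy allows exactly the actions listed for that workflow type, with no wildcards.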

Choose your authentication method

IAM role (recommended)

  Use cases:
  • Production workflows, all AWS services

  Characteristics:
  • Credentials rotate automatically
  • Access is time-limited by design
  • All actions are logged in AWS CloudTrail
  • Aligns with AWS security best practices

IAM user with access keys

  Use cases:
  • Testing and development environments
  • AWS configurations that don't support cross-account role assumption
  • Simplified authentication workflows

  Characteristics:
  • Access keys are long-lived credentials
  • Rotate them regularly (every 90 days)
  • Limit permissions to only what your workflows need

Session tokens

  Use cases:
  • Local development and testing
  • CI/CD pipelines requiring credential rotation
  • Environments with compliance requirements for time-limited access (typically 1-12 hours)

  Characteristics:
  • Temporary credentials with automatic expiration
  • Session tokens expire (typically after 1 hour)
  • Set a reminder to refresh them before expiration

Using credentials in workflows

After setting up authentication, reference your credentials in workflow configurations:

Paste the role ARN directly into workflow inputs—no secrets manager needed:

awsRoleArn: arn:aws:iam::123456789012:role/NewRelicWorkflowAutomationRole

Important

Role ARNs are resource identifiers, not sensitive credentials. Don't store them in secrets manager—paste them directly into workflow configurations.

IAM user or session tokens

Reference secrets manager for access keys:

awsAccessKeyId: ${{ :secrets:awsAccessKeyId }}
awsSecretAccessKey: ${{ :secrets:awsSecretAccessKey }}
awsSessionToken: ${{ :secrets:awsSessionToken }} # Only for session tokens

New Relic retrieves secrets at runtime, authenticates with AWS, then discards them. Your credentials never appear in logs or workflow history.

  • IAM role setup: Configure IAM role for production workflows (recommended)
  • IAM user setup: Set up IAM user with access keys for testing
  • Session tokens setup: Generate temporary session tokens for local development
  • AWS policy examples: Complete IAM policies for EC2, SQS, DynamoDB, and more
  • AWS actions: Browse EC2, Lambda, S3, SQS, and other AWS actions
  • EC2 management example: See AWS credentials in action with EC2 workflows

Copyright © 2026 New Relic Inc.