Vault Metrics
You can monitor the usage of your Vault service master encryption keys and secrets by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.
This topic describes the metrics emitted by the Vault service in the oci_kms_keys and oci_secrets namespaces.
Resources: master encryption keys and secrets.
Overview of the Vault Service Metrics
Vault service metrics help you measure the success and error count of cryptographic operations on keys and the success and error count of HTTP responses to get, create, and update (getSecretBundle, listSecretBundleVersions, createSecret, and updateSecret) operations during the selected time range. You can use metrics data to diagnose and troubleshoot problems with keys and secrets.
To view a default set of metrics charts in the Console, navigate to the key or secret that you're interested in, and then click Metrics. You also can use the Monitoring service to create custom queries.
Prerequisites
IAM policies: To monitor resources, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service: Monitoring or Notifications.
Available Metrics: oci_kms_keys
The metrics listed in the following table are automatically available for any master encryption keys that you create. You do not need to enable monitoring on the resource to get these metrics.
Vault service metrics for keys include the following dimensions:
- RESOURCEDISPLAYNAME: The friendly name of the resource to which the metrics apply.
- RESOURCEID: The OCID of the resource to which the metrics apply.
- RESPONSECODE: The HTTP response code to the cryptographic operation to which the metrics apply.
Metric | Metric Display Name | Unit | Description | Dimensions |
---|---|---|---|---|
EncryptResponseCount | Encrypt Response Count | count | HTTP responses received by the service for Encrypt calls. | resourceDisplayName |
DecryptResponseCount | Decrypt Response Count | count | HTTP responses received by the service for Decrypt calls. | |
GenerateDataEncryptionKeyResponseCount | GenerateDataEncryptionKey Response Count | count | HTTP responses received by the service for GenerateDataEncryptionKey calls. | |
Available Metrics: oci_secrets
The metrics listed in the following table are automatically available for any secrets that you create. You do not need to enable monitoring on the resource to get these metrics.
Vault service metrics for secrets include the following dimensions:
- DISPLAYNAME: The friendly name of the resource to which the metrics apply.
- RESOURCEID: The OCID of the resource to which the metrics apply.
- RESPONSECODE: The HTTP response code to the operation to which the metrics apply.
Metric | Metric Display Name | Unit | Description | Dimensions |
---|---|---|---|---|
GetSecretBundle | GetSecretBundle | count | HTTP responses received by the service for GetSecretBundle calls during the selected time range. | displayName |
ListSecretBundleVersions | ListSecretBundleVersions | count | HTTP responses received by the service for ListSecretBundleVersions calls during the selected time range. | |
CreateSecret | CreateSecret | count | HTTP responses received by the service for CreateSecret calls during the selected time range. | |
UpdateSecret | UpdateSecret | count | HTTP responses received by the service for UpdateSecret calls during the selected time range. | |
Using the Console
- Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
- Click a vault to view the resources it contains.
- Click a key name to view its details.
- Under Resources, click Metrics.
For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.
- Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Service Metrics.
- For Compartment, select the compartment that contains the master encryption keys that you're interested in.
- For Metric Namespace, select oci_kms_keys.
  The Service Metrics page dynamically updates to show charts for each metric that is emitted by the selected metric namespace.
  If there are multiple master encryption keys in the compartment, the charts default to showing a separate line for each master encryption key. You can instead show a single line aggregated across all master encryption keys in the compartment by selecting the Aggregate Metric Streams check box.
For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.
- Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
- Click a vault to view the resources it contains.
- Click Secrets.
- Click a secret name to view its details.
- Under Resources, click Metrics.
For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.
- Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Service Metrics.
- For Compartment, select the compartment that contains the secrets that you're interested in.
- For Metric Namespace, select oci_secrets.
  The Service Metrics page dynamically updates to show charts for each metric that is emitted by the selected metric namespace.
  If there are multiple secrets in the compartment, the charts default to showing a separate line for each secret. You can instead show a single line aggregated across all secrets in the compartment by selecting the Aggregate Metric Streams check box.
For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use the following APIs for monitoring:
- Monitoring API for metrics and alarms
- Notifications API for notifications (used with alarms)
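The following added example (not Oracle code) shows how the responseCode dimension can be used to flag keys or secrets with an elevated share of non-2xx responses. It assumes that Monitoring query results have already been flattened into dictionaries with one stream per metric, resource, and response code, that dimension keys are camelCase as in the Dimensions column above, and that the sample streams and OCIDs are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: one stream per (metric, resourceId, responseCode), with
# per-interval counts. OCIDs and names are placeholders, not real resources.
SAMPLE_STREAMS = [
    {"name": "DecryptResponseCount", "datapoints": [120, 118, 131],
     "dimensions": {"resourceId": "ocid1.key.oc1..exampleA",
                    "resourceDisplayName": "app-key", "responseCode": "200"}},
    {"name": "DecryptResponseCount", "datapoints": [2, 0, 1],
     "dimensions": {"resourceId": "ocid1.key.oc1..exampleA",
                    "resourceDisplayName": "app-key", "responseCode": "500"}},
    {"name": "DecryptResponseCount", "datapoints": [10, 9, 11],
     "dimensions": {"resourceId": "ocid1.key.oc1..exampleB",
                    "resourceDisplayName": "batch-key", "responseCode": "200"}},
    {"name": "DecryptResponseCount", "datapoints": [0, 14, 26],
     "dimensions": {"resourceId": "ocid1.key.oc1..exampleB",
                    "resourceDisplayName": "batch-key", "responseCode": "404"}},
    {"name": "GetSecretBundle", "datapoints": [0, 1, 0],
     "dimensions": {"resourceId": "ocid1.vaultsecret.oc1..exampleC",
                    "displayName": "db-password", "responseCode": "401"}},
]

def error_findings(streams, min_calls=20, max_error_ratio=0.05):
    """Return resources whose non-2xx share of responses exceeds the threshold."""
    totals = defaultdict(lambda: {"calls": 0, "4xx": 0, "5xx": 0, "other": 0})
    for stream in streams:
        dims = stream["dimensions"]
        count = sum(stream["datapoints"])
        code = str(dims.get("responseCode", ""))
        entry = totals[(stream["name"], dims["resourceId"])]
        entry["calls"] += count
        if not code.startswith("2"):
            # Missing or unexpected codes land in "other" and count as errors.
            entry[{"4": "4xx", "5": "5xx"}.get(code[:1], "other")] += count
    findings = []
    for (metric, resource_id), e in totals.items():
        errors = e["4xx"] + e["5xx"] + e["other"]
        # Skip low-volume resources so a single failed call does not alert.
        if e["calls"] < max(min_calls, 1) or errors / e["calls"] <= max_error_ratio:
            continue
        findings.append({"metric": metric, "resourceId": resource_id,
                         "calls": e["calls"], "errors": errors,
                         "error_ratio": round(errors / e["calls"], 3),
                         "client_errors": e["4xx"], "server_errors": e["5xx"]})
    return sorted(findings, key=lambda f: f["error_ratio"], reverse=True)

if __name__ == "__main__":
    for finding in error_findings(SAMPLE_STREAMS):
        print(finding)
```

Separating client errors (4xx) from server errors (5xx) helps distinguish permission or request problems on a specific key or secret from service-side failures.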