Oracle Cloud Infrastructure Documentation

Vault Metrics

You can monitor the usage of your Vault service master encryption keys and secrets by using metrics , alarms , and notifications. For more information, see Monitoring Overview and Notifications Overview.

This topic describes the metrics emitted by the Vault service in the oci_kms_keys and oci_secrets namespace.

Resources: master encryption keys and secrets.

Overview of the Vault Service Metrics

Vault service metrics help you measure the success and error count of cryptographic operations on keys and the success and error count of HTTP responses to get, create, and update (getSecretBundle, listSecretBundleVersions, createSecret, and updateSecret) operations during the selected time range. You can use metrics data to diagnose and troubleshoot problems with keys and secrets.

To view a default set of metrics charts in the Console, navigate to the key or secret that you're interested in, and then click Metrics. You also can use the Monitoring service to create custom queries.

Prerequisites

IAM policies: To monitor resources, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service: Monitoring or Notifications.

Available Metrics: oci_kms_keys

The metrics listed in the following table are automatically available for any master encryption keys that you create. You do not need to enable monitoring on the resource to get these metrics.

Vault service metrics for keys include the following dimensions :
RESOURCEDISPLAYNAME
The friendly name of the resource to which the metrics apply.
RESOURCEID
The OCID  of the resource to which the metrics apply.
RESPONSECODE
The HTTP response code to the cryptographic operation to which the metrics apply.
Metric Metric Display Name Unit Description Dimensions
EncryptResponseCount Encrypt Response Count

count

HTTP responses received by the service for Encrypt calls.

 resourceDisplayName

resourceId

responseCode

DecryptResponseCount Decrypt Response Count

count

HTTP responses received by the service for Decrypt calls.
GenerateDataEncryptionKeyResponseCount GenerateDataEncryptionKey Response Count

count

HTTP responses received by the service for GenerateDataEncryptionKey calls.

Available Metrics: oci_secrets

The metrics listed in the following table are automatically available for any secrets that you create. You do not need to enable monitoring on the resource to get these metrics.

Vault service metrics for secrets include the following dimensions :
DISPLAYNAME
The friendly name of the resource to which the metrics apply.
RESOURCEID
The OCID  of the resource to which the metrics apply.
RESPONSECODE
The HTTP response code to the operation to which the metrics apply.
Metric Metric Display Name Unit Description Dimensions
GetSecretBundle GetSecretBundle

count

HTTP responses received by the service for GetSecretBundle calls during the selected time range.

 displayName

resourceId

responseCode

ListSecretBundleVersions ListSecretBundleVersions

count

HTTP responses received by the service for ListSecretBundleVersions calls during the selected time range.
CreateSecret CreateSecret

count

HTTP responses received by the service for CreateSecret calls during the selected time range.
UpdateSecret UpdateSecret

count

HTTP responses received by the service for UpdateSecret calls during the selected time range.

Using the Console

To view default metric charts for a single master encryption key
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Click a vault to view the resources it contains.
  3. Click a key name to view its details.
  4. Under Resources, click Metrics.

For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.

To view default metric charts for multiple master encryption keys
  1. Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Service Metrics.
  2. For Compartment, select the compartment that contains the master encryption keys that you're interested in.

  3. For Metric Namespace, select oci_kms_keys.

    The Service Metrics page dynamically updates the page to show charts for each metric that is emitted by the selected metric namespace.

Tip

If there are multiple master encryption keys in the compartment, the charts default to show a separate line for each master encryption key. You can instead show a single line aggregated across all master encryption keys in the compartment by selecting the Aggregate Metric Streams check box.

For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.

To view default metric charts for a single secret
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Click a vault to view the resources it contains.
  3. Click Secrets.
  4. Click a secret name to view its details.
  5. Under Resources, click Metrics.

For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.

To view default metric charts for multiple secrets
  1. Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Service Metrics.
  2. For Compartment, select the compartment that contains the secrets that you're interested in.

  3. For Metric Namespace, select oci_secrets.

    The Service Metrics page dynamically updates the page to show charts for each metric that is emitted by the selected metric namespace.

Tip

If there are multiple secrets in the compartment, the charts default to show a separate line for each secret. You can instead show a single line aggregated across all secrets in the compartment by selecting the Aggregate Metric Streams check box.

For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.