Monitoring Vault Resources
Monitor vault management resources using metrics, alarms, and notifications.
For more information, see Monitoring and Notifications.
Overview of the Vault Metrics
Vault service metrics help you measure the success and error count of cryptographic operations on keys and the success and error count of HTTP responses to get, create, and update (getSecretBundle, listSecretBundleVersions, createSecret, and updateSecret) operations during the selected time range. You can use metrics data to diagnose and troubleshoot problems with keys and secrets.
To view a default set of metrics charts in the Console, navigate to the key or secret that you're interested in, and then click Metrics. You also can use the Monitoring service to create custom queries.
Prerequisites
IAM policies: To monitor resources, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in. For more information about user authorizations for monitoring, see IAM Policies (Monitoring).
Available Metrics: oci_kms_keys
The metrics listed in the following table are automatically available for any master encryption keys that you create. You do not need to enable monitoring on the resource to get these metrics.
Vault service metrics for keys include the following dimensions :- RESOURCEDISPLAYNAME
- The friendly name of the resource to which the metrics apply.
- RESOURCEID
- The OCID of the resource to which the metrics apply.
- RESPONSECODE
- The HTTP response code to the cryptographic operation to which the metrics apply.
| Metric | Metric Display Name | Unit | Description | Dimensions |
|---|---|---|---|---|
EncryptResponseCount
|
Encrypt Response Count |
count |
HTTP responses received by the service for Encrypt calls. |
resourceDisplayName
|
DecryptResponseCount
|
Decrypt Response Count |
count |
HTTP responses received by the service for Decrypt calls. |
|
GenerateDataEncryptionKeyResponseCount
|
GenerateDataEncryptionKey Response Count |
count |
HTTP responses received by the service for GenerateDataEncryptionKey calls. |
Available Metrics: oci_secrets
The metrics listed in the following table are automatically available for any secrets that you create. You do not need to enable monitoring on the resource to get these metrics.
Vault service metrics for secrets include the following dimensions :- DISPLAYNAME
- The friendly name of the resource to which the metrics apply.
- RESOURCEID
- The OCID of the resource to which the metrics apply.
- RESPONSECODE
- The HTTP response code to the operation to which the metrics apply.
| Metric | Metric Display Name | Unit | Description | Dimensions |
|---|---|---|---|---|
GetSecretBundle
|
GetSecretBundle |
count |
HTTP responses received by the service for GetSecretBundle calls during the selected time range. |
displayName
|
ListSecretBundleVersions
|
ListSecretBundleVersions |
count |
HTTP responses received by the service for ListSecretBundleVersions calls during the selected time range. |
|
CreateSecret
|
CreateSecret |
count |
HTTP responses received by the service for CreateSecret calls during the selected time range. |
|
UpdateSecret
|
UpdateSecret |
count |
HTTP responses received by the service for UpdateSecret calls during the selected time range. |
View Vault Resource Metrics Using the Console
Use the Console to view vault metric charts for master encryption keys and secrets.
-
- Click a vault to view the resources it contains.
- Click a key name to view its details.
- Under Resources, click Metrics.
For more information about monitoring metrics and using alarms, see Monitoring. For information about notifications for alarms, see Notifications.
- Open the navigation menu and click Observability & Management. Under Monitoring, click Service Metrics.
- For Compartment, select the compartment that contains the master encryption keys that you're interested in.
-
For Metric namespace, select oci_kms_keys.
The Service Metrics page dynamically updates the page to show charts for each metric that is emitted by the selected metric namespace.
If there are multiple master encryption keys in the compartment, the charts default to show a separate line for each master encryption key. You can instead show a single line aggregated across all master encryption keys in the compartment by selecting the Aggregate Metric Streams check box.
For more information about monitoring metrics and using alarms, see Monitoring. For information about notifications for alarms, see Notifications.
-
- Click a vault to view the resources it contains.
- Click Secrets.
- Click a secret name to view its details.
- Under Resources, click Metrics.
For more information about monitoring metrics and using alarms, see Monitoring. For information about notifications for alarms, see Notifications.
- Open the navigation menu and click Observability & Management. Under Monitoring, click Service Metrics.
- For Compartment, select the compartment that contains the secrets that you're interested in.
-
For Metric namespace, select oci_secrets.
The Service Metrics page dynamically updates the page to show charts for each metric that is emitted by the selected metric namespace.
If there are multiple secrets in the compartment, the charts default to show a separate line for each secret. You can instead show a single line aggregated across all secrets in the compartment by selecting the Aggregate Metric Streams check box.
For more information about monitoring metrics and using alarms, see Monitoring. For information about notifications for alarms, see Notifications.
Monitoring Vault Metrics Using the API
Use the API operations for monitoring vault metrics.
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use the following APIs for monitoring:
- Monitoring API for metrics and alarms
- Notifications API for notifications (used with alarms)