
Vault integration for Grafana Cloud

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. This integration allows you to monitor metrics from Vault.

Pre-install configuration for the Vault integration

This integration monitors a HashiCorp Vault deployment using the built-in Prometheus metrics collector, which ships natively with Vault.

To enable and properly set up Prometheus metrics in your Vault, refer to the official HashiCorp guide.

To do so, add the following snippet to your node configuration file.

telemetry {
  disable_hostname = true
  prometheus_retention_time = "12h"
}

The metrics endpoint is protected, so you must also issue an auth token that Prometheus uses to scrape it. This is also described in the HashiCorp guide referred to above.
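One way to issue that token with least privilege, as an added example that is not part of the original page or the HashiCorp guide. The policy name `prometheus-metrics` and the helper function names are assumptions; the token path matches `credentials_file` in the agent snippet on this page.

```shell
#!/bin/sh
# Added example. Assumptions: policy name "prometheus-metrics"; token path
# taken from credentials_file in this page's agent snippet.
POLICY_NAME="prometheus-metrics"
TOKEN_FILE="${TOKEN_FILE:-/etc/prometheus/prometheus-token}"

# Policy that grants read on the metrics endpoint and nothing else.
metrics_policy() {
  cat <<'EOF'
path "sys/metrics" {
  capabilities = ["read"]
}
EOF
}

# Read a token on stdin and install it at $1 with mode 0600.
# Refuses empty input, so a failed `vault token create` cannot
# replace a working token file with an empty one.
store_token() {
  _dest="$1"
  _tmp="$(mktemp "${_dest}.XXXXXX")" || return 1   # mktemp creates 0600
  cat > "$_tmp"
  if [ ! -s "$_tmp" ]; then
    rm -f "$_tmp"
    echo "no token received; $_dest left unchanged" >&2
    return 1
  fi
  chmod 600 "$_tmp" && mv -f "$_tmp" "$_dest"
}

# Needs VAULT_ADDR and a token allowed to write policies and create tokens.
issue_scrape_token() {
  metrics_policy | vault policy write "$POLICY_NAME" - || return 1
  # -no-default-policy: attach only the metrics policy to the token.
  vault token create -field=token -no-default-policy \
    -policy="$POLICY_NAME" | store_token "$TOKEN_FILE"
}

# Usage: sh issue-token.sh issue   (does nothing without the argument)
if [ "${1:-}" = "issue" ]; then
  issue_scrape_token
fi
```

The token file must be readable by the user Grafana Agent runs as, and the token expires at its TTL, so re-issue it before then.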

Install Vault integration for Grafana Cloud

  1. In your Grafana Cloud instance, click Integrations and Connections (lightning bolt icon).
  2. Navigate to the Vault tile and review the prerequisites. Then click Install integration.
  3. Once the integration is installed, follow the steps on the Configuration Details page to set up Grafana Agent and start sending Vault metrics to your Grafana Cloud instance.

Post-install configuration for the Vault integration

After enabling metrics generation, instruct Grafana Agent to scrape your Vault nodes.

Vault exposes a /v1/sys/metrics endpoint. To scrape it, add the snippet below to your agent configuration file.

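Make sure to change targets, scheme (http is selected by default) and authorization in the snippet according to your environment. With scheme set to http, the token read from credentials_file is sent unencrypted, so use https when your Vault listener has TLS enabled.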

metrics:
  wal_directory: /tmp/wal
  configs:
    - name: integrations
      scrape_configs:
        - job_name: integrations/vault
          metrics_path: /v1/sys/metrics
          params:
            format: ['prometheus']
          scheme: http
          authorization:
            credentials_file: /etc/prometheus/prometheus-token
          static_configs:
            - targets: ['localhost:8200']

Instead of static discovery, you can use Consul service discovery to find the active Vault member:

metrics:
  wal_directory: /tmp/wal
  configs:
    - name: integrations
      scrape_configs:
        - job_name: integrations/vault
          metrics_path: /v1/sys/metrics
          params:
            format: ['prometheus']
          scheme: http
          authorization:
            credentials_file: /etc/prometheus/prometheus-token
          consul_sd_configs:
            - server: 'consul.service.consul:8500'
              services: ['vault']
              tags: ['active']
          relabel_configs:
            - source_labels: ['__meta_consul_tags']
              regex: '(.*)http(.*)'
              action: keep
            - source_labels: [__meta_consul_node]
              target_label: instance

Dashboards

The Vault integration installs the following dashboards in your Grafana Cloud instance to help monitor your metrics.

  • Hashicorp Vault

Figure: Vault overview dashboard

Metrics

The following metrics are automatically written to your Grafana Cloud instance by connecting your Vault instance through this integration:

  • vault_audit_log_request_count
  • vault_audit_log_request_failure
  • vault_audit_log_response_count
  • vault_audit_log_response_failure
  • vault_consul_delete_count
  • vault_consul_get_count
  • vault_consul_list_count
  • vault_consul_put_count
  • vault_core_handle_request_count
  • vault_core_unsealed
  • vault_expire_num_leases
  • vault_identity_num_entities
  • vault_policy_get_policy_count
  • vault_policy_set_policy_count
  • vault_runtime_alloc_bytes
  • vault_runtime_heap_objects
  • vault_runtime_malloc_count
  • vault_runtime_num_goroutines
  • vault_secret_kv_count
  • vault_token_count
  • vault_token_count_by_auth
  • vault_token_count_by_policy
  • vault_token_count_by_ttl
  • vault_token_create_count
  • vault_token_creation
  • vault_token_lookup_count
  • vault_token_store_count

Changelog

# 0.0.3 - December 2022

* Change panels to timeseries
* Change old bar charts to new bar gauges
* Add job, instance selectors
* Fix secrets table, add gauge to the table

# 0.0.2 - October 2022

* Updating mixin with the latest piechart panel

# 0.0.1 - October 2021

* Initial release

Cost

By connecting your Vault instance to Grafana Cloud you might incur charges. To view information on the number of active series that your Grafana Cloud account uses for metrics included in each Cloud tier, see Active series and dpm usage and Cloud tier pricing.