Vault integration for Grafana Cloud
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. This integration allows you to monitor metrics from Vault.
Pre-install configuration for the Vault integration
This integration monitors HashiCorp Vault using the built-in Prometheus metrics collector, which ships natively with Vault.
To enable and properly set up the Prometheus metrics in Vault, refer to the official HashiCorp guide.
To enable them, add the following snippet to your node configuration file.
telemetry {
  disable_hostname = true
  prometheus_retention_time = "12h"
}
You must also issue an auth token that Prometheus uses to scrape the metrics endpoint, which is protected. This is also described in the HashiCorp documentation referred to above.
Install Vault integration for Grafana Cloud
- In your Grafana Cloud instance, click Integrations and Connections (lightning bolt icon).
- Navigate to the Vault tile and review the prerequisites. Then click Install integration.
- Once the integration is installed, follow the steps on the Configuration Details page to set up Grafana Agent and start sending Vault metrics to your Grafana Cloud instance.
Post-install configuration for the Vault integration
After enabling the metrics generation, instruct Grafana Agent to scrape your Vault nodes.
Vault exposes a /v1/sys/metrics endpoint. To scrape it, add the snippet below to your agent configuration file.
Make sure to change targets, scheme (http is selected by default) and authorization in the snippet according to your environment.
metrics:
  wal_directory: /tmp/wal
  configs:
    - name: integrations
      scrape_configs:
        - job_name: integrations/vault
          metrics_path: /v1/sys/metrics
          params:
            format: ['prometheus']
          scheme: http
          authorization:
            credentials_file: /etc/prometheus/prometheus-token
          static_configs:
            - targets: ['localhost:8200']
Instead of static discovery, Consul service discovery can be used to discover the active Vault member:
metrics:
  wal_directory: /tmp/wal
  configs:
    - name: integrations
      scrape_configs:
        - job_name: integrations/vault
          metrics_path: /v1/sys/metrics
          params:
            format: ['prometheus']
          scheme: http
          authorization:
            credentials_file: /etc/prometheus/prometheus-token
          consul_sd_configs:
            - server: 'consul.service.consul:8500'
              services: ['vault']
              tags: ['active']
          relabel_configs:
            - source_labels: ['__meta_consul_tags']
              regex: '(.*)http(.*)'
              action: keep
            - source_labels: [__meta_consul_node]
              target_label: instance
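With scheme: http, the token read from credentials_file travels to Vault unencrypted on every scrape. The following is an added example, not part of the original page or the integration's own configuration: the static job rewritten to scrape over TLS. The hostname, the CA bundle path and a TLS-enabled Vault listener are assumptions; the same scheme and tls_config settings apply to the Consul-discovered job.

```yaml
# Added example: static scrape job over TLS (hostname and CA path are assumed).
metrics:
  wal_directory: /tmp/wal
  configs:
    - name: integrations
      scrape_configs:
        - job_name: integrations/vault
          metrics_path: /v1/sys/metrics
          params:
            format: ['prometheus']
          # https keeps the bearer token below off the wire in cleartext.
          scheme: https
          tls_config:
            # CA that signed the Vault listener certificate (assumed path).
            ca_file: /etc/grafana-agent/vault-ca.pem
            # Must match a name in the Vault certificate (assumed hostname).
            server_name: vault.example.internal
            # Leave verification on; disabling it removes the protection TLS adds.
            insecure_skip_verify: false
          authorization:
            type: Bearer
            # Keep this file readable only by the account the agent runs as.
            credentials_file: /etc/prometheus/prometheus-token
          static_configs:
            - targets: ['vault.example.internal:8200']
```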
Dashboards
The Vault integration installs the following dashboards in your Grafana Cloud instance to help monitor your metrics.
- Hashicorp Vault
Vault overview
Metrics
The following metrics are automatically written to your Grafana Cloud instance by connecting your Vault instance through this integration:
- vault_audit_log_request_count
- vault_audit_log_request_failure
- vault_audit_log_response_count
- vault_audit_log_response_failure
- vault_consul_delete_count
- vault_consul_get_count
- vault_consul_list_count
- vault_consul_put_count
- vault_core_handle_request_count
- vault_core_unsealed
- vault_expire_num_leases
- vault_identity_num_entities
- vault_policy_get_policy_count
- vault_policy_set_policy_count
- vault_runtime_alloc_bytes
- vault_runtime_heap_objects
- vault_runtime_malloc_count
- vault_runtime_num_goroutines
- vault_secret_kv_count
- vault_token_count
- vault_token_count_by_auth
- vault_token_count_by_policy
- vault_token_count_by_ttl
- vault_token_create_count
- vault_token_creation
- vault_token_lookup_count
- vault_token_store_count
Changelog
# 0.0.3 - December 2022
* Change panels to timeseries
* Change old bar charts to new bar gauges
* Add job, instance selectors
* Fix secrets table, add gauge to the table
# 0.0.2 - October 2022
* Updating mixin with the latest piechart panel
# 0.0.1 - October 2021
* Initial release
Cost
By connecting your Vault instance to Grafana Cloud you might incur charges. To view information on the number of active series that your Grafana Cloud account uses for metrics included in each Cloud tier, see Active series and dpm usage and Cloud tier pricing.