Monitor EKM usage

You can use Cloud Monitoring to monitor your external key manager (EKM) connection. The following metrics can help you understand your EKM usage:

  • cloudkms.googleapis.com/ekm/external/request_latencies
  • cloudkms.googleapis.com/ekm/external/request_count

This page shows you how to create a dashboard to track metrics related to your Cloud EKM keys and external key manager connection, such as request counts and latencies. For more information about these metrics, see cloudkms metrics. For more information about the dashboard creation process described in the following sections, see Managing dashboards by API.

Before you begin

The steps on this page assume the following:

Required roles

To get the permissions that you need to create dashboards using the gcloud CLI, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create dashboards using the gcloud CLI:

  • monitoring.dashboards.create
  • monitoring.dashboards.delete
  • monitoring.dashboards.update
  • serviceusage.services.use

You might also be able to get these permissions with custom roles or other predefined roles.

Create a dashboard to monitor your EKM

To monitor the status of your EKM, create a dashboard that monitors your request count and latencies:

  1. Download the dashboard configuration: ekm-dashboard.json.

  2. Create a custom dashboard with the configuration file by running the following command:

    gcloud monitoring dashboards create \
    --config-from-file=ekm-dashboard.json

View your EKM dashboard

  1. In the Google Cloud console, go to the Monitoring page, or use the following button:

    Go to Monitoring

  2. Select Resources > Dashboards and view the dashboard named Cloud KMS EKM.

Create an alert policy for EKM metrics

Complete the following steps using the gcloud CLI:

  1. Select a notification channel to receive EKM metrics alerts.

    • To use an existing notification channel, first view your channels:

      gcloud beta monitoring channels list
      

      Choose a channel from the list. Make note of the notification channel ID; you need it later.

    • To use a new notification channel, create the channel using an email address:

      gcloud beta monitoring channels create \
      --display-name="Notification channel for EKM latency alert" \
      --description="This notification channel receives EKM latency metric alerts" \
      --type=email \
      --channel-labels=email_address=NOTIFICATION_EMAIL
      

      If successful, this command returns the name of the new channel. Make note of the notification channel ID; you need it later. The output is similar to the following:

      Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]
      
  2. Create an alerting policy using the monitoring policies create command:

        gcloud alpha monitoring policies create \
            --notification-channels=NOTIFICATION_CHANNEL_ID \
            --aggregation=' {"alignmentPeriod": "60s","perSeriesAligner": "ALIGN_PERCENTILE_99"}' \
            --condition-display-name="EKM Request Latency > 150ms" \
            --condition-filter='resource.type="cloudkms.googleapis.com/Project"
                                metric.type="cloudkms.googleapis.com/ekm/external/request_latencies"
                                metric.labels.ekm_service_region="LOCATION"
                                metric.labels.method="LABEL_METHOD"' \
            --duration="0s" \
            --if="> 150" \
            --display-name="EKM metric latency alert" \
            --trigger-count=1 \
            --combiner='AND'
    

    Replace the following:

    • NOTIFICATION_CHANNEL_ID: the ID of the notification channel.
    • LOCATION: the region for which you want to alert on this metric. If you want to alert regardless of region, omit metric.labels.ekm_service_region.
    • LABEL_METHOD: the method label that you want to alert on—for example, wrap, unwrap, asymmetricSign, checkCryptoSpacePermissions, createKey, getInfo, or getPublicKey. You can use Metrics Explorer to explore metric labels.
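To make the policy semantics concrete (60s alignment, per-series 99th percentile, threshold 150 ms, duration 0s, trigger count 1), the following added example evaluates that condition offline against constructed latency samples. It is not code from the Cloud KMS documentation or the gcloud CLI; the sample points are invented, and the nearest-rank percentile is an approximation of how Cloud Monitoring aligns a distribution metric.

```python
"""Offline model of the EKM request-latency alert condition (added illustration)."""
from collections import defaultdict
import math

ALIGNMENT_PERIOD_S = 60   # --aggregation alignmentPeriod "60s"
THRESHOLD_MS = 150.0      # --if "> 150"

# Constructed sample points: (unix_seconds, ekm_service_region, method, latency_ms)
SAMPLES = [
    (0, "us-east1", "wrap", 40.0),
    (10, "us-east1", "wrap", 55.0),
    (20, "us-east1", "wrap", 48.0),
    (70, "us-east1", "wrap", 120.0),
    (80, "us-east1", "wrap", 310.0),      # one slow external call in the 2nd window
    (5, "europe-west1", "wrap", 60.0),
    (65, "europe-west1", "wrap", 70.0),
    (15, "us-east1", "unwrap", 30.0),
    (75, "us-east1", "unwrap", 35.0),
]

def percentile_99(values):
    """Nearest-rank p99; approximates ALIGN_PERCENTILE_99 (real aligner interpolates buckets)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(0.99 * len(ordered)))
    return ordered[rank - 1]

def align_series(samples, region=None, method="wrap"):
    """Apply the filter labels and align each remaining series into 60s windows.

    region=None models omitting metric.labels.ekm_service_region: every region's
    series is still evaluated on its own (the policy has no cross-series reducer),
    it is simply no longer filtered out. Returns {(region, method): {window: p99}}.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, r, m, latency in samples:
        if m != method or (region is not None and r != region):
            continue
        window = (ts // ALIGNMENT_PERIOD_S) * ALIGNMENT_PERIOD_S
        buckets[(r, m)][window].append(latency)
    return {series: {w: percentile_99(v) for w, v in windows.items()}
            for series, windows in buckets.items()}

def evaluate_policy(samples, region=None, method="wrap", threshold=THRESHOLD_MS):
    """Return (series, window, p99) points that open an incident.

    --duration=0s with --trigger-count=1: a single aligned point above the
    threshold fires; no sustained breach is required.
    """
    aligned = align_series(samples, region, method)
    return sorted((series, w, p99) for series, windows in aligned.items()
                  for w, p99 in windows.items() if p99 > threshold)

if __name__ == "__main__":
    for series, window, p99 in evaluate_policy(SAMPLES, region="us-east1"):
        print(f"ALERT {series} window={window}s p99={p99:.0f}ms > {THRESHOLD_MS:.0f}ms")
```

Because the aligner is per-series, a single slow call inside a 60s window is enough to fire at p99 when that series has few samples; raise `--duration` or the trigger count if that is too noisy for your EKM.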

What's next