Hashicorp Vault

Vault is an identity-based secrets and encryption management system. This integration collects Vault's audit logs. The integration also collects token, memory, and storage metrics.

For more information about Vault, see the Hashicorp Vault documentation.

Prerequisites

To collect Vault telemetry, you must install the Ops Agent:

  • For metrics, install version 2.18.2 or higher.
  • For logs, install version 2.18.1 or higher.

This integration supports Vault version 1.6+.

Configure your Vault instance

To collect telemetry from your Vault instance, you must set the prometheus_retention_time field to a non-zero value in your HCL or JSON Vault configuration file.

Full configuration options can be found at https://www.vaultproject.io/docs/configuration
telemetry {
  prometheus_retention_time = "10m"
  disable_hostname = false
}

Additionally, a root user is required to enable audit-log collection and to create a prometheus-metrics ACL policy. A root token is used to add a policy that has read capabilities to the /sys/metrics endpoint. This policy is used to create a Vault token with sufficient permission to collect Vault metrics.

If you are initializing Vault for the first time, then you can use the following script to generate a root token. Otherwise, see Generate Root Tokens Using Unseal Keys for information about generating a root token.

export VAULT_ADDR=http://localhost:8200
# Create simple Vault initialization with 1 key share and a key threshold of 1.
vault operator init -key-shares=1 -key-threshold=1 | head -n3 | cat > .vault-init
VAULT_KEY=$(grep 'Unseal Key 1'  .vault-init | awk '{print $NF}')
VAULT_TOKEN=$(grep 'Initial Root Token:' .vault-init | awk '{print $NF}')
export VAULT_TOKEN
vault operator unseal $VAULT_KEY

# Enable audit logs.
vault audit enable file file_path=/var/log/vault_audit.log

# Create Prometheus ACL policy to access metrics endpoint.
vault policy write prometheus-metrics - << EOF
path "/sys/metrics" {
  capabilities = ["read"]
}
EOF

# Create an example token with the prometheus-metrics policy to access Vault metrics.
# This token is used as `$VAULT_TOKEN` in your Ops Agent configuration for Vault.
vault token create -field=token -policy prometheus-metrics > prometheus-token

Configure the Ops Agent for Vault

Following the guide to Configure the Ops Agent, add the required elements to collect telemetry from Vault instances, and restart the agent.

Example configuration

The following commands create the configuration to collect and ingest telemetry for Vault and restart the Ops Agent.

# Configures Ops Agent to collect telemetry from the app and restart Ops Agent.

set -e

# Create a back up of the existing file so existing configurations are not lost.
sudo cp /etc/google-cloud-ops-agent/config.yaml /etc/google-cloud-ops-agent/config.yaml.bak

# Create a Vault token that has read capabilities to /sys/metrics policy.
# For more information see: https://developer.hashicorp.com/vault/tutorials/monitoring/monitor-telemetry-grafana-prometheus?in=vault%2Fmonitoring#define-prometheus-acl-policy
VAULT_TOKEN=$(cat prometheus-token)


sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
metrics:
  receivers:
    vault:
      type: vault
      token: $VAULT_TOKEN
      endpoint: 127.0.0.1:8200
  service:
    pipelines:
      vault:
        receivers:
          - vault
logging:
  receivers:
    vault_audit:
      type: vault_audit
      include_paths: [/var/log/vault_audit.log]
  service:
    pipelines:
      vault:
        receivers:
          - vault_audit
EOF

sudo service google-cloud-ops-agent restart

Configure logs collection

To ingest logs from Vault, you must create a receiver for the logs that Vault produces and then create a pipeline for the new receiver.

To configure a receiver for your vault_audit logs, specify the following fields:

Field Default Description
exclude_paths A list of filesystem path patterns to exclude from the set matched by include_paths.
include_paths A list of filesystem paths to read by tailing each file. A wild card (*) can be used in the paths.
record_log_file_path false If set to true, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
type The value must be vault_audit.
wildcard_refresh_interval 60s The interval at which wildcard file paths in include_paths are refreshed. Given as a time duration, for example 30s or 2m. This property might be useful under high logging throughputs where log files are rotated faster than the default interval.

What is logged

The logName is derived from the receiver IDs specified in the configuration. Detailed fields inside the LogEntry are as follows.

The vault_audit logs contain the following fields in the LogEntry:

Field Type Description
jsonPayload.auth struct
jsonPayload.auth.accessor string This is an HMAC of the client token accessor.
jsonPayload.auth.client_token string This is an HMAC of the client's token ID.
jsonPayload.auth.display_name string This is the display name set by the auth method role or explicitly at secret creation time.
jsonPayload.auth.entity_id string This is a token entity identifier.
jsonPayload.auth.metadata object This will contain a list of metadata key/value pairs associated with the client_token.
jsonPayload.auth.policies object This will contain a list of policies associated with the client_token.
jsonPayload.auth.token_type string
jsonPayload.error string If an error occurred with the request, the error message is included in this field's value.
jsonPayload.request struct
jsonPayload.request.client_token string This is an HMAC of the client's token ID.
jsonPayload.request.client_token_accessor string This is an HMAC of the client token accessor.
jsonPayload.request.data object The data object will contain secret data in key/value pairs.
jsonPayload.request.headers object Additional HTTP headers specified by the client as part of the request.
jsonPayload.request.id string This is the unique request identifier.
jsonPayload.request.namespace.id string
jsonPayload.request.operation string This is the type of operation which corresponds to path capabilities and is expected to be one of: create, read, update, delete, or list.
jsonPayload.request.path string The requested Vault path for operation.
jsonPayload.request.policy_override boolean This is true when a soft-mandatory policy override was requested.
jsonPayload.request.remote_address string The IP address of the client making the request.
jsonPayload.request.wrap_ttl string If the token is wrapped, this displays configured wrapped TTL value as numeric string.
jsonPayload.response struct
jsonPayload.response.data.accessor string This is an HMAC of the client token accessor.
jsonPayload.response.data.creation_time string RFC 3339 format timestamp of the token's creation.
jsonPayload.response.data.creation_ttl string Token creation TTL in seconds.
jsonPayload.response.data.display_name string This is the display name set by the auth method role or explicitly at secret creation time.
jsonPayload.response.data.entity_id string This is a token entity identifier.
jsonPayload.response.data.expire_time string RFC 3339 format timestamp representing the moment this token will expire.
jsonPayload.response.data.explicit_max_ttl string Explicit token maximum TTL value as seconds ("0" when not set).
jsonPayload.response.data.id string This is the unique response identifier.
jsonPayload.response.data.issue_time string RFC 3339 format timestamp.
jsonPayload.response.data.num_uses number If the token is limited to a number of uses, that value will be represented here.
jsonPayload.response.data.orphan boolean Boolean value representing whether the token is an orphan.
jsonPayload.response.data.path string The requested Vault path for operation.
jsonPayload.response.data.policies object This will contain a list of policies associated with the client_token.
jsonPayload.response.data.renewable boolean Boolean value representing whether the token is an orphan.
jsonPayload.type string The type of audit log.
severity string (LogSeverity) Log entry level (translated).

Configure metrics collection

To ingest metrics from Vault, you must create a receiver for the metrics that Vault produces and then create a pipeline for the new receiver.

This receiver does not support the use of multiple instances in the configuration, for example, to monitor multiple endpoints. All such instances write to the same time series, and Cloud Monitoring has no way to distinguish among them.

To configure a receiver for your vault metrics, specify the following fields:

Field Default Description
ca_file Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA.
cert_file Path to the TLS certificate to use for mTLS-required connections.
collection_interval 60s A time duration value, such as 30s or 5m.
endpoint localhost:8200 The 'hostname:port' used by Vault.
insecure true Sets whether or not to use a secure TLS connection. If set to false, then TLS is enabled.
insecure_skip_verify false Sets whether or not to skip verifying the certificate. If insecure is set to true, then the insecure_skip_verify value is not used.
key_file Path to the TLS key to use for mTLS-required connections.
metrics_path /v1/sys/metrics The path for metrics collection.
token localhost:8200 Token used for authentication.
type This value must be vault.

What is monitored

The following table provides the list of metrics that the Ops Agent collects from the Vault instance.

Metric type 
Kind, Type
Monitored resources
Labels
workload.googleapis.com/vault.audit.request.failed
CUMULATIVEINT64
gce_instance
 
workload.googleapis.com/vault.audit.response.failed
CUMULATIVEINT64
gce_instance
 
workload.googleapis.com/vault.core.leader.duration
GAUGEDOUBLE
gce_instance
 
workload.googleapis.com/vault.core.request.count
GAUGEINT64
gce_instance
cluster
workload.googleapis.com/vault.memory.usage
GAUGEDOUBLE
gce_instance
 
workload.googleapis.com/vault.storage.operation.delete.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.delete.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.get.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.get.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.list.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.list.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.put.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.put.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.token.count
GAUGEINT64
gce_instance
cluster
namespace
workload.googleapis.com/vault.token.lease.count
GAUGEINT64
gce_instance
 
workload.googleapis.com/vault.token.renew.time
GAUGEINT64
gce_instance
 
workload.googleapis.com/vault.token.revoke.time
GAUGEINT64
gce_instance
 

Verify the configuration

This section describes how to verify that you correctly configured the Vault receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.

To verify that Vault logs are being sent to Cloud Logging, do the following:

  1. In the Google Cloud console, go to the Logs Explorer page:

    Go to Logs Explorer

    If you use the search bar to find this page, then select the result whose subheading is Logging.

  2. Enter the following query in the editor, and then click Run query:
    resource.type="gce_instance"
    log_id("vault_audit")
    

To verify that Vault metrics are being sent to Cloud Monitoring, do the following:

  1. In the Google Cloud console, go to the  Metrics explorer page:

    Go to Metrics explorer

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. In the toolbar of the query-builder pane, select the button whose name is either  MQL or  PromQL.
  3. Verify that MQL is selected in the Language toggle. The language toggle is in the same toolbar that lets you format your query.
  4. Enter the following query in the editor, and then click Run query:
    fetch gce_instance
    | metric 'workload.googleapis.com/vault.memory.usage'
    | every 1m
    

View dashboard

To view your Vault metrics, you must have a chart or dashboard configured. The Vault integration includes one or more dashboards for you. Any dashboards are automatically installed after you configure the integration and the Ops Agent has begun collecting metric data.

You can also view static previews of dashboards without installing the integration.

To view an installed dashboard, do the following:

  1. In the Google Cloud console, go to the  Dashboards page:

    Go to Dashboards

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. Select the Dashboard List tab, and then choose the Integrations category.
  3. Click the name of the dashboard you want to view.

If you have configured an integration but the dashboard has not been installed, then check that the Ops Agent is running. When there is no metric data for a chart in the dashboard, installation of the dashboard fails. After the Ops Agent begins collecting metrics, the dashboard is installed for you.

To view a static preview of the dashboard, do the following:

  1. In the Google Cloud console, go to the  Integrations page:

    Go to Integrations

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. Click the Compute Engine deployment-platform filter.
  3. Locate the entry for Vault and click View Details.
  4. Select the Dashboards tab to see a static preview. If the dashboard is installed, then you can navigate to it by clicking View dashboard.

For more information about dashboards in Cloud Monitoring, see Dashboards and charts.

For more information about using the Integrations page, see Manage integrations.

Install alerting policies

Alerting policies instruct Cloud Monitoring to notify you when specified conditions occur. The Vault integration includes one or more alerting policies for you to use. You can view and install these alerting policies from the Integrations page in Monitoring.

To view the descriptions of available alerting policies and install them, do the following:

  1. In the Google Cloud console, go to the  Integrations page:

    Go to Integrations

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. Locate the entry for Vault and click View Details.
  3. Select the Alerts tab. This tab provides descriptions of available alerting policies and provides an interface for installing them.
  4. Install alerting policies. Alerting policies need to know where to send notifications that the alert has been triggered, so they require information from you for installation. To install alerting policies, do the following:
    1. From the list of available alerting policies, select those that you want to install.
    2. In the Configure notifications section, select one or more notification channels. You have the option to disable the use of notification channels, but if you do, then your alerting policies fire silently. You can check their status in Monitoring, but you receive no notifications.

      For more information about notification channels, see Manage notification channels.

    3. Click Create Policies.

For more information about alerting policies in Cloud Monitoring, see Introduction to alerting.

For more information about using the Integrations page, see Manage integrations.

What's next

For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.