Hashicorp Vault


Vault is an identity-based secrets and encryption management system. This integration collects Vault's audit logs. The integration also collects token, memory, and storage metrics.

For more information about Vault, see the Hashicorp Vault documentation.

Prerequisites

To collect Vault telemetry, you must install the Ops Agent:

  • For metrics, install version 2.18.2 or higher.
  • For logs, install version 2.18.1 or higher.

This integration supports Vault version 1.6+.

Configure your Vault instance

To collect telemetry from your Vault instance, you must set the prometheus_retention_time field to a non-zero value in your HCL or JSON Vault configuration file.

Full configuration options can be found at https://www.vaultproject.io/docs/configuration

telemetry {
  prometheus_retention_time = "10m"
  disable_hostname = false
}

Additionally, a root user is required to enable audit-log collection and to create a prometheus-metrics ACL policy. A root token is used to add a policy that has read capabilities to the /sys/metrics endpoint. This policy is used to create a Vault token with sufficient permission to collect Vault metrics.

If you are initializing Vault for the first time, then you can use the following script to generate a root token. Otherwise, see Generate Root Tokens Using Unseal Keys for information about generating a root token.

export VAULT_ADDR=http://localhost:8200
# Create simple Vault initialization with 1 key share and a key threshold of 1.
vault operator init -key-shares=1 -key-threshold=1 | head -n3 > .vault-init
VAULT_KEY=$(grep 'Unseal Key 1' .vault-init | awk '{print $NF}')
VAULT_TOKEN=$(grep 'Initial Root Token:' .vault-init | awk '{print $NF}')
export VAULT_TOKEN
vault operator unseal "$VAULT_KEY"

# Enable audit logs.
vault audit enable file file_path=/var/log/vault_audit.log

# Create Prometheus ACL policy to access metrics endpoint.
vault policy write prometheus-metrics - << EOF
path "/sys/metrics" {
  capabilities = ["read"]
}
EOF

# Create an example token with the prometheus-metrics policy to access Vault metrics.
# This token is used as `$VAULT_TOKEN` in your Ops Agent configuration for Vault.
vault token create -field=token -policy prometheus-metrics > prometheus-token

Configure the Ops Agent for Vault

Following the guide for Configuring the Ops Agent, add the required elements to collect telemetry from Vault instances, and restart the agent.

Example configuration

The following command creates the configuration to collect and ingest telemetry for Vault and restarts the Ops Agent.

# Configures Ops Agent to collect telemetry from the app and restart Ops Agent.

set -e

# Create a back up of the existing file so existing configurations are not lost.
sudo cp /etc/google-cloud-ops-agent/config.yaml /etc/google-cloud-ops-agent/config.yaml.bak

# Configure the Ops Agent.
# Use the token that carries the prometheus-metrics policy (written to the
# prometheus-token file in the previous section), not the root token.
VAULT_TOKEN=$(cat prometheus-token)

sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
metrics:
  receivers:
    vault:
      type: vault
      token: $VAULT_TOKEN
      endpoint: 127.0.0.1:8200
  service:
    pipelines:
      vault:
        receivers:
          - vault
logging:
  receivers:
    vault_audit:
      type: vault_audit
      include_paths: [/var/log/vault_audit.log]
  service:
    pipelines:
      vault:
        receivers:
          - vault_audit
EOF

sudo service google-cloud-ops-agent restart

Configure logs collection

To ingest logs from Vault, you must create receivers for the logs that Vault produces and then create a pipeline for the new receivers.

To configure a receiver for your vault_audit logs, specify the following fields:

| Field | Default | Description |
| --- | --- | --- |
| exclude_paths | | A list of filesystem path patterns to exclude from the set matched by include_paths. |
| include_paths | | A list of filesystem paths to read by tailing each file. A wildcard (*) can be used in the paths. |
| record_log_file_path | false | If set to true, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded. |
| type | | The value must be vault_audit. |
| wildcard_refresh_interval | 60s | The interval at which wildcard file paths in include_paths are refreshed. Given as a time duration, for example 30s or 2m. This property might be useful under high logging throughputs where log files are rotated faster than the default interval. |

What is logged

The logName is derived from the receiver IDs specified in the configuration. Detailed fields inside the LogEntry are as follows.

The vault_audit logs contain the following fields in the LogEntry:

| Field | Type | Description |
| --- | --- | --- |
| jsonPayload.auth | struct | |
| jsonPayload.auth.accessor | string | This is an HMAC of the client token accessor. |
| jsonPayload.auth.client_token | string | This is an HMAC of the client's token ID. |
| jsonPayload.auth.display_name | string | This is the display name set by the auth method role or explicitly at secret creation time. |
| jsonPayload.auth.entity_id | string | This is a token entity identifier. |
| jsonPayload.auth.metadata | object | This will contain a list of metadata key/value pairs associated with the client_token. |
| jsonPayload.auth.policies | object | This will contain a list of policies associated with the client_token. |
| jsonPayload.auth.token_type | string | |
| jsonPayload.error | string | If an error occurred with the request, the error message is included in this field's value. |
| jsonPayload.request | struct | |
| jsonPayload.request.client_token | string | This is an HMAC of the client's token ID. |
| jsonPayload.request.client_token_accessor | string | This is an HMAC of the client token accessor. |
| jsonPayload.request.data | object | The data object will contain secret data in key/value pairs. |
| jsonPayload.request.headers | object | Additional HTTP headers specified by the client as part of the request. |
| jsonPayload.request.id | string | This is the unique request identifier. |
| jsonPayload.request.namespace.id | string | |
| jsonPayload.request.operation | string | This is the type of operation, which corresponds to path capabilities and is expected to be one of: create, read, update, delete, or list. |
| jsonPayload.request.path | string | The requested Vault path for the operation. |
| jsonPayload.request.policy_override | boolean | This is true when a soft-mandatory policy override was requested. |
| jsonPayload.request.remote_address | string | The IP address of the client making the request. |
| jsonPayload.request.wrap_ttl | string | If the token is wrapped, this displays the configured wrap TTL value as a numeric string. |
| jsonPayload.response | struct | |
| jsonPayload.response.data.accessor | string | This is an HMAC of the client token accessor. |
| jsonPayload.response.data.creation_time | string | RFC 3339 format timestamp of the token's creation. |
| jsonPayload.response.data.creation_ttl | string | Token creation TTL in seconds. |
| jsonPayload.response.data.display_name | string | This is the display name set by the auth method role or explicitly at secret creation time. |
| jsonPayload.response.data.entity_id | string | This is a token entity identifier. |
| jsonPayload.response.data.expire_time | string | RFC 3339 format timestamp representing the moment this token will expire. |
| jsonPayload.response.data.explicit_max_ttl | string | Explicit token maximum TTL value in seconds ("0" when not set). |
| jsonPayload.response.data.id | string | This is the unique response identifier. |
| jsonPayload.response.data.issue_time | string | RFC 3339 format timestamp. |
| jsonPayload.response.data.num_uses | number | If the token is limited to a number of uses, that value will be represented here. |
| jsonPayload.response.data.orphan | boolean | Boolean value representing whether the token is an orphan. |
| jsonPayload.response.data.path | string | The requested Vault path for the operation. |
| jsonPayload.response.data.policies | object | This will contain a list of policies associated with the client_token. |
| jsonPayload.response.data.renewable | boolean | Boolean value representing whether the token is renewable. |
| jsonPayload.type | string | The type of audit log. |
| severity | string | |
| timestamp | string (Timestamp) | Time the request was received. |
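As an added example (not part of this page or of the Ops Agent), the following Python script parses a few constructed vault_audit lines that use the fields documented above and derives three signals from them: errors by client address, requests made with the root policy, and any use of the metrics-scraper token outside sys/metrics. The policy and path names are the ones from this page's setup script; the sample events and the truncated last line are constructed.

```python
import json
from collections import Counter

# Constructed sample events in the shape the Vault file audit device writes (one
# JSON object per line), plus one line cut short by rotation to exercise the parser.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00Z", "type": "request",
     "auth": {"display_name": "token", "policies": ["default", "prometheus-metrics"]},
     "request": {"id": "r1", "operation": "read", "path": "sys/metrics",
                 "remote_address": "127.0.0.1"}},
    {"time": "2024-01-01T10:00:02Z", "type": "response",
     "auth": {"policies": ["default", "prometheus-metrics"]},
     "request": {"id": "r2", "operation": "read", "path": "secret/data/db",
                 "remote_address": "10.0.0.5"},
     "error": "1 error occurred:\n\t* permission denied\n\n"},
    {"time": "2024-01-01T10:00:03Z", "type": "request",
     "auth": {"display_name": "root", "policies": ["root"]},
     "request": {"id": "r3", "operation": "update", "path": "sys/policies/acl/admin",
                 "remote_address": "10.0.0.9"}},
]
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"time": "2024-']


def parse_audit_lines(lines):
    """Parse one JSON object per line, skipping lines that are not complete JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write at rotation; nothing to recover
    return events


def review_audit(events, scraper_policy="prometheus-metrics", scraper_path="sys/metrics"):
    """Errors by client address, requests made with the root policy, and any use of
    the metrics-scraper token outside sys/metrics (it should only ever read there)."""
    errors_by_address = Counter()
    root_requests, scraper_off_path = [], set()
    for ev in events:
        req = ev.get("request", {})
        policies = set(ev.get("auth", {}).get("policies", []))
        if ev.get("error"):
            errors_by_address[req.get("remote_address", "?")] += 1
        if ev.get("type") == "request" and "root" in policies:
            root_requests.append((req["id"], req["operation"], req["path"]))
        if scraper_policy in policies and req.get("path") != scraper_path:
            scraper_off_path.add((req["id"], req["path"]))
    return {"errors_by_address": dict(errors_by_address),
            "root_requests": root_requests, "scraper_off_path": sorted(scraper_off_path)}
```

Run it against the tail of /var/log/vault_audit.log to get the same three views over real events; request and response records for one request share the same request.id, which is why the scraper view is deduplicated.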

Configure metrics collection

To ingest metrics from Vault, you must create receivers for the metrics that Vault produces and then create a pipeline for the new receivers.

To configure a receiver for your vault metrics, specify the following fields:

| Field | Default | Description |
| --- | --- | --- |
| ca_file | | Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA. |
| cert_file | | Path to the TLS certificate to use for mTLS-required connections. |
| collection_interval | 60s | A time.Duration value, such as 30s or 5m. |
| endpoint | localhost:8200 | The hostname:port used by Vault. |
| insecure | true | Sets whether or not to use a secure TLS connection. If set to false, then TLS is enabled. |
| insecure_skip_verify | false | Sets whether or not to skip verifying the certificate. If insecure is set to true, then the insecure_skip_verify value is not used. |
| key_file | | Path to the TLS key to use for mTLS-required connections. |
| metrics_path | /v1/sys/metrics | The path for metrics collection. |
| token | | Token used for authentication. |
| type | | This value must be vault. |

What is monitored

The following table provides the list of metrics that the Ops Agent collects from the Vault instance.

| Metric type | Kind, Type | Monitored resources | Labels |
| --- | --- | --- | --- |
| workload.googleapis.com/vault.audit.request.failed | CUMULATIVE, INT64 | gce_instance | |
| workload.googleapis.com/vault.audit.response.failed | CUMULATIVE, INT64 | gce_instance | |
| workload.googleapis.com/vault.core.leader.duration | GAUGE, DOUBLE | gce_instance | |
| workload.googleapis.com/vault.core.request.count | GAUGE, INT64 | gce_instance | cluster |
| workload.googleapis.com/vault.memory.usage | GAUGE, DOUBLE | gce_instance | |
| workload.googleapis.com/vault.storage.operation.delete.count | CUMULATIVE, INT64 | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.delete.time | CUMULATIVE, DOUBLE | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.get.count | CUMULATIVE, INT64 | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.get.time | CUMULATIVE, DOUBLE | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.list.count | CUMULATIVE, INT64 | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.list.time | CUMULATIVE, DOUBLE | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.put.count | CUMULATIVE, INT64 | gce_instance | storage |
| workload.googleapis.com/vault.storage.operation.put.time | CUMULATIVE, DOUBLE | gce_instance | storage |
| workload.googleapis.com/vault.token.count | GAUGE, INT64 | gce_instance | namespace, cluster |
| workload.googleapis.com/vault.token.lease.count | GAUGE, INT64 | gce_instance | |
| workload.googleapis.com/vault.token.renew.time | GAUGE, INT64 | gce_instance | |
| workload.googleapis.com/vault.token.revoke.time | GAUGE, INT64 | gce_instance | |

Sample dashboard

To view your Vault metrics, you must have a chart or dashboard configured. Cloud Monitoring provides a library of sample dashboards for integrations, which contain preconfigured charts. For information about installing these dashboards, see Installing sample dashboards.

Verify the configuration

This section describes how to verify that you correctly configured the Vault receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.

To verify that the logs are ingested, go to the Logs Explorer and run the following query to view the Vault logs:

resource.type="gce_instance"
log_id("vault_audit")

To verify that the metrics are ingested, go to Metrics Explorer and run the following query in the MQL tab:

fetch gce_instance
| metric 'workload.googleapis.com/vault.memory.usage'
| every 1m

What's next

For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.