The OpenTelemetry Collector, when configured with a Prometheus receiver, provides an integration with HashiCorp Vault to scrape Prometheus metrics. The Collector uses the Prometheus receiver to fetch metrics from the path configured in the HashiCorp Vault configuration file. From there, the metrics are processed and exported to Cloud Observability.

To complete the integration, you will:

  • Configure HashiCorp Vault to use the Prometheus exporter.
  • Configure the Collector to use the HashiCorp Vault endpoint as a scrape target for the Prometheus receiver.
  • Enable the integration by adding it to a pipeline.

Prerequisites

You’ve configured the Collector to export metric data to Cloud Observability.

Configure HashiCorp Vault reporting

You need to configure HashiCorp Vault to enable Prometheus and then define a Prometheus ACL policy.

  1. To enable Prometheus metrics in HashiCorp Vault, you need to set prometheus_retention_time to a non-zero value.
    In the /vault/config/server.hcl file, add the following:

     ...
    
     telemetry {
       disable_hostname = true
       prometheus_retention_time = "12h"
     }
    
  2. Define the Prometheus ACL policy.
    Prometheus requires a Vault token with sufficient permissions to successfully consume metrics from the endpoint.
    In the /vault/config/policies/prometheus-metrics.hcl file, add the following:

     ...
    
     path "/sys/metrics" {
       capabilities = ["read"]
     }
    

For more details about using HashiCorp Vault with the Prometheus exporter, see the official HashiCorp Vault documentation.

Configure the Collector receiver

In the Collector configuration file, configure the Prometheus receiver to use the HashiCorp Vault Prometheus endpoint as a scrape target.

receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: 'vault'
          scrape_interval: 10s
          # Prometheus rejects a scrape_timeout longer than scrape_interval
          scrape_timeout: 10s
          metrics_path: '/v1/sys/metrics'
          params:
            format: ['prometheus']
          static_configs:
            - targets: ['localhost:8280']

The OpenTelemetry repo’s README provides additional details about Prometheus receiver configuration.

More details about the Prometheus scrape configuration can be found here.
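
The policy step above notes that the scraper needs a Vault token, but the receiver configuration does not show how that token is presented. The following is an added example, not part of the original page or the project's own configuration: the same scrape job with the token read from a file and sent as a bearer token over TLS. Both file paths and the TLS-enabled listener are assumptions.

```yaml
receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: 'vault'
          scrape_interval: 10s
          scrape_timeout: 10s          # must not exceed scrape_interval
          metrics_path: '/v1/sys/metrics'
          params:
            format: ['prometheus']
          # Assumption: the Vault listener has TLS enabled. Without TLS the
          # token below would cross the network in cleartext.
          scheme: https
          tls_config:
            ca_file: /etc/otelcol/vault-ca.pem          # hypothetical path
          # Send the Vault token as "Authorization: Bearer <token>".
          # Reading it from a file keeps the secret out of the Collector
          # configuration and out of anything that logs or dumps that config.
          authorization:
            type: Bearer
            credentials_file: /etc/otelcol/vault-token  # hypothetical path
          static_configs:
            - targets: ['localhost:8280']
```

Issue the token with only the policy defined in prometheus-metrics.hcl attached, and make the token file readable only by the account the Collector runs as.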

Enable the Collector receiver

Once the HashiCorp Vault receiver is configured, enable it by adding it to one or more pipelines as described in the Collector configuration documentation.

Validate metrics are reporting to Cloud Observability

You can validate that metrics are reporting to Cloud Observability on the Metrics details page in Settings.

  1. In Cloud Observability, click Settings > Metric details.

  2. Search for HashiCorp Vault metric names.

    See the HashiCorp Vault documentation for a complete list of emitted metrics.

  3. If needed, click on the metric to edit the description and how the units are displayed in Cloud Observability.

Create a dashboard for the metrics

Use the Cloud Observability Terraform Provider to create a dashboard for the metrics.

Additional resources

For a more complete example that’s ready to run, see the HashiCorp Vault integration in Cloud Observability OpenTelemetry Examples.

See also

Create and manage dashboards

Create alerts

Updated Dec 1, 2022