Authentication telemetry provides information on authentication-related
objects and operations.
Identity metrics
vault.identity.entity.alias.count
Metric type | Value | Description |
---|
gauge | aliases | The number of identity entity aliases (per authN mount) currently stored in OpenBao |
OpenBao updates the alias count every usage_gauge_period interval.
vault.identity.entity.count
Metric type | Value | Description |
---|
gauge | entities | The number of identity entity aliases (per namespace) currently stored in OpenBao |
vault.identity.entity.creation
Metric type | Value | Description |
---|
counter | number | The number of identity entities created per namespace |
vault.identity.num_entities
Metric type | Value | Description |
---|
gauge | entities | The total number of identity entities currently stored in OpenBao |
vault.identity.upsert_entity_txn
Metric type | Value | Description |
---|
summary | ms | Time required to upsert an entity to the in-memory database and, on the active node, persist the data to storage |
vault.identity.upsert_group_txn
Metric type | Value | Description |
---|
summary | ms | Time required to upsert group membership to the in-memory database and, on the active node, persist the data to storage |
Lease metrics
vault.expire.fetch-lease-times-by-token
Metric type | Value | Description |
---|
summary | ms | Time taken to retrieve lease times by token |
vault.expire.fetch-lease-times
Metric type | Value | Description |
---|
summary | ms | Time taken to retrieve lease times |
vault.expire.job_manager.queue_length
Metric type | Value | Description |
---|
summary | leases | The total number of pending revocation jobs by queue_id |
The queue ID in the queue_id label indicates the mount accessor associated with the expiring lease, for example, the secrets engine or authentication method.
vault.expire.job_manager.total_jobs
Metric type | Value | Description |
---|
summary | leases | The total number of pending revocation jobs |
vault.expire.lease_expiration
Metric type | Value | Description |
---|
counter | number | The number of lease expirations to date |
vault.expire.lease_expiration.error
Metric type | Value | Description |
---|
counter | number | The total number of lease expiration errors |
vault.expire.lease_expiration.time_in_queue
Metric type | Value | Description |
---|
summary | ms | Time taken for a lease to get to the front of the revoke queue |
vault.expire.leases.by_expiration
Metric type | Value | Description |
---|
gauge | leases | The number of leases set to expire, grouped by the configured interval |
The relevant time intervals are defined in the telemetry stanza for your
OpenBao server configuration with the following parameters:

- lease_metrics_epsilon: 1 hour (default)
- num_lease_metrics_buckets: 168 hours (default)
- add_lease_metrics_namespace_labels: false (default)

OpenBao reports the number of leases due to expire every lease_metrics_epsilon
interval in the time period current_time + num_lease_metrics_buckets.
vault.expire.num_irrevocable_leases
Metric type | Value | Description |
---|
gauge | leases | The number of leases that cannot be automatically revoked |
vault.expire.num_leases
Metric type | Value | Description |
---|
gauge | leases | The total number of leases eligible for eventual expiry |
vault.expire.register-auth
Metric type | Value | Description |
---|
summary | ms | Time taken to register leases associated with new service tokens |
vault.expire.register
Metric type | Value | Description |
---|
summary | ms | Time taken for register operations |
vault.expire.renew-token
Metric type | Value | Description |
---|
summary | ms | Time taken to renew a token |
vault.expire.renew
Metric type | Value | Description |
---|
summary | ms | Time taken to renew a lease |
vault.expire.revoke-by-token
Metric type | Value | Description |
---|
summary | ms | Time taken to revoke all secrets issued with a given token |
vault.expire.revoke-force
Metric type | Value | Description |
---|
summary | ms | Time taken to forcibly revoke a token |
vault.expire.revoke-prefix
Metric type | Value | Description |
---|
summary | ms | Time taken to revoke all tokens on a prefix |
vault.expire.revoke
Metric type | Value | Description |
---|
summary | ms | Time taken to revoke a token |
Token metrics
vault.token.count
Metric type | Value | Description |
---|
gauge | number | Number of un-expired and un-revoked tokens available for use in the token store |
OpenBao updates the token count every 10 minutes and organizes the result by cluster
and namespace.
vault.token.count.by_auth
Metric type | Value | Description |
---|
gauge | number | Total number of service tokens created by a particular auth method |
OpenBao organizes the token count by cluster, namespace, and authentication
method.
vault.token.count.by_policy
Metric type | Value | Description |
---|
gauge | number | Total number of service tokens with a particular policy attached |
OpenBao organizes the token count by cluster, namespace, and policy. Tokens with
more than one policy attached appear in the gauge for each associated policy.
vault.token.count.by_ttl
Metric type | Value | Description |
---|
gauge | number | Total number of service tokens assigned a particular time to live (TTL) |
OpenBao organizes the token count by cluster, namespace, and the TTL
range assigned at creation.
vault.token.create_root
Metric type | Value | Description |
---|
counter | number | Number of root tokens created |
The vault.token.create_root metric counts the total number of root tokens created
over time, not the number of root tokens currently in use. As a result, the
value of vault.token.create_root does not decrease when a root token is
revoked.
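Because the counter only ever grows, any increase between two scrapes means a root token was created in that interval, even if it was revoked again before the next scrape. The following added example (not part of the OpenBao documentation) shows that check over constructed Prometheus-style scrapes. It assumes the metric is exposed as `vault_token_create_root`, that the `cluster` label is present, and that a lower value than before means the counter was reset, for example by a server restart.

```python
import re

# Assumed Prometheus-style name for vault.token.create_root (dots become underscores).
METRIC = "vault_token_create_root"
_SAMPLE_LINE = re.compile(r"^(?P<name>[A-Za-z_:][\w:]*)(?:\{[^}]*\})?\s+(?P<value>\S+)")

def read_counter(scrape, metric=METRIC):
    """Sum every sample of `metric` in a text-format scrape, across all label sets."""
    total = 0.0
    for line in scrape.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and HELP/TYPE comments
            continue
        m = _SAMPLE_LINE.match(line)
        if m and m.group("name") == metric:
            total += float(m.group("value"))
    return total

def new_root_tokens(previous, current):
    """Root tokens created between two scrapes.

    Revocation never lowers the counter, so a lower value is treated as a
    reset (assumption) and everything counted since the reset is new.
    """
    return current if current < previous else current - previous

def check(scrapes):
    """Return (scrape index, new root tokens) for every interval with a creation."""
    alerts, previous = [], None
    for i, scrape in enumerate(scrapes):
        current = read_counter(scrape)
        if previous is not None:
            delta = new_root_tokens(previous, current)
            if delta > 0:
                alerts.append((i, delta))
        previous = current
    return alerts

# Constructed sample scrapes; label values are illustrative.
SAMPLE = [
    '# TYPE vault_token_create_root counter\n'
    'vault_token_create_root{cluster="c1"} 2\n'
    'vault_token_count{cluster="c1",namespace="root"} 14\n',
    'vault_token_create_root{cluster="c1"} 2\n',  # no change
    'vault_token_create_root{cluster="c1"} 3\n',  # one root token created
    'vault_token_create_root{cluster="c1"} 1\n',  # reset, then one created
]

if __name__ == "__main__":
    print(check(SAMPLE))
```
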
vault.token.create
Metric type | Value | Description |
---|
summary | ms | Time required to create a token in OpenBao |
vault.token.createAccessor
Metric type | Value | Description |
---|
summary | ms | Time required to create a token accessor in OpenBao |
vault.token.creation
Metric type | Value | Description |
---|
counter | number | Number of service or batch tokens created |
OpenBao organizes the creation count by cluster, namespace, authentication method,
mount point, time to live (TTL), and token type.
vault.token.lookup
Metric type | Value | Description |
---|
summary | ms | Time required to look up a token in OpenBao |
vault.token.revoke-tree
Metric type | Value | Description |
---|
summary | ms | Time required to fully revoke a token tree in OpenBao |
vault.token.revoke
Metric type | Value | Description |
---|
summary | ms | Time required to revoke a token in OpenBao |
vault.token.store
Metric type | Value | Description |
---|
summary | ms | Time required to store an updated token entry without writing to the secondary index |