
Authentication telemetry

Authentication telemetry provides information on authentication-related objects and operations.

Identity metrics

vault.identity.entity.alias.count

Metric type | Value | Description
gauge | aliases | The number of identity entity aliases (per authN mount) currently stored in OpenBao

OpenBao updates the alias count every usage_gauge_period interval.

vault.identity.entity.count

Metric type | Value | Description
gauge | entities | The number of identity entity aliases (per namespace) currently stored in OpenBao

vault.identity.entity.creation

Metric type | Value | Description
counter | number | The number of identity entities created per namespace

vault.identity.num_entities

Metric type | Value | Description
gauge | entities | The total number of identity entities currently stored in OpenBao

vault.identity.upsert_entity_txn

Metric type | Value | Description
summary | ms | Time required to upsert an entity to the in-memory database and, on the active node, persist the data to storage

vault.identity.upsert_group_txn

Metric type | Value | Description
summary | ms | Time required to upsert group membership to the in-memory database and, on the active node, persist the data to storage

Lease metrics

vault.expire.fetch-lease-times-by-token

Metric type | Value | Description
summary | ms | Time taken to retrieve lease times by token

vault.expire.fetch-lease-times

Metric type | Value | Description
summary | ms | Time taken to retrieve lease times

vault.expire.job_manager.queue_length

Metric type | Value | Description
summary | leases | The total number of pending revocation jobs by queue_id

The queue ID in the queue_id label indicates the mount accessor associated with the expiring lease, for example, the secrets engine or authentication method.

vault.expire.job_manager.total_jobs

Metric type | Value | Description
summary | leases | The total number of pending revocation jobs

vault.expire.lease_expiration

Metric type | Value | Description
counter | number | The number of lease expirations to date

vault.expire.lease_expiration.error

Metric type | Value | Description
counter | number | The total number of lease expiration errors

vault.expire.lease_expiration.time_in_queue

Metric type | Value | Description
summary | ms | Time taken for a lease to get to the front of the revoke queue

vault.expire.leases.by_expiration

Metric type | Value | Description
gauge | leases | The number of leases set to expire, grouped by the configured interval

The relevant time intervals are defined in the telemetry stanza for your OpenBao server configuration with the following parameters:

  • lease_metrics_epsilon: 1 hour (default)
  • num_lease_metrics_buckets: 168 hours (default)
  • add_lease_metrics_namespace_labels: false (default)

OpenBao reports the number of leases due to expire every lease_metrics_epsilon interval in the time period current_time + num_lease_metrics_buckets.

vault.expire.num_irrevocable_leases

Metric type | Value | Description
gauge | leases | The number of leases that cannot be automatically revoked

vault.expire.num_leases

Metric type | Value | Description
gauge | leases | The total number of leases eligible for eventual expiry

vault.expire.register-auth

Metric type | Value | Description
summary | ms | Time taken to register leases associated with new service tokens

vault.expire.register

Metric type | Value | Description
summary | ms | Time taken for register operations

vault.expire.renew-token

Metric type | Value | Description
summary | ms | Time taken to renew a token

vault.expire.renew

Metric type | Value | Description
summary | ms | Time taken to renew a lease

vault.expire.revoke-by-token

Metric type | Value | Description
summary | ms | Time taken to revoke all secrets issued with a given token

vault.expire.revoke-force

Metric type | Value | Description
summary | ms | Time taken to forcibly revoke a token

vault.expire.revoke-prefix

Metric type | Value | Description
summary | ms | Time taken to revoke all tokens on a prefix

vault.expire.revoke

Metric type | Value | Description
summary | ms | Time taken to revoke a token

Token metrics

vault.token.count

Metric type | Value | Description
gauge | number | Number of un-expired and un-revoked tokens available for use in the token store

OpenBao updates the token count every 10 minutes and organizes the result by cluster and namespace.

vault.token.count.by_auth

Metric type | Value | Description
gauge | number | Total number of service tokens created by a particular auth method

OpenBao organizes the token count by cluster, namespace, and authentication method.

vault.token.count.by_policy

Metric type | Value | Description
gauge | number | Total number of service tokens with a particular policy attached

OpenBao organizes the token count by cluster, namespace, and policy. Tokens with more than one policy attached appear in the gauge for each associated policy.

vault.token.count.by_ttl

Metric type | Value | Description
gauge | number | Total number of service tokens assigned a particular time to live (TTL)

OpenBao organizes the token count by cluster, namespace, and the TTL range assigned at creation.

vault.token.create_root

Metric type | Value | Description
counter | number | Number of root tokens created

The vault.token.create_root metric counts the total number of root tokens created over time, not the number of root tokens currently in use. As a result, the value of vault.token.create_root does not decrease when a root token is revoked.
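
Because the counter is cumulative, a monitor has to compare consecutive samples rather than read the absolute value. The following is an added example, not OpenBao code: it flags increases in vault.token.create_root and vault.expire.lease_expiration.error and a non-zero vault.expire.num_irrevocable_leases. The sample values, the helper names, and the rule that a drop in a counter means a server restart are assumptions made for the example.

```python
# Added example, not OpenBao code. Metric names come from this page;
# every sample value below is constructed.

# Cumulative counters: report any increase between consecutive samples.
COUNTERS = ("vault.token.create_root", "vault.expire.lease_expiration.error")
# Gauges: report whenever the current value is above zero.
NONZERO_GAUGES = ("vault.expire.num_irrevocable_leases",)


def counter_delta(prev, curr):
    """Increase of a cumulative counter between two samples.

    Assumption: a drop (curr < prev) means the server restarted and the
    counter began again at zero, so all of curr happened since the reset.
    """
    if prev is None:
        return 0  # first sample is only a baseline
    return curr if curr < prev else curr - prev


def evaluate(samples):
    """Return (sample_index, metric, detail) findings for a list of samples."""
    findings, last = [], {}
    for i, sample in enumerate(samples):
        for name in COUNTERS:
            if name in sample:
                delta = counter_delta(last.get(name), sample[name])
                if delta > 0:
                    findings.append((i, name, f"+{delta}"))
                last[name] = sample[name]
        for name in NONZERO_GAUGES:
            if sample.get(name, 0) > 0:
                findings.append((i, name, f"={sample[name]}"))
    return findings


def make_sample(root, errors, irrevocable):
    """Build one constructed sample keyed by metric name."""
    return {COUNTERS[0]: root, COUNTERS[1]: errors, NONZERO_GAUGES[0]: irrevocable}


SAMPLES = [
    make_sample(2, 0, 0),  # baseline
    make_sample(2, 0, 0),  # a root token was revoked: counter unchanged
    make_sample(3, 1, 0),  # one root token created, one expiration error
    make_sample(1, 0, 4),  # restart, then one root token; 4 irrevocable leases
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLES):
        print(finding)
```

The first sample only sets the baseline, so root tokens created before monitoring started are not reported.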

vault.token.create

Metric type | Value | Description
summary | ms | Time required to create a token in OpenBao

vault.token.createAccessor

Metric type | Value | Description
summary | ms | Time required to create a token accessor in OpenBao

vault.token.creation

Metric type | Value | Description
counter | number | Number of service or batch tokens created

OpenBao organizes the creation count by cluster, namespace, authentication method, mount point, time to live (TTL), and token type.

vault.token.lookup

Metric type | Value | Description
summary | ms | Time required to look up a token in OpenBao

vault.token.revoke-tree

Metric type | Value | Description
summary | ms | Time required to fully revoke a token tree in OpenBao

vault.token.revoke

Metric type | Value | Description
summary | ms | Time required to revoke a token in OpenBao

vault.token.store

Metric type | Value | Description
summary | ms | Time required to store an updated token entry without writing to the secondary index