“[Vault is a solution to] secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data”, as stated by HashiCorp’s website. In this article we’ll focus on how to monitor HashiCorp Vault.
HashiCorp Vault, first released in 2015, was originally designed to provide a simple way to store tokens, credentials and similar secrets in a secure manner. Furthermore, Vault integrates with many common systems to create and provide temporary credentials.
Vault reference architecture from HashiCorp website
HashiCorp Vault offers a solution to prevent pre-shared and reused secrets, since credentials are requested by the application on-the-fly. In the background Vault can create, manage, and eventually delete the credentials.
Vault is a central management component in many application architectures and an important element in securing access to resources. As you can see in the reference architecture diagram above, HashiCorp Consul is also an important component when running Vault. We won’t discuss Consul in this article, but Instana also monitors Consul.
What’s Important When Monitoring HashiCorp Vault?
Because Vault is a central service, monitoring it is essential. If Vault is performing poorly or throwing errors, it will impact user experience. There are three important elements to monitor: configuration, performance, and health.
Configuring Vault is simple; however, keeping an eye on the deployed versions and (if used) multiple data stores is as important as watching the “sealed” status. When Vault is restarted, it enters a “sealed” state and cannot process requests until it is unsealed.
The performance of Vault has a direct impact on the performance of dependent services when they are waiting for requested credentials or certificates. Therefore, it is important to monitor creation, read, and especially failure counts.
Health metrics are important whether Vault is running standalone, or in HA (High Availability) mode. If the Vault service is not healthy, the dependent applications and services aren’t either.
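As an added example (not from the original article and not Instana's code), the following applies the checks discussed above, namely seal status, a single active node in HA mode, and version consistency, to per-node results shaped like responses from Vault's `/v1/sys/health` endpoint. The node names, version strings and the `evaluate_cluster` helper are constructed for illustration.

```python
from collections import Counter

# Default status codes returned by GET /v1/sys/health (Vault HTTP API).
STATUS_MEANING = {
    200: "active", 429: "standby", 472: "dr-secondary",
    473: "performance-standby", 501: "uninitialized", 503: "sealed",
}

def evaluate_cluster(nodes):
    """nodes: {name: (http_status, body_dict or None)} -> list of findings."""
    findings = []
    states, versions = {}, Counter()
    for name, (status, body) in sorted(nodes.items()):
        if body is None:  # connection failed or timed out
            states[name] = "unreachable"
            findings.append(f"{name}: no response")
            continue
        state = STATUS_MEANING.get(status, f"unknown({status})")
        # Prefer the body over the code: status codes can be remapped by query parameters.
        if body.get("sealed"):
            state = "sealed"
        elif not body.get("initialized", True):
            state = "uninitialized"
        states[name] = state
        if state in ("sealed", "uninitialized") or state.startswith("unknown"):
            findings.append(f"{name}: {state}")
        if body.get("version"):
            versions[body["version"]] += 1
    active = [n for n, s in states.items() if s == "active"]
    if len(active) != 1:  # HA mode expects exactly one active node
        findings.append(f"expected exactly 1 active node, found {len(active)}")
    if len(versions) > 1:  # configuration check: mixed versions in one cluster
        findings.append("version drift: " + ", ".join(sorted(versions)))
    return findings

# Constructed sample: one active node, one sealed after a restart, one on an older version.
SAMPLE = {
    "vault-0": (200, {"initialized": True, "sealed": False, "standby": False, "version": "1.15.2"}),
    "vault-1": (503, {"initialized": True, "sealed": True, "standby": True, "version": "1.15.2"}),
    "vault-2": (429, {"initialized": True, "sealed": False, "standby": True, "version": "1.14.8"}),
}

if __name__ == "__main__":
    for finding in evaluate_cluster(SAMPLE):
        print(finding)
```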
How to Monitor HashiCorp Vault with Instana
By installing the Instana Agent and providing an access token, Instana automatically collects Vault metrics related to health, performance, and configuration at one-second granularity.
That is everything that is required – less than 5 minutes of work!
Instana screenshot of Vault secrets monitoring
If Vault is running inside a Kubernetes or a similar environment, only one Instana Agent is necessary to monitor your Vault service, Kubernetes, and all your other containerized technologies.
Instana screenshot of Vault tokens and leader monitoring
When issues arise, Instana understands how services interact and provides sophisticated insights into the incident. Instana correlates related services and their potential problems together to deliver an overall understanding of the degradation to help you get things functioning properly as fast as possible.
Instana screenshot of Vault audit log and barrier operations monitoring
Instana also understands sudden increases or drops in performance metrics and automatically alerts when an anomaly is detected, which may be caused by excessive service restarts, system intrusion, or other problems.
Getting Started with HashiCorp Vault Monitoring
Just as with every other technology monitored by Instana, HashiCorp Vault monitoring includes automatic and continuous discovery, metrics monitoring, best practice health signatures, and anomaly detection.
Start your Vault performance monitoring journey by signing up for a free 14-day trial of Instana now. You’ll have incredible visibility and understanding of your services in minutes.