Vault
Telemetry
If you enable metrics, the vault-kube-kms process exposes Prometheus-compatible
metrics on the /metrics endpoint. You can configure the endpoint using the
metrics and telemetry parameters
for the vault-kube-kms process.
Vault does not store Kubernetes key management metrics. You can only access
your Kubernetes metrics through the /metrics endpoint of the vault-kube-kms
process. Your Vault server does not have access to that information.
rpc_server_duration_milliseconds
| Metric type | Value | Description |
|---|---|---|
| histogram | milliseconds | Measures the duration of inbound gRPC requests handled by the vault-kube-kms process. |
The vault-kube-kms process emits this metric per gRPC method and status code.
Common labels:
- `le` – Upper bound of the latency bucket (in milliseconds). The bucket includes all observations with a duration less than or equal to this value.
- `rpc_service` – gRPC service name (for example, `v2.KeyManagementService`)
- `rpc_method` – gRPC method name (for example, `Encrypt`, `Decrypt`, `Status`)
- `rpc_grpc_status_code` – gRPC status code for the response (`0` = OK; non-zero indicates an error)
Prometheus exports histograms as three related time series:
- `rpc_server_duration_milliseconds_bucket` – Cumulative counts of calls whose duration fell within each bucket.
- `rpc_server_duration_milliseconds_sum` – Sum of observed durations across all calls (used to compute averages).
- `rpc_server_duration_milliseconds_count` – Total number of calls observed (how many times the RPC was handled).
Use rpc_server_duration_milliseconds_count to measure RPC volume, and
rpc_server_duration_milliseconds_bucket to compute latency percentiles.
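The following added example (not part of the original documentation or the vault-kube-kms code) parses a constructed `/metrics` scrape and derives the share of non-OK responses for one gRPC method from the `_count` series and a latency quantile from the cumulative `_bucket` series, interpolating linearly within a bucket as PromQL's `histogram_quantile` does. The sample values and the function names `samples`, `error_ratio` and `quantile` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /metrics output (not captured from a real deployment).
SAMPLE = """\
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="0",le="5"} 60
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="0",le="25"} 98
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="0",le="+Inf"} 100
rpc_server_duration_milliseconds_count{rpc_method="Encrypt",rpc_grpc_status_code="0"} 100
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="14",le="5"} 0
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="14",le="25"} 2
rpc_server_duration_milliseconds_bucket{rpc_method="Encrypt",rpc_grpc_status_code="14",le="+Inf"} 5
rpc_server_duration_milliseconds_count{rpc_method="Encrypt",rpc_grpc_status_code="14"} 5
"""
BASE = "rpc_server_duration_milliseconds"
SAMPLE_LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="([^"]*)"')

def samples(text, series, method):
    """Yield (labels, value) for one derived series, filtered by rpc_method."""
    for line in text.splitlines():
        m = SAMPLE_LINE.match(line.strip())
        if m and m.group(1) == f"{BASE}_{series}":
            labels = dict(LABEL.findall(m.group(2)))
            if labels.get("rpc_method") == method:
                yield labels, float(m.group(3))

def error_ratio(text, method):
    """Share of calls to `method` that returned a non-zero gRPC status code."""
    rows = list(samples(text, "count", method))
    total = sum(v for _, v in rows)
    failed = sum(v for l, v in rows if l.get("rpc_grpc_status_code") != "0")
    return failed / total if total else 0.0

def quantile(text, method, q):
    """Estimate the q-quantile in ms from cumulative buckets (linear interpolation)."""
    cum = defaultdict(float)  # le bound -> cumulative count over all status codes
    for labels, value in samples(text, "bucket", method):
        cum[float(labels["le"])] += value
    bounds = sorted(cum)
    if not bounds or cum[bounds[-1]] == 0:
        return None
    rank, lower, below = q * cum[bounds[-1]], 0.0, 0.0
    for le in bounds:
        if cum[le] >= rank and cum[le] > below:
            if le == float("inf"):
                return lower  # no upper bound to interpolate to; report last finite bound
            return lower + (le - lower) * (rank - below) / (cum[le] - below)
        lower, below = le, cum[le]
```

The series are cumulative since the process started, so a ratio or quantile over a time window needs the difference between two scrapes rather than a single one.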
vso_client_operations_total
| Metric type | Value | Description |
|---|---|---|
| counter | operations | Counts successful Vault client operations performed by the vault-kube-kms process. |
This metric tracks successful operations made to Vault as part of handling KMS requests (for example, logging in, reading configuration/state, renewing credentials, and performing cryptographic operations).
Common labels:
- `operation` – Operation name (for example, `login`, `read`, `renew`, `write`)
- `vault_connection` – Vault connection identifier
vso_client_operations_errors_total
| Metric type | Value | Description |
|---|---|---|
| counter | errors | Counts failed Vault client operations performed by the vault-kube-kms process. |
Use this metric to alert on failures contacting Vault or performing Transit operations.
Common labels:
- `operation` – Operation name (for example, `login`, `read`, `renew`, `write`)
- `vault_connection` – Vault connection identifier
vso_client_operations_time_seconds
| Metric type | Value | Description |
|---|---|---|
| histogram | seconds | Measures the duration of Vault client operations performed by the vault-kube-kms process. |
This metric helps identify latency introduced by Vault interactions (authentication, token renewal, reads, and writes/Transit operations).
Prometheus also emits the standard derived series for histograms:
- `vso_client_operations_time_seconds_bucket`
- `vso_client_operations_time_seconds_sum`
- `vso_client_operations_time_seconds_count`
Common labels:
- `operation` – Operation name (for example, `login`, `read`, `renew`, `write`)
- `vault_connection` – Vault connection identifier