Authentication telemetry

Authentication telemetry provides information on authentication-related objects and operations.

Identity metrics

vault.identity.entity.active.monthly

Metric type	Value	Description
gauge	entities	The number of distinct entities (per namespace) that created a token during the past month

Vault reports vault.identity.entity.active.monthly at the start of each month when client counting is enabled.

vault.identity.entity.active.partial_month

Metric type	Value	Description
gauge	entities	The number of distinct entities (per namespace) that created a token during the current month

Vault reports vault.identity.entity.active.partial_month periodically during the month when client counting is enabled.

vault.identity.entity.active.reporting_period

Metric type	Value	Description
gauge	entities	The number of distinct entities (per namespace) that created a token during the configured reporting period

Vault reports vault.identity.entity.active.reporting_period at the start of each month when client counting is enabled.

vault.identity.entity.alias.count

Metric type	Value	Description
gauge	aliases	The number of identity entities aliases (per authN mount) currently stored in Vault

Vault updates the alias count every usage_gauge_period interval.

vault.identity.entity.count

Metric type	Value	Description
gauge	entities	The number of identity entity aliases (per namespace) currently stored in Vault

vault.identity.entity.creation

Metric type	Value	Description
counter	number	The number of identity entities created per namespace

vault.identity.num_entities

Metric type	Value	Description
gauge	entities	The total number of identity entities currently stored in Vault

vault.identity.upsert_entity_txn

Metric type	Value	Description
summary	ms	Time required to upsert an entity to the in-memory database and, on the active node, persist the data to storage

vault.identity.upsert_group_txn

Metric type	Value	Description
summary	ms	Time required to upsert group membership to the in-memory database and, on the active node, persist the data to storage

Lease metrics

vault.expire.fetch-lease-times-by-token

Metric type	Value	Description
summary	ms	Time taken to retrieve lease times by token

vault.expire.fetch-lease-times

Metric type	Value	Description
summary	ms	Time taken to retrieve lease times

vault.expire.job_manager.queue_length

Metric type	Value	Description
summary	leases	The total number of pending revocation jobs by `queue_id`

The queue ID in the queue_id label indicates the mount accessor associated with the expiring lease. For example, the secrets engine or authentication method.

vault.expire.job_manager.total_jobs

Metric type	Value	Description
summary	leases	The total number of pending revocation jobs

vault.expire.lease_expiration

Metric type	Value	Description
counter	number	The number of lease expirations to date

vault.expire.lease_expiration.error

Metric type	Value	Description
counter	number	The total number of lease expiration errors

vault.expire.lease_expiration.time_in_queue

Metric type	Value	Description
summary	ms	Time taken for a lease to get to the front of the revoke queue

vault.expire.leases.by_expiration

Metric type	Value	Description
gauge	leases	The number of leases set to expire, grouped by the configured interval

The relevant time intervals are defined in the telemetry stanza for your Vault server configuration with the following parameters:

lease_metrics_epsilon: 1 hour (default)
num_lease_metrics_buckets: 168 hours (default)
add_lease_metrics_namespace_labels: false (default)

Vault reports the number of leases due to expire every lease_metrics_epsilon interval in the time period current_time + num_lease_metrics_buckets.

vault.expire.num_irrevocable_leases

Metric type	Value	Description
gauge	leases	The number of leases that cannot be automatically revoked

vault.expire.num_leases

Metric type	Value	Description
gauge	leases	The total number of leases eligible for eventual expiry

vault.expire.register-auth

Metric type	Value	Description
summary	ms	Time taken to register leases associated with new service tokens

vault.expire.register

Metric type	Value	Description
summary	ms	Time taken for register operations

vault.expire.renew-token

Metric type	Value	Description
summary	ms	Time taken to renew a token

vault.expire.renew

Metric type	Value	Description
summary	ms	Time taken to renew a lease

vault.expire.revoke-by-token

Metric type	Value	Description
summary	ms	Time taken to revoke all secrets issued with a given token

vault.expire.revoke-force

Metric type	Value	Description
summary	ms	Time taken to forcibly revoke a token

vault.expire.revoke-prefix

Metric type	Value	Description
summary	ms	Time taken to revoke all tokens on a prefix

vault.expire.revoke

Metric type	Value	Description
summary	ms	Time taken to revoke a token

Token metrics

vault.token.count

Metric type	Value	Description
gauge	number	Number of un-expired and un-revoked tokens available for use in the token store

Vault updates the token count every 10 minutes organizes the result by cluster and namespace.

vault.token.count.by_auth

Metric type	Value	Description
gauge	number	Total number of service tokens created by a particular auth method

Vault organizes the token count by cluster, namespace, and authentication method.

vault.token.count.by_policy

Metric type	Value	Description
gauge	number	Total number of service tokens with a particular policy attached

Vault organizes the token count by cluster, namespace, and policy. Tokens with more than one policy attached appear in the gauge for each associated policy.

vault.token.count.by_ttl

Metric type	Value	Description
gauge	number	Total number of service tokens assigned a particular time to live (TTL)

Vault organizes the token count by cluster, namespace, and the TTL range assigned at creation.

vault.token.create_root

Metric type	Value	Description
counter	number	Number of root tokens created

The vault.token.create_root counts the total number of root tokens created over time, not the number of root tokens currently in use. As a result, the value of vault.token.create_root does not decrease when a root token is revoked.

vault.token.create

Metric type	Value	Description
summary	ms	Time required to create a token in Vault

vault.token.createAccessor

Metric type	Value	Description
summary	ms	Time required to create a token accessor in Vault

vault.token.creation

Metric type	Value	Description
counter	number	Number of service or batch tokens created

Vault organizes the creation count by cluster, namespace, authentication method, mount point, time to live (TTL), and token type.

vault.token.lookup

Metric type	Value	Description
summary	ms	Time required to look up a token in Vault

vault.token.revoke-tree

Metric type	Value	Description
summary	ms	Time required to fully revoke a token tree in Vault

vault.token.revoke

Metric type	Value	Description
summary	ms	Time required to revoke a token in Vault

vault.token.store

Metric type	Value	Description
summary	ms	Time required to store an updated token entry without writing to the secondary index