Configure HCP Vault metrics streaming to Amazon CloudWatch

This tutorial covers configuration of HCP Vault metrics streaming to and data visualization in your existing Amazon CloudWatch environment. For details on metrics scope and interpretation, see the HCP Vault Metrics Guidance.

Prerequisites

To configure metrics streaming to Amazon CloudWatch, you will need to have:

• Access to AWS with permission to create IAM policies and users
• An account with Admin or Contributor role assigned in HCP
• A production grade HCP Vault cluster

Configure AWS

To configure HCP Vault metric streaming to Amazon CloudWatch, you must provide an access and secret key for an IAM user assigned permission to CloudWatch.

Create IAM policy

1. Log in to the AWS Management Console and navigate to the IAM Dashboard.

2. Click Policies, then click Create policy.

3. Click the JSON tab and paste the IAM policy into the Policy editor textbox overwriting any sample text.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "HCPMetricStreaming",
               "Effect": "Allow",
               "Action": [
                   "cloudwatch:ListMetrics",
                   "cloudwatch:ListMetricStreams",
                   "cloudwatch:ListTagsForResource",
                   "cloudwatch:PutMetricData",
                   "cloudwatch:PutMetricStream",
                   "cloudwatch:TagResource"
               ],
               "Resource": "*"
           }
       ]
   }
   

   Copy

4. Click Next.

5. Enter hcp-vault-metric-streaming in the Policy name textbox and click Create policy.

Create IAM user

1. From the IAM Dashboard, click Users.

2. Click Add users.

3. Enter hcp-vault-metric-streaming in the User name textbox and click Next.

4. Click the Attach policies directly radio button.

5. Search for the hcp-vault-metric-streaming policy, click the checkbox, and click Next.

   Note

   This tutorial has you attach the policy directly to the IAM user for ease of completing the tutorial.

   The recommended practice is to create an IAM group, attach the policy to the group, and add the user to the group.

6. Click Create user.

7. Click the hcp-vault-metric-streaming user in the Users list.

8. Click the Security credentials tab and click Create access key.

9. Select Application running outside AWS and click Next.

10. Click Create access key.

11. Securely store the Access key and Secret access key values - you will need this to configure metric streaming in the HCP Portal.

Enable metrics streaming

1. From the HCP Vault cluster Overview page, select the Metrics view.

2. If you have not configured metrics streaming before, click Enable streaming.

3. From the Stream Vault metrics view, select Amazon CloudWatch as the provider and click Next.

4. Under Add provider details, enter the Access key ID and Secret access key created in the Create IAM user section, then select the Region that matches your existing CloudWatch environment.

5. Click Save.

   Note

   At this time, HCP Vault only supports metrics streaming to one metrics endpoint at a time.

Edit the metrics streaming configuration

To edit a metrics streaming integration, perform the following steps.

1. From the Metrics page, click on the Manage drop-down, then Edit configuration.

2. Edit the configuration, then click Save.

Disable metrics streaming

To disable a metrics streaming integration, from the Metrics page, click on the Manage drop-down, then Disable streaming.