# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
app_url: "https://www.vaultproject.io/"
short_name: Vault
long_name: Hashicorp Vault
logo_path: /stackdriver/images/integrations/vault.png # supplied by google technical writer
description: |-
Vault is an identity-based secrets and encryption management system.
This integration collects Vault's audit logs. The integration also collects
token, memory, and storage metrics.
configure_integration: |-
To collect telemetry from your Vault instance, you must set the
`prometheus_retention_time` field to a non-zero value in your HCL or
JSON Vault configuration file.
<pre>
# Full configuration options: https://www.vaultproject.io/docs/configuration
telemetry {
prometheus_retention_time = "10m"
disable_hostname = false
}
</pre>
Additionally, a root token is required to enable audit-log collection and to
create a prometheus-metrics ACL policy.
The root token is used to add a policy that grants only the `read` capability on the
`/sys/metrics` endpoint.
This policy is then used to create a least-privilege Vault token with sufficient permission to collect Vault metrics;
use that token, not the root token, in the Ops Agent configuration.
Once setup is complete, revoke the root token (for example `vault token revoke -self`
while it is the active token) and protect, then delete, any file that holds the unseal
key or root token (such as `.vault-init` in the script below).
If you are initializing Vault for the first time, then you can use the
following script to generate a root token. Otherwise, see [Generate Root Tokens
Using Unseal Keys](https://developer.hashicorp.com/vault/tutorials/operations/generate-root) for information about generating a root token.
```bash
export VAULT_ADDR=http://localhost:8200
# NOTE: plain http:// is only appropriate for a listener with TLS disabled (for
# example a local test instance). With TLS enabled use https:// and set VAULT_CACERT.
# The files written below hold the unseal key, the root token and the metrics
# token in plaintext; make them readable by this user only.
umask 077
# Create simple Vault initialization with 1 key share and a key threshold of 1.
# A single share and threshold is for test setups only; production deployments
# should use several key shares with a threshold greater than 1.
vault operator init -key-shares=1 -key-threshold=1 | head -n3 | cat > .vault-init
VAULT_KEY=$(grep 'Unseal Key 1' .vault-init | awk '{print $NF}')
VAULT_TOKEN=$(grep 'Initial Root Token:' .vault-init | awk '{print $NF}')
export VAULT_TOKEN
vault operator unseal $VAULT_KEY
# Enable audit logs. The Vault process must be able to write this file and the
# Ops Agent must be able to read it.
vault audit enable file file_path=/var/log/vault_audit.log
# Create Prometheus ACL policy that grants read access to the metrics endpoint only.
vault policy write prometheus-metrics - << EOF
path "/sys/metrics" {
capabilities = ["read"]
}
EOF
# Create an example token with the prometheus-metrics policy to access Vault metrics.
# This token is used as `$VAULT_TOKEN` in your Ops Agent configuration for Vault.
# The token expires at the end of its TTL unless renewed; for long-running
# collection consider a periodic token (`-period`). After this step, revoke the
# root token and delete .vault-init.
vault token create -field=token -policy prometheus-metrics > prometheus-token
```
supported_operating_systems: linux
platforms_to_skip:
# Vault is not supported on various distros.
- ubuntu-os-cloud:ubuntu-2410-amd64 # Possible support in the future
- ubuntu-os-cloud:ubuntu-minimal-2410-amd64 # Possible support in the future
- ubuntu-os-cloud:ubuntu-2410-arm64 # Possible support in the future
- ubuntu-os-cloud:ubuntu-minimal-2410-arm64 # Possible support in the future
supported_app_version: ["1.6+"]
expected_metrics:
- type: workload.googleapis.com/vault.core.request.count
kind: GAUGE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: cluster
value_regex: .*
- type: workload.googleapis.com/vault.core.leader.duration
optional: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: DOUBLE
- type: workload.googleapis.com/vault.token.lease.count
optional: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: INT64
- type: workload.googleapis.com/vault.token.count
optional: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: namespace
value_regex: .*
- name: cluster
value_regex: .*
- type: workload.googleapis.com/vault.token.revoke.time
optional: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: INT64
- type: workload.googleapis.com/vault.token.renew.time
optional: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: INT64
- type: workload.googleapis.com/vault.audit.request.failed
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
- type: workload.googleapis.com/vault.audit.response.failed
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
- type: workload.googleapis.com/vault.memory.usage
representative: true
kind: GAUGE
monitored_resources: [gce_instance]
value_type: DOUBLE
- type: workload.googleapis.com/vault.storage.operation.put.time
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: DOUBLE
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.delete.time
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: DOUBLE
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.list.time
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: DOUBLE
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.get.time
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: DOUBLE
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.put.count
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.delete.count
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.list.count
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: storage
value_regex: .*
- type: workload.googleapis.com/vault.storage.operation.get.count
optional: true
kind: CUMULATIVE
monitored_resources: [gce_instance]
value_type: INT64
labels:
- name: storage
value_regex: .*
expected_logs:
- log_name: vault_audit
fields:
- name: jsonPayload.auth
type: struct
description: ''
optional: true
- name: jsonPayload.request
type: struct
description: ''
- name: jsonPayload.response
type: struct
description: ''
optional: true
- name: jsonPayload.auth.token_type
value_regex: default
type: string
description: ''
optional: true
- name: jsonPayload.request.namespace.id
value_regex: root
type: string
description: ''
optional: true
- name: jsonPayload.request.path
value_regex: sys\/audit\/test
type: string
description: The requested Vault path for operation.
optional: true
- name: jsonPayload.request.operation
value_regex: update
type: string
description: "This is the type of operation which corresponds to path capabilities and is expected to be one of: `create`, `read`, `update`, `delete`, or `list`."
optional: true
- name: jsonPayload.type
value_regex: request
type: string
description: The type of audit log.
optional: true
- name: jsonPayload.error
type: string
description: If an error occurred with the request, the error message is included in this field's value.
optional: true
- name: jsonPayload.auth.client_token
type: string
description: This is an HMAC of the client's token ID.
optional: true
- name: jsonPayload.auth.accessor
type: string
description: This is an HMAC of the client token accessor.
optional: true
- name: jsonPayload.auth.display_name
type: string
description: This is the display name set by the auth method role or explicitly at secret creation time.
optional: true
- name: jsonPayload.auth.policies
type: object
description: This will contain a list of policies associated with the client_token.
optional: true
- name: jsonPayload.auth.metadata
type: object
description: This will contain a list of metadata key/value pairs associated with the client_token.
optional: true
- name: jsonPayload.auth.entity_id
type: string
description: This is a token entity identifier.
optional: true
- name: jsonPayload.request.id
type: string
description: This is the unique request identifier.
optional: true
- name: jsonPayload.request.client_token
type: string
description: This is an HMAC of the client's token ID.
optional: true
- name: jsonPayload.request.client_token_accessor
type: string
description: This is an HMAC of the client token accessor.
optional: true
- name: jsonPayload.request.data
type: object
description: The request data as key/value pairs. By default Vault HMACs sensitive values in audit entries; if the audit device is configured to log raw values (`log_raw=true`), this field can contain plaintext secrets, so treat the audit log as sensitive data.
optional: true
- name: jsonPayload.request.policy_override
type: boolean
description: This is `true` when a soft-mandatory policy override was requested.
optional: true
- name: jsonPayload.request.remote_address
type: string
description: The IP address of the client making the request.
optional: true
- name: jsonPayload.request.wrap_ttl
type: string
description: If the token is wrapped, this displays configured wrapped TTL value as numeric string.
optional: true
- name: jsonPayload.request.headers
type: object
description: Additional HTTP headers specified by the client as part of the request.
optional: true
- name: jsonPayload.response.data.creation_time
type: string
description: RFC 3339 format timestamp of the token's creation.
optional: true
- name: jsonPayload.response.data.creation_ttl
type: string
description: Token creation TTL in seconds.
optional: true
- name: jsonPayload.response.data.expire_time
type: string
description: RFC 3339 format timestamp representing the moment this token will expire.
optional: true
- name: jsonPayload.response.data.explicit_max_ttl
type: string
description: Explicit token maximum TTL value as seconds ("0" when not set).
optional: true
- name: jsonPayload.response.data.issue_time
type: string
description: RFC 3339 format timestamp.
optional: true
- name: jsonPayload.response.data.num_uses
type: number
description: If the token is limited to a number of uses, that value will be represented here.
optional: true
- name: jsonPayload.response.data.orphan
type: boolean
description: Boolean value representing whether the token is an orphan.
optional: true
- name: jsonPayload.response.data.renewable
type: boolean
description: Boolean value representing whether the token is renewable.
optional: true
- name: jsonPayload.response.data.id
type: string
description: This is the unique response identifier.
optional: true
- name: jsonPayload.response.data.path
type: string
description: The requested Vault path for operation.
optional: true
- name: jsonPayload.response.data.policies
type: object
description: This will contain a list of policies associated with the client_token.
optional: true
- name: jsonPayload.response.data.accessor
type: string
description: This is an HMAC of the client token accessor.
optional: true
- name: jsonPayload.response.data.display_name
type: string
description: This is the display name set by the auth method role or explicitly at secret creation time.
optional: true
- name: jsonPayload.response.data.entity_id
type: string
description: This is a token entity identifier.
optional: true
- name: severity
type: string
description: ''
configuration_options:
logs:
- type: vault_audit
fields:
- name: type
default: null
description: The value must be `vault_audit`.
- name: include_paths
default: null
description: A list of filesystem paths to read by tailing each file. A wildcard (`*`) can be used in the paths.
- name: exclude_paths
default: null
description: A list of filesystem path patterns to exclude from the set matched by `include_paths`.
- name: record_log_file_path
default: false
description: If set to `true`, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the `agent.googleapis.com/log_file_path` label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
- name: wildcard_refresh_interval
default: 60s
description: The interval at which wildcard file paths in `include_paths` are refreshed. Given as a [time duration](https://pkg.go.dev/time#ParseDuration), for example `30s` or `2m`. This property might be useful under high logging throughputs where log files are rotated faster than the default interval.
metrics:
- type: vault
fields:
- name: type
default: null
description: This value must be `vault`.
- name: endpoint
default: localhost:8200
description: The 'hostname:port' used by Vault.
- name: token
default: null
description: Vault token used for authentication to the metrics endpoint. Use a token bound to a least-privilege policy (for example the `prometheus-metrics` policy, which grants only `read` on `/sys/metrics`), never a root token. The token is stored in plaintext in the agent configuration file, so restrict access to that file.
- name: metrics_path
default: /v1/sys/metrics
description: The path for metrics collection.
- name: collection_interval
default: 60s
description: A [time duration](https://pkg.go.dev/time#ParseDuration) value, such as `30s` or `5m`.
- name: insecure
default: true
description: Sets whether or not to use a secure TLS connection. If set to `false`, then TLS is enabled. With the default `true`, the agent connects over plaintext HTTP and the token is sent unencrypted in the request header; set it to `false` whenever the Vault listener has TLS enabled.
- name: insecure_skip_verify
default: false
description: Sets whether or not to skip verifying the server certificate. If `insecure` is set to `true`, then the `insecure_skip_verify` value is not used. Setting this to `true` disables certificate validation and exposes the connection, including the token, to interception; prefer supplying the issuing CA with `ca_file`.
- name: cert_file
default: null
description: Path to the TLS certificate to use for mTLS-required connections.
- name: key_file
default: null
description: Path to the TLS key to use for mTLS-required connections.
- name: ca_file
default: null
description: Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA.
minimum_supported_agent_version:
logging: 2.18.1
metrics: 2.18.2
public_url: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/third-party/vault