Monitoring Hashicorp Vault Requests with Datadog
The paid for version of Hashicorp Vault is licensed on a per-request basis. As a FOSS user salivating over their enterprise feature sets, it’s good to know what I’m getting into heading into negotiations.
Thankfully Datadog recently released a Hashicorp Vault intergration!…but it doesn’t support the request counter endpoint (feature request has been submitted). :( This is understandable as the endpoint was only released with the 1.x releases and hasn’t been formally documented yet.
Unlike the status/health endpoints the counters endpoint is authenticated/authorized, so you’ll need to apply the following policy and provision a token.
> vault policy read datadog-agent
path "sys/internal/counters/requests" {
capabilities = ["read", "list"]
}
Once you’ve provisioned a token drop the following file off in /etc/datadog-agent/checks.d/custom_vault.py
:
https://github.com/HireVue/hv-datadog-plugins/blob/master/vault/hv_vault.py
Create a config file in /etc/datadog-agent/conf.d/custom_vault.d/custom_vault.yaml
containing the following:
At this point you are ready to start graphing your vault requests:
Note: It is worth noting that querying the health/status/requests with the datadog increments your request count, which gets charged against your monthly total requests. Nothing is free.