Monitoring Hashicorp Vault Requests with Datadog

Rocky Olsen
May 21 · 1 min read

The paid for version of Hashicorp Vault is licensed on a per-request basis. As a FOSS user salivating over their enterprise feature sets, it’s good to know what I’m getting into heading into negotiations.

Thankfully Datadog recently released a Hashicorp Vault intergration!…but it doesn’t support the request counter endpoint (feature request has been submitted). :( This is understandable as the endpoint was only released with the 1.x releases and hasn’t been formally documented yet.

Unlike the status/health endpoints the counters endpoint is authenticated/authorized, so you’ll need to apply the following policy and provision a token.

> vault policy read datadog-agent
path "sys/internal/counters/requests" {
capabilities = ["read", "list"]
}

Once you’ve provisioned a token drop the following file off in /etc/datadog-agent/checks.d/custom_vault.py:

https://github.com/HireVue/hv-datadog-plugins/blob/master/vault/hv_vault.py

Create a config file in /etc/datadog-agent/conf.d/custom_vault.d/custom_vault.yaml containing the following:

At this point you are ready to start graphing your vault requests:

Note: It is worth noting that querying the health/status/requests with the datadog increments your request count, which gets charged against your monthly total requests. Nothing is free.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade