There are a few options to obtain the total count of leases in Vault.
- Using telemetry metrics
- Using the API
- Using the vault list command
In general, telemetry metrics are the most convenient option if telemetry has been set up. Listing and lookup through the API or the vault list command is another quick way to obtain the total count of leases in Vault.
This article will present all three options in detail.
Procedure
- Useful telemetry metrics that can help to obtain the total count of leases include:
- For a full list of telemetry metrics related to Vault, please visit the telemetry docs. Note that telemetry from Vault must be stored in metrics aggregation software. You may refer to the Monitor Telemetry & Audit Device Log Data tutorial to consume operational telemetry metrics for monitoring and alerting.
- The API /sys/leases/lookup/:prefix may be used to perform listing and lookup, for example:
# // List all mount sections you'll need to inspect
curl -XLIST -H "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/sys/leases/lookup
# "data": {
# "keys": [
# "token/
# // For auth type mounts list all of them needing to be checked:
curl -XLIST -H "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/sys/leases/lookup/auth/token
# "data": {
# "keys": [
# "create/"
curl -XLIST -H "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/sys/leases/lookup/auth/token/create
# "data":{
# "keys": [
# "h7c907a7ad318a0da046601cba7f7a9fcbec47009e6db09bc55a4b3690130fbaa
# // using JQ to get a count for the above token-auth path
curl -XLIST -H "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/sys/leases/lookup/auth/token/create | jq -r ".data.keys[]" | wc -l
- Expand the above example in a for-loop that covers all of your mounts.
- The vault list command can also be used to perform listing and lookup, for example:
# // List all mount sections you'll need to inspect
vault list sys/leases/lookup
# Keys
# ----
# auth/
# // For auth type mounts list all of them needing to be checked:
vault list sys/leases/lookup/auth/token
# Keys
# ----
# create/
vault list sys/leases/lookup/auth/token/create
# Keys
# ----
# h7c907a7ad318a0da046601cba7f7a9fcbec47009e6db09bc55a4b3690130fbaa
# // Traverse the result from the above token-auth path
vault list sys/leases/lookup/auth/token/create | tail -n +3 | wc -l
- Expand the above in a for-loop that covers all of your mounts.
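One way to write the loop over all mounts that both the API and the vault list steps call for, as an added example that is not part of the original article: a recursive walk of sys/leases/lookup using the vault CLI and jq. The helper names list_keys, count_leases and report_leases are hypothetical and introduced here only for illustration.

```shell
# Added example (not from the article): count leases below sys/leases/lookup.
# Assumes the vault CLI and jq are installed and VAULT_ADDR/VAULT_TOKEN are set.

# list_keys PREFIX: print the keys directly under sys/leases/lookup/PREFIX, one
# per line. Keys ending in "/" are sub-prefixes; all other keys are lease IDs.
list_keys() {
  vault list -format=json "sys/leases/lookup/$1" 2>/dev/null | jq -r '.[]?'
}

# count_leases PREFIX: print the number of leases at or below PREFIX.
# The "( )" body is a subshell, so each recursion level has its own variables.
count_leases() (
  prefix=$1
  total=0
  keys=$(list_keys "$prefix")
  while IFS= read -r key; do
    case $key in
      '') ;;                                              # empty listing
      */) total=$((total + $(count_leases "$prefix$key"))) ;;
      *)  total=$((total + 1)) ;;
    esac
  done <<EOF
$keys
EOF
  echo "$total"
)

# report_leases PREFIX: "count<TAB>path" per entry under PREFIX, then a total.
report_leases() (
  prefix=${1:-}
  sum=0
  keys=$(list_keys "$prefix")
  while IFS= read -r key; do
    case $key in
      '') continue ;;
      */) n=$(count_leases "$prefix$key") ;;
      *)  n=1 ;;
    esac
    printf '%s\t%s\n' "$n" "$prefix$key"
    sum=$((sum + n))
  done <<EOF
$keys
EOF
  printf '%s\ttotal\n' "$sum"
)

# Only contact Vault when an address is configured, e.g. "sh script.sh auth/".
if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  report_leases "${1:-}"
fi
```

Listing under sys/leases/lookup requires a token with the sudo capability on that path. The walk issues one LIST request per prefix, so on a cluster with many leases it is best run against a narrow prefix or outside peak load.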