Introduction
There are a few options to obtain the total count of leases in Vault.
- Using telemetry metrics
- Using the API
- Using the vault list command
In general, telemetry metrics are the most convenient option if telemetry has already been set up. Listing and lookup, using either the API or the vault list command, is another quick way to obtain the total count of leases in Vault.
This article will present all three options in detail.
Procedure
- Using telemetry metrics:
- Useful telemetry metrics for obtaining the total count of leases in Vault include the following: vault.expire.num_leases, vault.expire.lease_expiration, vault.expire.revoke, vault.expire.register, vault.token.count, vault.token.count.by_ttl, vault.token.count.by_auth, vault.token.revoke, vault.token.store
- For a full list of telemetry metrics related to Vault, please visit the telemetry docs. Note that telemetry from Vault must be stored in metrics aggregation software. You may refer to the Monitor Telemetry & Audit Device Log Data tutorial to consume operational telemetry metrics for monitoring and alerting.
- Using the API:
- Use the API endpoint /sys/leases/lookup/:prefix to perform listing and lookup, for example:
# List all mount sections you'll need to inspect
curl -s -X LIST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/sys/leases/lookup"
# "data": {
# "keys": [
# "token/"
# For auth type mounts list all of them needing to be checked:
curl -s -X LIST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/sys/leases/lookup/auth/token"
# "data": {
# "keys": [
# "create/"
curl -s -X LIST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/sys/leases/lookup/auth/token/create"
# "data": {
# "keys": [
# "h7c907a7ad318a0da046601cba7f7a9fcbec47009e6db09bc55a4b3690130fbaa
# Using jq to get a count for the above token-auth path
curl -s -X LIST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/sys/leases/lookup/auth/token/create" | jq -r ".data.keys[]" | wc -l
- You may expand the above into a for-loop that covers all of your mounts.
- Using the vault list command:
- Use the vault list command to perform listing and lookup, for example:
# List all mount sections you'll need to inspect
vault list sys/leases/lookup
# Keys
# ----
# auth/
# For auth type mounts list all of them needing to be checked:
vault list sys/leases/lookup/auth/token
# Keys
# ----
# create/
vault list sys/leases/lookup/auth/token/create
# Keys
# ----
# h7c907a7ad318a0da046601cba7f7a9fcbec47009e6db09bc55a4b3690130fbaa
# Parse the result for the above token-auth path
vault list sys/leases/lookup/auth/token/create | tail -n +3 | wc -l
- You may expand the above into a for-loop that covers all of your mounts.
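The loop over all mounts suggested in both the API and vault list procedures can be written as a recursive walk over sys/leases/lookup. The script below is an added example, not part of the original article; the function names and the LIST_KEYS override are illustrative, and demo_list_keys is a constructed sample tree for an offline dry run.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): count leases under every
# mount by walking sys/leases/lookup recursively. Names are illustrative.

# Default lister: the same LIST call used in the API procedure. Prints one key
# per line and nothing when the prefix has no entries.
vault_list_keys() {
  local url="${VAULT_ADDR}/v1/sys/leases/lookup"
  if [ -n "$1" ]; then url="${url}/${1%/}"; fi
  curl -s -X LIST -H "X-Vault-Token: ${VAULT_TOKEN}" "$url" | jq -r '.data.keys[]?'
}

# Constructed sample tree for an offline dry run (LIST_KEYS=demo_list_keys).
demo_list_keys() {
  case "$1" in
    "")                       printf 'auth/\ndatabase/\n' ;;
    auth/)                    printf 'token/\n' ;;
    auth/token/)              printf 'create/\n' ;;
    auth/token/create/)       printf 'lease-a\nlease-b\nlease-c\n' ;;
    database/)                printf 'creds/\n' ;;
    database/creds/)          printf 'readonly/\n' ;;
    database/creds/readonly/) printf 'lease-d\nlease-e\n' ;;
  esac
}

# Name of the function used to list keys under a prefix.
LIST_KEYS="${LIST_KEYS:-vault_list_keys}"

# Print the parent prefix of every lease under $1, one line per lease.
# Keys ending in "/" are sub-prefixes to descend into; others are lease IDs.
walk_leases() {
  local prefix="$1" key
  "$LIST_KEYS" "$prefix" </dev/null | while IFS= read -r key; do
    case "$key" in
      */) walk_leases "${prefix}${key}" ;;
      ?*) printf '%s\n' "$prefix" ;;
    esac
  done
}

# Per-prefix lease counts, one "COUNT PREFIX" line per prefix holding leases.
lease_counts() { walk_leases "${1:-}" | sort | uniq -c | awk '{print $1, $2}'; }

# Total number of leases under a prefix (default: all mounts).
total_leases() { walk_leases "${1:-}" | wc -l | tr -d '[:space:]'; }
```

With VAULT_ADDR and VAULT_TOKEN set, source the script and run lease_counts or total_leases; listing sys/leases/lookup requires a token with sudo capability on that path.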