Skip to content

Metrics

Secret Agent publishes metrics to a Prometheus endpoint and to the log ticker.

Prometheus configuration

To expose a Prometheus metrics endpoint, configure the HTTP or HTTPS service in the Secret Agent configuration file:

service:
  http:
    endpoint: 0.0.0.0:8080
    metrics:
      prometheus: {}

With the default base path, the Prometheus endpoint is at /manage/rest/v1/prometheus (full URL for HTTP: http://localhost:8080/manage/rest/v1/prometheus). You can set a custom base path with service.http.metrics.prometheus.url-base-path or service.https.metrics.prometheus.url-base-path. See Configure HTTP and HTTPS for validation rules and examples.

Secret Agent exposes metrics for:

  • Listeners (TCP, UDS)
  • Secret managers (AWS, GCP)

All metrics include a module label whose value identifies the module emitting the metric.

Listener metrics

Metric nameDescriptionModulesType
aerospike_sa_connections_activeNumber of active connectionsTCP, UDSGauge
aerospike_sa_connections_openNumber of opened connectionsTCP, UDSCounter
aerospike_sa_connections_closedNumber of closed connectionsTCP, UDSCounter
aerospike_sa_connections_errNumber of connection errorsTCP, UDSCounter
aerospike_sa_read_errNumber of read errors on connectionsTCP, UDSCounter
aerospike_sa_write_errNumber of write errors on connectionsTCP, UDSCounter
aerospike_sa_tls_errNumber of TLS handshake errorsTCP, UDSCounter
aerospike_sa_parse_errNumber of request parsing errorsTCP, UDSCounter

Secret manager metrics

Metric nameDescriptionModulesType
aerospike_sa_successNumber of successful fetch requestsAWS, GCPCounter
aerospike_sa_fetch_latency_p50p50 latency for fetch requestsAWS, GCPGauge
aerospike_sa_fetch_latency_p95p95 latency for fetch requestsAWS, GCPGauge
aerospike_sa_resource_errNumber of errors from invalid resource names in requestsAWS, GCPCounter
aerospike_sa_fetch_errNumber of errors fetching secrets from the external secret managerAWS, GCPCounter
aerospike_sa_key_not_found_errNumber of errors where the requested key is not found in the secretAWSCounter
aerospike_sa_session_errNumber of errors creating a client session to the external secret managerAWS, GCPCounter
aerospike_sa_role_errNumber of errors assuming a role (AWS) or impersonating (GCP)AWS, GCPCounter

Custom labels

You can add custom labels to Prometheus metrics. Define labels as key-value pairs in the metrics context:

service:
  http:
    endpoint: 0.0.0.0:8080
    metrics:
      prometheus:
        labels:
          label1: val1
          label2: val2

Log ticker

In addition to Prometheus metrics, Secret Agent prints metrics to the log every 10 seconds.

The log ticker format is:

<module name>: <metric1> <val1>, <metric2> <val2>, ...

Example log ticker output:

[INFO] 2023/09/09 11:22:34 metrics.go:65: tcp: connections_active 1, connections_opened 2, connections_closed 1, connections_err 0, read_err 0, write_err 0, tls_err 0, parse_err 0
[INFO] 2023/09/09 11:22:34 metrics.go:65: uds: connections_active 0, connections_opened 0, connections_closed 0, connections_err 0, read_err 0, write_err 0, tls_err 0, parse_err 0
[INFO] 2023/09/09 11:22:34 metrics.go:65: aws: success 2, fetch_latency_p50 38, fetch_latency_p95 108, resource_err 0, fetch_err 0, key_not_found_err 0, session_err 0, role_err 0
Feedback

Was this page helpful?

What type of feedback are you giving?

What would you like us to know?

+Capture screenshot

Can we reach out to you?