Adin Hodovic
vault-monitoring-with-prometheus-and-grafana-overview-1

Vault Monitoring with Prometheus and Grafana

Published on May 21, 2026, 12:00 UTC 4 minutes New!

Vault is usually on the critical path for database credentials, PKI, application secrets, and service authentication. If Vault is sealed, has no active node, or starts returning 5xx responses, applications can fail in ways that are hard to debug from the application side. This post covers scraping Vault metrics with Prometheus and monitoring them with Grafana using the vault-mixin.

The mixin can be found on GitHub. It contains one Grafana dashboard and a set of Prometheus alerts:

  • Vault Overview - A dashboard that provides an overview of Vault health, request rates, Raft state, tokens, audit logs, and Go runtime metrics.

Issues and feedback are welcome in the GitHub repository.

Prerequisites

The mixin assumes that Prometheus is scraping Vault's metrics endpoint. Vault exposes Prometheus metrics on /v1/sys/metrics?format=prometheus on the API port, which is 8200 by default.

Enable unauthenticated metrics access in the Vault config so Prometheus can scrape the endpoint:

telemetry {
  unauthenticated_metrics_access = true
}

If you're using the prometheus-operator, a ServiceMonitor can look like this:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: vault
  namespace: vault
  labels:
    app.kubernetes.io/name: vault
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
  endpoints:
    - port: http
      path: /v1/sys/metrics
      params:
        format: ["prometheus"]
      scheme: http
      interval: 30s
      scrapeTimeout: 10s
      metricRelabelings:
        - sourceLabels: [cluster]
          targetLabel: exported_cluster
          action: replace
        - regex: ^cluster$
          action: labeldrop

The relabeling is useful in multi-cluster Prometheus setups. Vault emits a cluster label set to its internal cluster_name. If Prometheus also injects an external cluster label, the labels collide. The example above keeps Vault's internal value as exported_cluster.

Some panels require Vault telemetry gauges that are only emitted when the related Vault features are configured. Token breakdown panels require token usage gauge collection, and audit panels require Vault audit telemetry metrics.

Grafana dashboards

Vault Overview

The Grafana dashboard provides an overview of Vault. It includes the following rows:

  • Filters - Allows us to filter by cluster, namespace, job, Vault cluster, Vault namespace, and instance.
  • Summary - Displays unsealed nodes, total nodes, scrape health, active leases, irrevocable leases, and in-flight requests.
  • Responses - Shows response rate by status type and the Vault response success rate.
  • Mounts - Shows mount table entries and mount table size by type.
  • Cluster - Displays active node state, Autopilot health, failure tolerance, replication status, leadership changes, Raft commit latency, Raft apply rate, and peer indexes.
  • Raft storage - Displays BoltDB page usage, free pages, write count, and write time by database.
  • Requests - Shows request rate, login request rate, and request latency.
  • Tokens - Displays available tokens, tokens by auth method, and token operations.
  • Audit - Shows audit request and response rates, alongside audit logging failures.
  • Runtime - Displays Go runtime and process metrics such as memory, goroutines, GC, allocations, CPU, open file descriptors, and cache hit rate.

vault-overview

The runtime row is intentionally small. If you want a deeper view into Go runtime internals, pair this dashboard with the Go / Overview dashboard from the go-mixin project.

Alerts

Alerts are trickier to get right for a generic use case, however they're still provided by the vault-mixin. You can configure alerts using the config.libsonnet file in the repository. If you're familiar with Jsonnet, customizing these alerts is straightforward. The alerts can be found on GitHub, and I'll add a description for the alerts below.

  • VaultSealed - Alerts when a Vault instance is sealed. This is a critical alert because the instance cannot serve normal secret operations until it is unsealed.
  • VaultTooManyInfinityTokens - Alerts when an instance has more than three non-expiring tokens for five minutes. Long-lived tokens are sometimes needed, but they should be rare and easy to account for.
  • VaultAutopilotUnhealthy - Alerts when Vault Autopilot reports an unhealthy state for five minutes. This usually points to Raft cluster health problems.
  • VaultNoActiveNode - Alerts when a Vault cluster has no active node for five minutes. Without an active node, the cluster cannot handle normal requests.
  • VaultLowResponseSuccessRate - Alerts when fewer than 95% of Vault responses are non-5xx responses and the instance is returning more than one 5xx response per second. This helps avoid alerting on a single failed request.
  • VaultRaftFSMPendingHigh - Alerts when a Raft peer has more than 100 pending FSM operations for five minutes. A growing pending queue can mean Raft is falling behind.
  • VaultAuditFailures - Alerts when Vault audit request or response logging failures occur for five minutes. Audit logging failures should be treated seriously because Vault audit logs are often required for incident response and compliance.
grafana jsonnet kubernetes mixin monitoring vault

Related Posts

October 27, 2024 6 minutes

Configuring VPA to Use Historical Metrics for Recommendations and Expose Them in Kube-state-metrics

The Vertical Pod Autoscaler (VPA) can manage both your pods' resource requests but also recommend what the limits and requests for a pod should be. Recently, the kube-state-metrics project removed built-in support for VPA recommendation metrics, which made the VPA require additional configuration to be valuable. This blog post will cover how to configure the VPA to expose the recommendation metrics and how to visualize them in Grafana.

grafana jsonnet kube-state-metrics kubernetes mixin monitoring prometheus vpa
November 18, 2024 6 minutes

Configuring Kube-prometheus-stack Dashboards and Alerts for K3s Compatibility

The kube-prometheus-stack Helm chart, which deploys the kubernetes-mixin, is designed for standard Kubernetes setups, often pre-configured for specific cloud environments. However, these configurations are not directly compatible with k3s, a lightweight Kubernetes distribution. Since k3s lacks many of the default cloud integrations, issues arise, such as missing metrics, broken graphs, and unavailable endpoints (example issue). This blog post will guide you through adapting the kube-prometheus-stack Helm chart and the kubernetes-mixin to work seamlessly in k3s environments, ensuring functional dashboards and alerts tailored to k3s.

grafana jsonnet k3s kubernetes mixin monitoring prometheus
August 20, 2025 5 minutes

KEDA Monitoring With Prometheus and Grafana

KEDA is a tool that provides event-driven autoscaling for Kubernetes, allowing you to scale your applications based on external metrics. It uses the Kubernetes Horizontal Pod Autoscaler (HPA) to adjust the number of pods in a deployment based on metrics like CPU usage, memory usage, or custom metrics from external sources. It also supports scaling based on event sources like message queues, databases as a job and defines a new Custom Resource Definition (CRD) called ScaledJob to configure the scaling behavior. Monitoring KEDA effectively is crucial to ensure that your autoscaling policies are working as expected and that your applications are performing optimally.

autoscaling grafana jsonnet keda kubernetes mixin monitoring prometheus