Microsoft Azure Key Vault
Overview
Azure Key Vault is used to safeguard and manage cryptographic keys and secrets used by cloud applications and services.
Use the Datadog Azure integration to collect metrics from Azure Key Vault.
Setup
Installation
If you haven’t already, set up the Microsoft Azure integration first. There are no other installation steps.
Data Collected
Metrics
| Metric | Type | Description |
|---|---|---|
| azure.keyvault_vaults.service_api_hit | count | Number of total service API hits. Shown as request. |
| azure.keyvault_vaults.service_api_latency | gauge | Overall latency of service API requests. Shown as millisecond. |
| azure.keyvault_vaults.service_api_result | count | Number of total service API results. Shown as response. |
| azure.keyvault_vaults.status | gauge | Status of Azure Key Vault (deprecated). |
| azure.keyvault_vaults.saturation_shoebox | gauge | Vault capacity used. Shown as percent. |
| azure.keyvault_vaults.availability | gauge | Vault requests availability. Shown as percent. |
| azure.keyvault_vaults.count | gauge | The count of all Azure Key Vault resources. |
| azure.keyvault_managedhsms.availability | gauge | Service requests availability. Shown as percent. |
| azure.keyvault_managedhsms.service_api_hit | count | Number of total service API hits. Shown as request. |
| azure.keyvault_managedhsms.service_api_latency | gauge | Overall latency of service API requests. Shown as millisecond. |
Events
Datadog sends credential expiry events, which grant visibility into credential expirations for Azure app registrations, Key Vault keys, Key Vault secrets, and Key Vault certificates. The Azure Key Vault integration must be installed to receive events for Key Vault keys, Key Vault secrets, and Key Vault certificates.
- Expiration events are sent 60, 30, 15, and 1 day(s) before credential expiration, and once after expiration.
- Missing permission events are sent every 15 days. A missing permission event lists the Key Vaults for which Datadog has not been given permissions. If no changes have been made regarding Key Vault permissions in the previous 15-day cycle, the event notification is not sent again.
You can view these events in Event Explorer.
Notes:
- To collect Azure app registration expiration events, enable access to the Microsoft Graph API.
- If a certificate and its associated key and secret expire at the exact same time, one expiration event is sent for all resources.
Service Checks
The Azure Key Vault integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.