This page shows you how to create a dashboard to track metrics related to your
Cloud EKM keys and external key manager connection, such as request
counts and latencies. For more information about these metrics, seecloudkms metrics. For more
information about the dashboard creation process described in the following
sections, seeManaging dashboards by API.
To get the permissions that
you need to create dashboards using the gcloud CLI,
ask your administrator to grant you the
following IAM roles on your project:
These predefined roles contain
the permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are
required, expand theRequired permissionssection:
Required permissions
The following permissions are required to create dashboards using the gcloud CLI:
If successful, this command returns the name of the new channel. Make
note of the notification channel ID; you need it later. The output is
similar to the following:
Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]
NOTIFICATION_CHANNEL_ID: the ID of the notification channel.
LOCATION: the region for which you want to alert on this
metric. If you want to alert regardless of region, omitmetric.labels.ekm_service_region.
LABEL_METHOD: themethodlabel that you want to
alert on—for example,wrap,unwrap,asymmetricSign,checkCryptoSpacePermissions,createKey,getInfo, orgetPublicKey. You can useMetrics Explorerto explore
metric labels.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Monitor EKM usage\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nYou can use Cloud Monitoring to monitor your external key manager (EKM)\nconnection. The following metrics can help you understand your EKM usage:\n\n- `cloudkms.googleapis.com/ekm/external/request_latencies`\n- `cloudkms.googleapis.com/ekm/external/request_count`\n\nThis page shows you how to create a dashboard to track metrics related to your\nCloud EKM keys and external key manager connection, such as request\ncounts and latencies. For more information about these metrics, see\n[cloudkms metrics](/monitoring/api/metrics_gcp_c#gcp-cloudkms). For more\ninformation about the dashboard creation process described in the following\nsections, see\n[Managing dashboards by API](/monitoring/dashboards/api-dashboard).\n\nBefore you begin\n----------------\n\nThe steps on this page assume the following:\n\n- You already have Cloud EKM set up in a project, including an [EKM connection](/kms/docs/create-ekm-connection) and one or more [external keys](/kms/docs/create-external-key).\n\n### Required roles\n\n\nTo get the permissions that\nyou need to create dashboards using the gcloud CLI,\n\nask your administrator to grant you the\nfollowing IAM roles on your project:\n\n- [Monitoring Dashboard Configuration Editor](/iam/docs/roles-permissions/monitoring#monitoring.dashboardEditor) (`roles/monitoring.dashboardEditor`)\n- [Service Usage Consumer](/iam/docs/roles-permissions/serviceusage#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThese predefined roles contain\n\nthe permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are\nrequired, expand the **Required permissions** section:\n\n\n#### Required permissions\n\nThe following permissions are required to create dashboards using the gcloud CLI:\n\n- ` monitoring.dashboards.create `\n- ` monitoring.dashboards.delete `\n- ` monitoring.dashboards.update `\n- ` serviceusage.services.use`\n\n\nYou might also be able to get\nthese permissions\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nCreate a dashboard to monitor your EKM\n--------------------------------------\n\nTo monitor the status of your EKM, create a dashboard that monitors your\nrequest count and latencies:\n\n1. Download the dashboard configuration:\n [`ekm-dashboard.json`](/static/kms/static/ekm-dashboard.json).\n\n2. Create a custom dashboard with the configuration file by running the\n following command:\n\n ```\n gcloud monitoring dashboards create \\\n --config-from-file=ekm-dashboard.json\n ```\n\nView your EKM dashboard\n-----------------------\n\n1. In the Google Cloud console, go to the **Monitoring** page, or use the\n following button:\n\n [Go to Monitoring](https://console.cloud.google.com/monitoring)\n2. Select **Resources \\\u003e Dashboards** and view the dashboard\n named **Cloud KMS EKM**.\n\nCreate an alert policy for EKM metrics\n--------------------------------------\n\nComplete the following steps using the gcloud CLI:\n\n1. Select a notification channel to receive EKM metrics alerts.\n\n - To use an existing notification channel, first view your channels:\n\n ```\n gcloud beta monitoring channels list\n ```\n\n Choose a channel from the list. Make note of the notification channel\n ID; you need it later.\n - To use a new notification channel, create the channel using an email\n address:\n\n ```\n gcloud beta monitoring channels create \\\n --display-name=\"Notification channel for EKM latency alert\" \\\n --description=\"This notification channel receives EKM latency metric alerts\" \\\n --type=email \\\n --channel-labels=email_address=NOTIFICATION_EMAIL\n ```\n\n If successful, this command returns the name of the new channel. Make\n note of the notification channel ID; you need it later. The output is\n similar to the following: \n\n ```\n Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]\n ```\n2. Create an alerting policy using the [`monitoring policies\n create`](/sdk/gcloud/reference/alpha/monitoring/policies/create) command:\n\n gcloud alpha monitoring policies create \\\n --notification-channels=\u003cvar translate=\"no\"\u003eNOTIFICATION_CHANNEL_ID\u003c/var\u003e \\\n --aggregation=' {\"alignmentPeriod\": \"60s\",\"perSeriesAligner\": \"ALIGN_PERCENTILE_99\"}' \\\n --condition-display-name=\"EKM Request Latency \u003e 150ms\" \\\n --condition-filter='resource.type=\"cloudkms.googleapis.com/Project\"\n metric.type=\"cloudkms.googleapis.com/ekm/external/request_latencies\"\n metric.labels.ekm_service_region=\"\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n metric.labels.method=\"\u003cvar translate=\"no\"\u003eLABEL_METHOD\u003c/var\u003e\"' \\\n --duration=\"0s\" \\\n --if=\"\u003e 150\" \\\n --display-name=\"EKM metric latency alert\" \\\n --trigger-count=1 \\\n --combiner='AND'\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eNOTIFICATION_CHANNEL_ID\u003c/var\u003e: the ID of the notification channel.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the region for which you want to alert on this metric. If you want to alert regardless of region, omit `metric.labels.ekm_service_region`.\n - \u003cvar translate=\"no\"\u003eLABEL_METHOD\u003c/var\u003e: the `method` label that you want to alert on---for example, `wrap`, `unwrap`, `asymmetricSign`, `checkCryptoSpacePermissions`, `createKey`, `getInfo`, or `getPublicKey`. You can use **Metrics Explorer** to explore metric labels.\n\nWhat's next\n-----------\n\n- [Explore your data across various metric dimensions using\n Metrics Explorer](/monitoring/charts/metrics-explorer).\n- Optional: Create [alerting policies](/monitoring/alerts)."]]
