Monitor EKM usage

You can use Cloud Monitoring to monitor your external key manager (EKM) connection. The following metrics can help you understand your EKM usage:

• cloudkms.googleapis.com/ekm/external/request_latencies
• cloudkms.googleapis.com/ekm/external/request_count

This page shows you how to create a dashboard to track metrics related to your Cloud EKM keys and external key manager connection, such as request counts and latencies. For more information about these metrics, see cloudkms metrics . For more information about the dashboard creation process described in the following sections, see Managing dashboards by API .

Before you begin

The steps on this page assume the following:

• You already have Cloud EKM set up in a project, including an EKM connection and one or more external keys .

Required roles

To get the permissions that you need to create dashboards using the gcloud CLI, ask your administrator to grant you the following IAM roles on your project:

• Monitoring Dashboard Configuration Editor ( roles/monitoring.dashboardEditor )
• Service Usage Consumer ( roles/serviceusage.serviceUsageConsumer )

For more information about granting roles, see Manage access to projects, folders, and organizations .

These predefined roles contain the permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are required, expand the Required permissionssection:

Required permissions

The following permissions are required to create dashboards using the gcloud CLI:

• monitoring.dashboards.create
• monitoring.dashboards.delete
• monitoring.dashboards.update
• serviceusage.services.use

You might also be able to get these permissions with custom roles or other predefined roles .

Create a dashboard to monitor your EKM

To monitor the status of your EKM, create a dashboard that monitors your request count and latencies:

1. Download the dashboard configuration: ekm-dashboard.json .

2. Create a custom dashboard with the configuration file by running the following command:

   gcloud monitoring dashboards create \
   --config-from-file=ekm-dashboard.json

View your EKM dashboard

1. In the Google Cloud console, go to the Monitoringpage, or use the following button:

   Go to Monitoring

2. Select Resources  > Dashboardsand view the dashboard named Cloud KMS EKM.

Create an alert policy for EKM metrics

Complete the following steps using the gcloud CLI:

1. Select a notification channel to receive EKM metrics alerts.

   • To use an existing notification channel, first view your channels:

     gcloud beta monitoring channels list

     Choose a channel from the list. Make note of the notification channel ID; you need it later.

   • To use a new notification channel, create the channel using an email address:

     gcloud beta monitoring channels create \
     --display-name="Notification channel for EKM latency alert" \
     --description="This notification channel receives EKM latency metric alerts" \
     --type=email \
     --channel-labels=email_address= NOTIFICATION_EMAIL 
     

     If successful, this command returns the name of the new channel. Make note of the notification channel ID; you need it later. The output is similar to the following:

     Created notification channel [projects/ PROJECT_ID 
     /notificationChannels/ NOTIFICATION_CHANNEL_ID 
     ]

2. Create an alerting policy using the monitoring policies create command:

      
   gcloud  
   alpha  
   monitoring  
   policies  
   create  
    \ 
     
   --notification-channels = 
    NOTIFICATION_CHANNEL_ID 
     
    \ 
     
   --aggregation = 
    ' {"alignmentPeriod": "60s","perSeriesAligner": "ALIGN_PERCENTILE_99"}' 
     
    \ 
     
   --condition-display-name = 
    "EKM Request Latency > 150ms" 
     
    \ 
     
   --condition-filter = 
    'resource.type="cloudkms.googleapis.com/Project" 
    metric.type="cloudkms.googleapis.com/ekm/external/request_latencies" 
    metric.labels.ekm_service_region=" LOCATION 
   " 
    metric.labels.method=" LABEL_METHOD 
   "' 
     
    \ 
     
   --duration = 
    "0s" 
     
    \ 
     
   --if = 
    "> 150" 
     
    \ 
     
   --display-name = 
    "EKM metric latency alert" 
     
    \ 
     
   --trigger-count = 
    1 
     
    \ 
     
   --combiner = 
    'AND' 
    
   

   Replace the following:

   • NOTIFICATION_CHANNEL_ID : the ID of the notification channel.
   • LOCATION : the region for which you want to alert on this metric. If you want to alert regardless of region, omit metric.labels.ekm_service_region .
   • LABEL_METHOD : the method label that you want to alert on—for example, wrap , unwrap , asymmetricSign , checkCryptoSpacePermissions , createKey , getInfo , or getPublicKey . You can use Metrics Explorerto explore metric labels.

What's next

• Explore your data across various metric dimensions using Metrics Explorer .
• Optional: Create alerting policies .