Prometheus exporter for Azure KeyVaults which exports general information and dates (created, updated, notBefore, expiry) for secrets, keys and certificates.
```
Usage:
  azure-keyvault-exporter [OPTIONS]

Application Options:
      --log.level=[trace|debug|info|warning|error]  Log level (default: info) [$LOG_LEVEL]
      --log.format=[logfmt|json]                    Log format (default: logfmt) [$LOG_FORMAT]
      --log.source=[|short|file|full]               Show source for every log message (useful for debugging and bug reports) [$LOG_SOURCE]
      --log.color=[|auto|yes|no]                    Enable color for logs [$LOG_COLOR]
      --log.time                                    Show log time [$LOG_TIME]
      --azure.environment=                          Azure environment name (default: AZUREPUBLICCLOUD) [$AZURE_ENVIRONMENT]
      --azure.subscription=                         Azure subscription ID (space delimiter) [$AZURE_SUBSCRIPTION_ID]
      --azure.resource-tag=                         Azure Resource tags (space delimiter) (default: owner) [$AZURE_RESOURCE_TAG]
      --keyvault.filter=                            Filter KeyVaults via ResourceGraph kusto filter, query: 'resource | ${filter} | project id' [$KEYVAULT_FILTER]
      --keyvault.content.tag=                       KeyVault content (secret, key, certificates) tags (space delimiter) [$KEYVAULT_CONTENT_TAG]
      --cache.path=                                 Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername) [$CACHE_PATH]
      --scrape.time=                                Default scrape time (time.duration) (default: 5m) [$SCRAPE_TIME]
      --scrape.concurrency=                         Defines who many Keyvaults can be scraped at the same time (default: 10) [$SCRAPE_CONCURRENCY]
      --server.bind=                                Server address (default: :8080) [$SERVER_BIND]
      --server.timeout.read=                        Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ]
      --server.timeout.write=                       Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE]

Help Options:
  -h, --help                                        Show this help message
```

For Azure API authentication (using ENV vars), see the following documentation:

- https://github.com/webdevops/go-common/blob/main/azuresdk/README.md
- https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication

| Metric | Description |
|---|---|
| `azurerm_keyvault_info` | Azure KeyVault information |
| `azurerm_keyvault_status` | Azure KeyVault status information (e.g. whether it is accessible from the exporter) |
| `azurerm_keyvault_entries` | Count of entries (separated by type) inside Azure KeyVault |
| `azurerm_keyvault_key_info` | General information about keys |
| `azurerm_keyvault_key_status` | Status information (notBefore & expiry date) |
| `azurerm_keyvault_secret_info` | General information about secrets |
| `azurerm_keyvault_secret_status` | Status information (notBefore & expiry date) |
| `azurerm_keyvault_certificate_info` | General information about certificates |
| `azurerm_keyvault_certificate_status` | Status information (notBefore & expiry date) |

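
An added example, not part of the exporter's own code: a small Python check that reads scraped metrics text and reports keys, secrets and certificates that are expired or close to expiry, based on the `*_status` metrics listed above. It assumes those metrics carry a `type` label with the value `expiry` and a Unix timestamp as the sample value; the `vault` and `name` labels and all sample lines are constructed.

```python
import re

# Constructed sample of scraped metrics text. Assumptions: the `type` label and the
# Unix-timestamp value; the `vault` and `name` labels are hypothetical.
SAMPLE = """\
azurerm_keyvault_secret_status{vault="kv-demo",name="db-pass",type="expiry"} 1700500000
azurerm_keyvault_secret_status{vault="kv-demo",name="db-pass",type="notBefore"} 1690000000
azurerm_keyvault_certificate_status{vault="kv-demo",name="web-tls",type="expiry"} 1710000000
azurerm_keyvault_key_status{vault="kv-demo",name="sign-key",type="expiry"} 1699000000
azurerm_keyvault_entries{vault="kv-demo",type="secrets"} 3
"""

STATUS_LINE = re.compile(
    r'^(azurerm_keyvault_(?:key|secret|certificate)_status)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def expiry_findings(text, now, warn_days=30):
    """Return (state, metric, labels, days_left) tuples, most urgent first."""
    findings = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue  # comments, other metrics, blank lines
        metric, raw_labels, value = m.groups()
        labels = dict(LABEL.findall(raw_labels))
        if labels.get("type") != "expiry":
            continue  # notBefore is not an expiry signal
        try:
            days_left = (float(value) - now) / 86400
        except ValueError:
            continue  # malformed sample value
        if days_left < 0:
            findings.append(("expired", metric, labels, days_left))
        elif days_left <= warn_days:
            findings.append(("expiring", metric, labels, days_left))
    return sorted(findings, key=lambda f: f[3])

if __name__ == "__main__":
    import time
    for state, metric, labels, days in expiry_findings(SAMPLE, time.time()):
        print(f"{state:9} {metric} {labels.get('name')} {days:.1f}d")
```
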
See the armclient tagmanager documentation.