This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

You can use Cloud Monitoring to monitor your external key manager (EKM)connection. The following metrics can help you understand your EKM usage:

• cloudkms.googleapis.com/ekm/external/request_latencies
• cloudkms.googleapis.com/ekm/external/request_count

This page shows you how to create a dashboard to track metrics related to yourCloud EKM keys and external key manager connection, such as requestcounts and latencies. For more information about these metrics, seecloudkms metrics. For moreinformation about the dashboard creation process described in the followingsections, seeManaging dashboards by API.

Before you begin

The steps on this page assume the following:

• You already have Cloud EKM set up in a project, including anEKM connectionand one or moreexternal keys.

Required roles

To get the permissions that you need to create dashboards using the gcloud CLI, ask your administrator to grant you the following IAM roles on your project:

• Monitoring Dashboard Configuration Editor (roles/monitoring.dashboardEditor)
• Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are required, expand theRequired permissions section:

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Create a dashboard to monitor your EKM

To monitor the status of your EKM, create a dashboard that monitors yourrequest count and latencies:

1. Download the dashboard configuration:ekm-dashboard.json.

2. Create a custom dashboard with the configuration file by running thefollowing command:

   gcloud monitoring dashboards create \--config-from-file=ekm-dashboard.json

View your EKM dashboard

1. In the Google Cloud console, go to theMonitoring page, or use thefollowing button:

   Go to Monitoring

2. SelectResources > Dashboards and view the dashboardnamedCloud KMS EKM.

Create an alert policy for EKM metrics

Complete the following steps using the gcloud CLI:

1. Select a notification channel to receive EKM metrics alerts.

   • To use an existing notification channel, first view your channels:

     gcloud beta monitoring channels list

     Choose a channel from the list. Make note of the notification channelID; you need it later.

   • To use a new notification channel, create the channel using an emailaddress:

     gcloud beta monitoring channels create \--display-name="Notification channel for EKM latency alert" \--description="This notification channel receives EKM latency metric alerts" \--type=email \--channel-labels=email_address=NOTIFICATION_EMAIL

     If successful, this command returns the name of the new channel. Makenote of the notification channel ID; you need it later. The output issimilar to the following:

     Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]

2. Create an alerting policy using themonitoring policiescreate command:

   gcloudmonitoringpoliciescreate\--notification-channels=NOTIFICATION_CHANNEL_ID\--aggregation=' {"alignmentPeriod": "60s","perSeriesAligner": "ALIGN_PERCENTILE_99"}'\--condition-display-name="EKM Request Latency > 150ms"\--condition-filter='resource.type="cloudkms.googleapis.com/Project"                            metric.type="cloudkms.googleapis.com/ekm/external/request_latencies"                            metric.labels.ekm_service_region="LOCATION"                            metric.labels.method="LABEL_METHOD"'\--duration="0s"\--if="> 150"\--display-name="EKM metric latency alert"\--trigger-count=1\--combiner='AND'

   Replace the following:

   • NOTIFICATION_CHANNEL_ID: the ID of the notification channel.
   • LOCATION: the region for which you want to alert on thismetric. If you want to alert regardless of region, omitmetric.labels.ekm_service_region.
   • LABEL_METHOD: themethod label that you want toalert on—for example,wrap,unwrap,asymmetricSign,checkCryptoSpacePermissions,createKey,getInfo, orgetPublicKey. You can useMetrics Explorer to exploremetric labels.

What's next

• Explore your data across various metric dimensions usingMetrics Explorer.
• Optional: Createalerting policies.