Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Anda dapat menggunakan Cloud Monitoring untuk memantau koneksi pengelola kunci eksternal (EKM). Metrik berikut dapat membantu Anda memahami penggunaan EKM:
Halaman ini menunjukkan cara membuat dasbor untuk melacak metrik yang terkait dengan kunci Cloud EKM dan koneksi pengelola kunci eksternal Anda, seperti jumlah permintaan dan latensi. Untuk mengetahui informasi selengkapnya tentang metrik ini, lihat metrik cloudkms. Untuk mengetahui informasi selengkapnya tentang proses pembuatan dasbor yang dijelaskan di bagian berikut, lihat Mengelola dasbor dengan API.
Sebelum memulai
Langkah-langkah di halaman ini mengasumsikan hal berikut:
Anda telah menyiapkan Cloud EKM di project, termasuk
koneksi EKM
dan satu atau beberapa kunci eksternal.
Peran yang diperlukan
Untuk mendapatkan izin yang
diperlukan guna membuat dasbor menggunakan gcloud CLI,
minta administrator untuk memberi Anda
peran IAM berikut di project Anda:
Peran bawaan ini berisi
izin yang diperlukan untuk membuat dasbor menggunakan gcloud CLI. Untuk melihat izin yang benar-benar diperlukan, luaskan bagian Izin yang diperlukan:
Izin yang diperlukan
Izin berikut diperlukan untuk membuat dasbor menggunakan gcloud CLI:
Jika berhasil, perintah ini akan menampilkan nama channel baru. Catat ID saluran notifikasi; Anda akan memerlukannya nanti. Outputnya
mirip dengan yang berikut ini:
Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]
LOCATION: region yang ingin Anda pantau untuk metrik ini. Jika Anda ingin memberikan peringatan terlepas dari wilayah, hapus
metric.labels.ekm_service_region.
LABEL_METHOD: label method yang ingin Anda
gunakan untuk pemberitahuan—misalnya, wrap, unwrap, asymmetricSign,
checkCryptoSpacePermissions, createKey, getInfo, atau
getPublicKey. Anda dapat menggunakan Metrics Explorer untuk menjelajahi
label metrik.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-08-18 UTC."],[],[],null,["# Monitor EKM usage\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nYou can use Cloud Monitoring to monitor your external key manager (EKM)\nconnection. The following metrics can help you understand your EKM usage:\n\n- `cloudkms.googleapis.com/ekm/external/request_latencies`\n- `cloudkms.googleapis.com/ekm/external/request_count`\n\nThis page shows you how to create a dashboard to track metrics related to your\nCloud EKM keys and external key manager connection, such as request\ncounts and latencies. For more information about these metrics, see\n[cloudkms metrics](/monitoring/api/metrics_gcp_c#gcp-cloudkms). For more\ninformation about the dashboard creation process described in the following\nsections, see\n[Managing dashboards by API](/monitoring/dashboards/api-dashboard).\n\nBefore you begin\n----------------\n\nThe steps on this page assume the following:\n\n- You already have Cloud EKM set up in a project, including an [EKM connection](/kms/docs/create-ekm-connection) and one or more [external keys](/kms/docs/create-external-key).\n\n### Required roles\n\n\nTo get the permissions that\nyou need to create dashboards using the gcloud CLI,\n\nask your administrator to grant you the\nfollowing IAM roles on your project:\n\n- [Monitoring Dashboard Configuration Editor](/iam/docs/roles-permissions/monitoring#monitoring.dashboardEditor) (`roles/monitoring.dashboardEditor`)\n- [Service Usage Consumer](/iam/docs/roles-permissions/serviceusage#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThese predefined roles contain\n\nthe permissions required to create dashboards using the gcloud CLI. To see the exact permissions that are\nrequired, expand the **Required permissions** section:\n\n\n#### Required permissions\n\nThe following permissions are required to create dashboards using the gcloud CLI:\n\n- ` monitoring.dashboards.create `\n- ` monitoring.dashboards.delete `\n- ` monitoring.dashboards.update `\n- ` serviceusage.services.use`\n\n\nYou might also be able to get\nthese permissions\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nCreate a dashboard to monitor your EKM\n--------------------------------------\n\nTo monitor the status of your EKM, create a dashboard that monitors your\nrequest count and latencies:\n\n1. Download the dashboard configuration:\n [`ekm-dashboard.json`](/static/kms/static/ekm-dashboard.json).\n\n2. Create a custom dashboard with the configuration file by running the\n following command:\n\n ```\n gcloud monitoring dashboards create \\\n --config-from-file=ekm-dashboard.json\n ```\n\nView your EKM dashboard\n-----------------------\n\n1. In the Google Cloud console, go to the **Monitoring** page, or use the\n following button:\n\n [Go to Monitoring](https://console.cloud.google.com/monitoring)\n2. Select **Resources \\\u003e Dashboards** and view the dashboard\n named **Cloud KMS EKM**.\n\nCreate an alert policy for EKM metrics\n--------------------------------------\n\nComplete the following steps using the gcloud CLI:\n\n1. Select a notification channel to receive EKM metrics alerts.\n\n - To use an existing notification channel, first view your channels:\n\n ```\n gcloud beta monitoring channels list\n ```\n\n Choose a channel from the list. Make note of the notification channel\n ID; you need it later.\n - To use a new notification channel, create the channel using an email\n address:\n\n ```\n gcloud beta monitoring channels create \\\n --display-name=\"Notification channel for EKM latency alert\" \\\n --description=\"This notification channel receives EKM latency metric alerts\" \\\n --type=email \\\n --channel-labels=email_address=NOTIFICATION_EMAIL\n ```\n\n If successful, this command returns the name of the new channel. Make\n note of the notification channel ID; you need it later. The output is\n similar to the following: \n\n ```\n Created notification channel [projects/PROJECT_ID/notificationChannels/NOTIFICATION_CHANNEL_ID]\n ```\n2. Create an alerting policy using the [`monitoring policies\n create`](/sdk/gcloud/reference/alpha/monitoring/policies/create) command:\n\n gcloud alpha monitoring policies create \\\n --notification-channels=\u003cvar translate=\"no\"\u003eNOTIFICATION_CHANNEL_ID\u003c/var\u003e \\\n --aggregation=' {\"alignmentPeriod\": \"60s\",\"perSeriesAligner\": \"ALIGN_PERCENTILE_99\"}' \\\n --condition-display-name=\"EKM Request Latency \u003e 150ms\" \\\n --condition-filter='resource.type=\"cloudkms.googleapis.com/Project\"\n metric.type=\"cloudkms.googleapis.com/ekm/external/request_latencies\"\n metric.labels.ekm_service_region=\"\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n metric.labels.method=\"\u003cvar translate=\"no\"\u003eLABEL_METHOD\u003c/var\u003e\"' \\\n --duration=\"0s\" \\\n --if=\"\u003e 150\" \\\n --display-name=\"EKM metric latency alert\" \\\n --trigger-count=1 \\\n --combiner='AND'\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eNOTIFICATION_CHANNEL_ID\u003c/var\u003e: the ID of the notification channel.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the region for which you want to alert on this metric. If you want to alert regardless of region, omit `metric.labels.ekm_service_region`.\n - \u003cvar translate=\"no\"\u003eLABEL_METHOD\u003c/var\u003e: the `method` label that you want to alert on---for example, `wrap`, `unwrap`, `asymmetricSign`, `checkCryptoSpacePermissions`, `createKey`, `getInfo`, or `getPublicKey`. You can use **Metrics Explorer** to explore metric labels.\n\nWhat's next\n-----------\n\n- [Explore your data across various metric dimensions using\n Metrics Explorer](/monitoring/charts/metrics-explorer).\n- Optional: Create [alerting policies](/monitoring/alerts)."]]