Create a lease count quota
Use lease count quotas to limit the number of leases generated on a per-mount basis and control resource consumption for your Vault instance where hard limits make sense.
Before you start
- Confirm you have access to the root or administration namespace for your Vault instance. Modifying lease count quotas is a restricted activity.
Step 1: Determine the appropriate granularity
The granularity of your lease limits can affect the performance of your Vault cluster. In particular, if your lease limits cause the number of rejected requests to increase dramatically, the increased audit logging may impact Vault performance.
Review past system behavior to identify whether the quota limits should be inheritable or limited to a specific role.
Step 2: Apply the count quota
Use vault write and the sys/quotas/lease-count/{quota-name} mount path to create a new lease count quota:

```shell-session
$ vault write \
    sys/quotas/lease-count/<QUOTA_NAME> \
    name="<QUOTA_NAME>" \
    path="<PLUGIN_MOUNT_PATH>" \
    role="<OPTIONAL_AUTHN_ROLE>" \
    max_leases=<LEASE_LIMIT>
```
For example, to create a targeted quota limit called webapp-tokens on the webapp role for the approle plugin at the default mount path:

```shell-session
$ vault write \
    sys/quotas/lease-count/webapp-tokens \
    name="webapp-tokens" \
    path="auth/approle" \
    role="webapp" \
    max_leases=100

Success! Data written to: sys/quotas/lease-count/webapp-tokens
```
Step 3: Confirm the quota settings
Use vault read and the sys/quotas/lease-count/{quota-name} mount path to display the lease count quota details:

```shell-session
$ vault read sys/quotas/lease-count/<QUOTA_NAME>
```
For example, to read the webapp-tokens quota details:

```shell-session
$ vault read sys/quotas/lease-count/webapp-tokens

Key            Value
---            -----
counter        0
inheritable    true
max_leases     100
name           webapp-tokens
path           auth/approle/
role           webapp
type           lease-count
```
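The create-and-confirm steps above as one script against the HTTP API behind those CLI commands (POST then GET on /v1/sys/quotas/lease-count/<name>), added here as an example and not code from the original page or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN are set, and the transport parameter is a hypothetical hook that lets the read-back comparison run without a live cluster.

```python
"""Apply a Vault lease count quota and verify the stored settings match the request."""
import json
import os
import urllib.request


def quota_payload(name, mount_path, max_leases, role=None):
    """Request body for sys/quotas/lease-count/<name>; role is optional (mount-wide quota if omitted)."""
    body = {"name": name, "path": mount_path, "max_leases": int(max_leases)}
    if role:
        body["role"] = role
    return body


def http(method, url, token, body=None):
    """Minimal Vault API call. A quota write returns no body (204), so an empty response is fine."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def check_quota(requested, stored):
    """Compare the read-back quota with the request and return a list of mismatches.

    Vault reports the mount path with a trailing slash (auth/approle -> auth/approle/),
    so paths are normalised before comparison; a missing role is treated as "".
    """
    expected = {
        "name": requested["name"],
        "path": requested["path"].rstrip("/") + "/",
        "role": requested.get("role") or "",
        "max_leases": requested["max_leases"],
        "type": "lease-count",
    }
    mismatches = []
    for key, want in expected.items():
        got = stored.get(key)
        if key == "path" and isinstance(got, str):
            got = got.rstrip("/") + "/"
        if key == "role":
            got = got or ""
        if got != want:
            mismatches.append(f"{key}: wanted {want!r}, got {got!r}")
    return mismatches


def apply_and_verify(requested, transport=http, addr=None, token=None):
    """Write the quota, read it back, and return check_quota's mismatch list (empty means confirmed)."""
    addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
    token = token or os.environ["VAULT_TOKEN"]
    url = f"{addr}/v1/sys/quotas/lease-count/{requested['name']}"
    transport("POST", url, token, requested)  # same effect as `vault write sys/quotas/lease-count/<name> ...`
    stored = transport("GET", url, token)["data"]  # same data `vault read` prints as a table
    return check_quota(requested, stored)
```

Run it with apply_and_verify(quota_payload("webapp-tokens", "auth/approle", 100, role="webapp")) after exporting VAULT_ADDR and VAULT_TOKEN; a non-empty result lists exactly which stored fields differ from what you asked for.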
Next steps
Proactive monitoring and periodic usage analysis can help you identify potential problems before they escalate.
- Brush up on Vault resource quotas in general.
- Learn about lease count quotas for Vault Enterprise.
- Learn how to query audit device logs.
- Review key Vault metrics for common health checks.