Telemetry unauthenticated_metrics_access configuration


We have HashiCorp Vault deployed with 5 nodes in an AWS account. Integrated storage (Raft) will be used in the Vault cluster. The cluster is behind an ELB.

According to the documentation (Telemetry - Configuration | Vault by HashiCorp), the /v1/sys/metrics endpoint is only accessible on active nodes and is automatically disabled on standby nodes. So that means metrics can only be obtained from an individual ACTIVE node, and NOT from a standby node. But the load balancer sends requests to all nodes, so if a request reaches a standby node, that node cannot provide a response on the /sys/metrics endpoint.

The documentation says that you can enable the /v1/sys/metrics endpoint on standby nodes by enabling unauthenticated metrics access. But after adding the unauthenticated metrics access configuration, the metrics are accessible without any bearer_token or bearer_token_file, which might cause a security issue later.

Is there any way to solve this issue? In other words, how can we enable the metrics endpoint on standby nodes with authentication enabled?


Use different ports on your NLB. One for distributing to all nodes (the default port for your clients), and then a different binding with a health check that gets you the leader IP only.
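The two-port NLB layout described in this answer, sketched as Terraform for the AWS provider. This is an added example, not code from the thread or from HashiCorp; the resource names, the variables, and the choice of 9200 as the metrics-only listener port are placeholders. It relies on two documented behaviours: /v1/sys/health returns 200 on the active node and 429 on a standby unless standbyok=true is passed, and an NLB HTTP/HTTPS health check treats only 200-399 as healthy by default, so the second target group never marks a standby healthy.

```hcl
# Added example: two NLB listeners in front of the same five Vault nodes.
# Listener 8200 reaches every unsealed node; listener 9200 (arbitrary port)
# reaches only the active node. All names and variables are placeholders.

variable "vpc_id"             { type = string }
variable "subnet_ids"         { type = list(string) }
variable "vault_instance_ids" { type = list(string) } # the 5 Vault EC2 instances

resource "aws_lb" "vault" {
  name               = "vault-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

# Target group 1: every node. standbyok=true makes standbys answer 200 on
# /v1/sys/health, so any unsealed node is eligible for client traffic
# (standbys forward client requests to the active node themselves).
resource "aws_lb_target_group" "vault_api" {
  name     = "vault-api"
  port     = 8200
  protocol = "TCP"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "8200"
    path     = "/v1/sys/health?standbyok=true"
    interval = 10
  }
}

# Target group 2: the same instances and port, but the health check omits
# standbyok. Vault answers 200 only on the active node and 429 on standbys;
# 429 is outside the NLB's default 200-399 success range, so only the
# current leader is ever marked healthy here.
resource "aws_lb_target_group" "vault_metrics" {
  name     = "vault-metrics"
  port     = 8200
  protocol = "TCP"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "8200"
    path     = "/v1/sys/health"
    interval = 10
  }
}

# Register all five instances in both groups.
resource "aws_lb_target_group_attachment" "api" {
  count            = length(var.vault_instance_ids)
  target_group_arn = aws_lb_target_group.vault_api.arn
  target_id        = var.vault_instance_ids[count.index]
  port             = 8200
}

resource "aws_lb_target_group_attachment" "metrics" {
  count            = length(var.vault_instance_ids)
  target_group_arn = aws_lb_target_group.vault_metrics.arn
  target_id        = var.vault_instance_ids[count.index]
  port             = 8200
}

# Listener 1: the default client port, spread across all healthy nodes.
resource "aws_lb_listener" "vault_api" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 8200
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault_api.arn
  }
}

# Listener 2: the metrics-only port. Point the scraper at
# https://<nlb>:9200/v1/sys/metrics?format=prometheus; it still has to send
# a Vault token, because unauthenticated_metrics_access is left at its
# default of false in the Vault listener "tcp" stanza.
resource "aws_lb_listener" "vault_metrics" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 9200
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault_metrics.arn
  }
}
```

With this layout the Vault side needs no change: /v1/sys/metrics keeps requiring a token, and the scraper keeps using bearer_token_file. After a leader failover the second group follows the new active node once the health check flips, so expect scrapes to fail for roughly unhealthy_threshold times the interval; check the target group's health state in the console or with `aws elbv2 describe-target-health` if metrics go missing.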