Oracle Cloud Infrastructure Documentation

Key Management Metrics

You can monitor the usage of your Key Management service master encryption keys by using metrics , alarms , and notifications. For more information, see Monitoring Overview and Notifications Overview.

This topic describes the metrics emitted by the Key Management service in the oci_kms_keys namespace.

Resources: master encryption keys.

Overview of the Key Management Service Metrics

The Key Management service metrics help you measure the success and error count of cryptographic operations. You can use metrics data to diagnose and troubleshoot problems with keys.

To view a default set of metrics charts in the Console, navigate to the key that you're interested in, and then click Metrics. You also can use the Monitoring service to create custom queries.


IAM policies: To monitor resources, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service: Monitoring or Notifications.

Available Metrics: oci_kms_keys

The metrics listed in the following table are automatically available for any master encryption keys that you create. You do not need to enable monitoring on the resource to get these metrics.

Key Management service metrics for keys include the following dimensions :

The friendly name of the resource to which the metrics apply.
The OCID  of the resource to which the metrics apply.
The HTTP response code to the cryptographic operation to which the metrics apply.
Metric Metric Display Name Unit Description Dimensions


Encrypt Response Count


HTTP responses received by the service for Encrypt calls.





Response Count


HTTP responses received by the service for Decrypt calls.


GenerateDataEncryptionKey Response Count


HTTP responses received by the service for GenerateDataEncryptionKey calls.

Using the Console

To view default metric charts for a single master encryption key
To view default metric charts for multiple master encryption keys

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following APIs for monitoring: