Vault 1.17.0 release notes
GA date: 2024-06-12
Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Vault code on GitHub.
We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.
Important changes
Change | Description |
---|---|
New default (1.17) | Allowed audit headers now have unremovable defaults |
Opt out feature (1.17) | PKI sign-intermediate now truncates notAfter field to signing issuer |
Beta feature deprecated (1.17) | Request limiter deprecated |
Known issue (1.17.0+) | PKI OCSP GET requests can return HTTP redirect responses |
Known issue (1.17.0) | Vault Agent and Vault Proxy consume excessive amounts of CPU |
Known issue (1.15.8 - 1.15.9, 1.16.0 - 1.16.3) | Autopilot upgrade for Vault Enterprise fails |
Known issue (1.17.0 - 1.17.2) | Vault standby nodes not deleting removed entity-aliases from in-memory database |
Known issue (0.7.0+) | Duplicate identity groups created |
Known issue (0.7.0+) | Manual entity merges fail |
Known issue (1.17.3 - 1.17.4) | Some values in the audit logs not hmac'd properly |
Known issue (1.17.0 - 1.17.5) | Cached activation flags for secrets sync on follower nodes are not updated |
Vault companion updates
Companion updates are Vault updates that live outside the main Vault binary.
None.
Core updates
Follow the learn more links for more information, or browse the list of Vault tutorials updated to highlight changes for the most recent GA release.
Release | Update | Description |
---|---|---|
Security patches | ENHANCED | Various security improvements to remediate findings of varying severity, including informational findings, from a third-party security audit. |
Vault Agent and Vault Proxy self-healing tokens | ENHANCED | Auto-authentication avoids agent/proxy restarts and config changes by automatically re-authenticating authN tokens to Vault. Learn more: Vault Agent and Vault Proxy auto-auth |
Enterprise updates
Release | Update | Description |
---|---|---|
Adaptive overload protection | BETA | Prevent client requests from overwhelming a variety of server resources that could lead to poor server availability. Learn more: Adaptive overload protection overview |
ACME Client Count | ENHANCED | To improve clarity around client counts, Vault now separates ACME clients from non-entity clients. |
Public Key Infrastructure (PKI) | GA | Automate certificate lifecycle management for IoT/EST enabled devices with native EST protocol support. Learn more: Enrollment over Secure Transport (EST) overview |
Public Key Infrastructure (PKI) | GA | Submit custom metadata with certificate requests and store the additional information in Vault for further analysis. Learn more: PKI secrets engine API |
Resource management | ENHANCED | Vault now supports a greater number of namespaces and mounts for large-scale Vault installations. |
Resource management | GA | Use hierarchical mount paths to organize, manage, and control access to secret engine objects. |
Resource management | GA | Safely override the max entry size to set different limits for specific storage entries that contain mount tables, auth tables and namespace configuration data. Learn more: max_mount_and_namespace_table_entry_size parameter |
Transit | GA | Use cipher-based message authentication code (CMAC) with AES symmetric keys in the Vault Transit plugin. Learn more: CMAC support |
Plugin identity tokens | GA | Enable AWS, Azure, and GCP authentication flows with workload identity federation (WIF) tokens from the associated secrets plugins without explicitly configuring sensitive security credentials. Learn more: Plugin WIF overview |
LDAP Secrets Engine | GA | Use hierarchical paths with roles and set names to define policies that map 1-1 to LDAP secrets engine roles. Learn more: Hierarchical paths overview |
Clock skew and lag detection | GA | Use the sys/health and sys/ha-status endpoints to display lags in performance secondaries and performance standby nodes. Learn more: Clock skew and replication lag overview |
Feature deprecations and EOL
Deprecated in 1.17 | Retired in 1.17 |
---|---|
None | Centrify Auth plugin |
Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans or the Feature Deprecation FAQ for general questions about our deprecation process.