HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.10.x. View latest version.

Overview

This page contains the list of deprecations and important or breaking changes for Vault 1.7.x compared to 1.6. Please read it carefully.

Go Version

Vault 1.7.8 and higher are built with Go 1.16. Please review the Go Release Notes for full details. Vault 1.7.0-1.7.7 are built with Go 1.15.

Barrier Key Auto-Rotation

If your Vault installation is at least a year old, the barrier key will be automatically rotated once, and then subsequently will be rotated per the settings in the new sys/rotate/config endpoint. This is a precaution to ensure the number of encryptions performed by the barrier key is fewer than that recommended by NIST SP 800-38D.

AWS Auth Endpoint Changes and Deprecations

AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms have been updated to more inclusive language (e.g. /auth/aws/identity-whitelist has been updated to/auth/aws/identity-accesslist). The old and new endpoints are aliases, sharing the same underlying data. The legacy endpoint names are considered deprecated and will be removed in a future release (not before Vault 1.9). The complete list of endpoint changes is available in the AWS Auth API docs.

Alpine 3.14

Docker images for Vault 1.6.6+, 1.7.4+, and 1.8.2+ are built with Alpine 3.14, due to a security issue in Alpine 3.13 (CVE-2021-36159). Some users on older versions of Docker may run into issues with these images. See the following for more details:

Entity Alias mapping

Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.

Known Issues

Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0. Due to the known issue, Lease Count Quota users with DR Secondaries are recommended to upgrade to version 1.7.4.

Autopilot

  • Autopilot is not currently supported on DR Secondary clusters, or in Integrated Storage's HA-only mode.
  • If the IP address in the raft peer list is different from the configured cluster address, autopilot may be unable to determine the leader node. If affected, you should disabled autopilot by setting the VAULT_RAFT_AUTOPILOT_DISABLE environment variable to 1.

Transform Storage Upgrades Fixed

The Transform Secrets Engine storage upgrade introduced in 1.6.0 introduced malformed configuration for transformations configured earlier than 1.6.0, resulting in an error using these transformations if Vault is restarted after the upgrade. This issue exists on Vault 1.6.0 through 1.6.3, and is fixed in Vault 1.6.4 and 1.7.0. Transformations configured on 1.6.0 or higher are unaffected.

Lease Count Quota Invalidations on DR Secondaries Fixed

Lease count quota invalidation causes DR Secondaries to panic and experience a hard shutdown. This issue exists prior to Vault 1.6.6 and 1.7.4. It is fixed in Vault 1.6.6, 1.7.4, and 1.8.0.