Feature deprecation notice and plans
This announcement page is maintained and updated periodically to communicate important decisions made concerning End of Support(EoS) for Vault features as well as features we have removed or disabled from the product. We document the removal of features, enable the community with a plan and timeline for eventual deprecations, and supply alternative paths to explore and evaluate to minimize business disruptions. If you have questions or concerns about a deprecated feature, please create a topic on the community forum or raise a ticket with your support team. Please refer to the FAQ page for frequently asked questions concerning Vault feature deprecations.
Deprecation Announcement: This indicates the release version during which the announcement was made to deprecate a feature.
End of Support: This indicates when a deprecated feature becomes unsupported. Consult the table below and consider the timeline provided to upgrade. If you use Vault Enterprise and require help with a deprecated feature, the Vault Support Team will provide limited support. However, we will not provide software patches or bug fixes. Refer to the HashiCorp Support Policy to understand our product support timeline.
Feature Removal: This indicates that the feature is completely removed/disabled from the product.
Note: All specified targeted version announcements for End of Support and Feature Removal may be subject to change.
| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources |
|---|---|---|---|---|---|
| Vault Enterprise storage backend | N/A | v1.12 | N/A | Use Integrated Storage or Consul as your Vault's storage backend. Vault Enterprise will no longer start up if configured to use a storage backend other than Integrated Storage or Consul. | Upgrade Guide |
| Vault generation of Dynamic SSH Keys | v0.7.1 | N/A | v1.13 | Use the alternative signed SSH certificates feature which supports key pair generation as of Vault 1.12. SSH certificates do not require an external connection from Vault to provision the key/certificate and more secure than having Vault provision dynamic SSH keys. | SSH Certificates |
| Duplicative Docker Images | v1.12 | 1.13 | v1.14 | Upon feature removal, the vault Docker image will no longer be updated. Only the Verified Publisher hashicorp/vault image will be updated on DockerHub. Users of Official Images will need to use docker pull hashicorp/vault:<version> instead of docker pull vault:version to get newer versions of Vault in Docker images. Currently, HashiCorp publishes and updates identical Docker images of Vault as Verified Publisher and Official images separately. | The Verified Publisher Program |
| Etcd V2 API (OSS) | v1.9 | N/A | v1.10 | The Etcd v2 has been deprecated with the release of Etcd v3.5, and will be decomissioned by Etcd v3.6. Etcd v2 API has been removed in Vaut 1.10. Users of Etcd storage backend must migrate Vault storage to an Etcd V3 cluster prior to upgrading to Vault 1.10. All storage migrations should be backed up prior to migration. | Etcd Storage Backend |
| Licenses in storage (ENT) | v1.8 | v1.10 | v1.11 | Migrate to Autoloading by v1.11. | Vault License System Backend FAQ |
| Mount Filters (ENT) | v1.3 | v1.10 | v1.11 | Use the alternative feature: Path Filters. | API Deprecation Notice Filter Mount Replication Deprecation Notice |
| Legacy MFA (OSS) | v1.0 | N/A | v1.11 | Based on your use case, use the Policy-based Enterprise MFA or Login MFA supported in Vault OSS as of v1.10. | Multi-Factor Authentication |
| *Standalone DB Engines (OSS) | v0.8 | N/A | v1.13 | Use the alternative DB secrets engine feature. | DB secrets engine |
| *AppID (OSS) | v0.6 | N/A | v1.13 | Use the alternative feature: AppRole auth method. | AppID Auth Method Deprecation Notice |
| AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the AAD Graph API on June 30, 2022. Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | AAD (Azure Active Directory |
Optional api_token parameter in Okta Auth Method | v1.4 | 1.11 | v1.12 | The api_token parameter on the Okta Auth Method will change from being optional to being required. | API Documentation |
| SHA-1 certificate signing | v1.11 | v1.11 | v1.12 | Go version 1.18 removes support for SHA-1 by default. As Vault updates its Go version to 1.18, you should plan to move off SHA-1 for certficate signing. Operators can set a Go environmental variable to restore SHA-1 support if they need to continue using SHA-1. It is unknown at this time when Go will remove the environmental variable support. Therefore, we highly encourage you to migrate off of SHA-1 for certificate signing. | FAQ |
| Consul secrets engine parameter changes | v1.11 | N/A | N/A | The policies parameter on the Consul secrets engine has been changed in favor of consul_policies. The token_type and policy parameters have been deprecated as the latest versions of Consul no longer support the older ACL system they were used for. | Consul secrets engine API documentation |
*If you use Standalone DB Engines or AppID (OSS), you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error.
This behavior may temporarily be overridden when starting the Vault server by using the VAULT_ALLOW_PENDING_REMOVAL_MOUNTS environment variable until they are officially removed in Vault version 1.13.
If you are still using these deprecated features and attempt to upgrade to 1.13 (the target feature removal timeframe), you will not be able to start up Vault without downgrading and migrating away from these features.