Deprecation notices
Vault implements a multi-phased approach to deprecations to provide users with advanced warning, minimize business disruptions, and allow for the safe handling of data affected by a feature removal.
Have questions?
If you have questions or concerns about a deprecated feature, please create a topic on the Vault community forum or raise a ticket with your support team.
Recent announcements
The Vault Support Team can provide limited help with a deprecated feature. Limited support includes troubleshooting solutions and workarounds but does not include software patches or bug fixes. Refer to the HashiCorp Support Policy for more information on the product support timeline.
Ruby client libraries
Announced | Expected end of support | Expected removal |
---|---|---|
APR 2024 | APR 2025 | N/A |
If you are interested in assuming ownership and providing future maintenance:
- Fork the relevant GitHub repo: hashicorp/vault-ruby or hashicorp/vault-rails.
- Open a GitHub issue in the relevant repo, mention the deprecation notice, and indicate your desire to take over the project.
We are currently assessing the relevant repos
Once we have reviewed the relevant repos and the issues submitted for ownership, we will update the information for our community-supported libraries.
Active Directory secrets engine
Announced | Expected end of support | Expected removal |
---|---|---|
MAR 2023 | CY24 Q3 | CY25 Q1 |
The Active Directory secrets engine is deprecated. We recommend
migrating your Active Directory calls
to use the LDAP Secrets Engine with the ad
schema.
Deprecation phases
The lifecycle of a Vault feature or plugin includes 4 phases:
- supported - generally available (GA), functioning as expected, and under active maintenance
- deprecated - marked for removal in a future release
- pending removal - support ended or replaced by another feature
- removed - end of lifecycle
Deprecated
"Deprecated" is the first phase of the deprecation process and indicates that the feature is marked for removal in a future release. When you upgrade Vault, newly deprecated features will begin alerting that the feature is deprecated:
- Built-in authentication and secrets plugins log
Warn
-level messages on unseal. - All deprecated features log
Warn
-level messages. - All
POST
,GET
, andLIST
endpoints associated with the feature return warnings in response data.
Built-in Vault authentication and secrets plugins also expose their deprecation status through the Vault CLI and Vault API.
CLI command | API endpoint |
---|---|
N/A | /sys/plugins/catalog |
vault plugin info auth <PLUGIN_NAME> | /sys/plugins/catalog/auth/:name |
vault plugin info secret <PLUGIN_NAME> | /sys/plugins/catalog/secret/:name |
Pending removal
"Pending removal" is the second phase of the deprecation process and indicates that the feature behavior is fundamentally altered in the following ways:
- Built-in authentication and secrets plugins log
Error
-level messages and cause an immediate shutdown of the Vault core. - All features pending removal fail and log
Error
-level messages. - All CLI commands and API endpoints associated with the feature fail and return errors.
Use with caution
In critical situations, you may be able to override the pending removal behavior with the
VAULT_ALLOW_PENDING_REMOVAL_MOUNTS
environment variable, which forces Vault to treat some features that are pending
removal as if they were still only deprecated.
Removed
"Removed" is the last phase of the deprecation process and indicates that the feature is no longer supported and no longer exists within Vault.
Migrate from deprecated features
Features in the "pending removal" and "removed" phases will fail, log errors, and, for built-in authentication or secret plugins, cause an immediate shutdown of the Vault core.
Migrate away from a deprecated feature and successfully upgrade to newer Vault versions, you must eliminate the deprecated features:
- Downgrade Vault to a previous version if necessary.
- Replace any "Removed" or "Pending removal" feature with the recommended alternative.
- Upgrade to latest desired version.