Deprecation notices

Vault implements a multi-phased approach to deprecations to provide users with advanced warning, minimize business disruptions, and allow for the safe handling of data affected by a feature removal.

Have questions?

If you have questions or concerns about a deprecated feature, please create a topic on the Vault community forum or raise a ticket with your support team.

Recent announcements

The Vault Support Team can provide limited help with a deprecated feature. Limited support includes troubleshooting solutions and workarounds but does not include software patches or bug fixes. Refer to the HashiCorp Support Policy for more information on the product support timeline.

Ruby client libraries

Announced	Expected end of support	Expected removal
APR 2024	APR 2025	N/A

If you are interested in assuming ownership and providing future maintenance:

Fork the relevant GitHub repo: hashicorp/vault-ruby or hashicorp/vault-rails.
Open a GitHub issue in the relevant repo, mention the deprecation notice, and indicate your desire to take over the project.

We are currently assessing the relevant repos

Once we have reviewed the relevant repos and the issues submitted for ownership, we will update the information for our community-supported libraries.

Active Directory secrets engine

Announced	Expected end of support	Expected removal
MAR 2023	CY24 Q3	CY25 Q1

The Active Directory secrets engine is deprecated. We recommend migrating your Active Directory calls to use the LDAP Secrets Engine with the ad schema.

Vault Agent API proxy

Announced	Expected end of support	Expected removal
JUN 2023	APR 2024	CY26 Q2

Built-in API proxy support for Vault Agent is deprecated. We recommend migrating to Vault Proxy if you require proxy functionality.

Centrify auth method

Announced	Expected end of support	Expected removal
SEP 2023	CY24 Q2	CY24 Q2

The Centrify auth method can still be used as an external plugin, but Vault no longer provides official support for the plugin.

Duplicative Docker images

Announced	Expected end of support	Expected removal
OCT 2022	MAR 2023	JUN 2023

Previously, HashiCorp published and updated separate, identical Docker images of Vault as a Verified Publisher image and Official image. As of v1.12, Vault no longer supports the vault Docker image and will remove all duplicative Vault Docker images. To continue receiving updates, you will need to use the Verified Publisher hashicorp/vault image on DockerHub.

Include the version when pulling images

Use docker pull hashicorp/vault:<version> instead of docker pull vault:version to get newer versions of Vault in Docker images.

AWS secrets engine field change

Announced	Expected end of support	Expected removal
APR 2024	N/A	N/A

The security_token field returned for AssumeRole and FederationToken credentials is deprecated in favor of session_token.

For more information, consult the AWS secrets engine API documentation.

Azure secrets password policy

Announced	Expected end of support	Expected removal
N/A	APR 2024	N/A

The password_policy field for the Azure secrets plugin is deprecated. The MS Graph API now returns passwords to the client rather than accepting passwords as part of the request. As a result, the password_policy field is unusable.

For more information, consult the Microsoft documentation for MS GRAPH APP API and MS GRAPH SP API.

Deprecation phases

The lifecycle of a Vault feature or plugin includes 4 phases:

supported - generally available (GA), functioning as expected, and under active maintenance
deprecated - marked for removal in a future release
pending removal - support ended or replaced by another feature
removed - end of lifecycle

Deprecated

"Deprecated" is the first phase of the deprecation process and indicates that the feature is marked for removal in a future release. When you upgrade Vault, newly deprecated features will begin alerting that the feature is deprecated:

Built-in authentication and secrets plugins log Warn-level messages on unseal.
All deprecated features log Warn-level messages.
All POST, GET, and LIST endpoints associated with the feature return warnings in response data.

Built-in Vault authentication and secrets plugins also expose their deprecation status through the Vault CLI and Vault API.

CLI command	API endpoint
N/A	`/sys/plugins/catalog`
`vault plugin info auth <PLUGIN_NAME>`	`/sys/plugins/catalog/auth/:name`
`vault plugin info secret <PLUGIN_NAME>`	`/sys/plugins/catalog/secret/:name`

Pending removal

"Pending removal" is the second phase of the deprecation process and indicates that the feature behavior is fundamentally altered in the following ways:

Built-in authentication and secrets plugins log Error-level messages and cause an immediate shutdown of the Vault core.
All features pending removal fail and log Error-level messages.
All CLI commands and API endpoints associated with the feature fail and return errors.

Use with caution

In critical situations, you may be able to override the pending removal behavior with the VAULT_ALLOW_PENDING_REMOVAL_MOUNTS environment variable, which forces Vault to treat some features that are pending removal as if they were still only deprecated.

Removed

"Removed" is the last phase of the deprecation process and indicates that the feature is no longer supported and no longer exists within Vault.

Migrate from deprecated features

Features in the "pending removal" and "removed" phases will fail, log errors, and, for built-in authentication or secret plugins, cause an immediate shutdown of the Vault core.

Migrate away from a deprecated feature and successfully upgrade to newer Vault versions, you must eliminate the deprecated features:

Downgrade Vault to a previous version if necessary.
Replace any "Removed" or "Pending removal" feature with the recommended alternative.
Upgrade to latest desired version.