HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

Overview

This page contains the list of deprecations and important or breaking changes for Vault 1.5.0 compared to 1.4.1. Please read it carefully.

Google Cloud storage credentials_file removed

The deprecated credentials_file config option has been removed. The GOOGLE_APPLICATION_CREDENTIALS environment variable or default credentials may be used instead. See GCS Authentication for details on supported options.

Raft configuration

A new Raft configuration value, max_entry_size, has been introduced. This value limits the size in bytes for a Raft KV entry. It applies to both put operations and transactions. Any put or transaction operation exceeding this configuration value will cause the respective operation to fail. The default value for this configuration is 1MiB.

In addition, a new metric has been introduced, vault.raft-storage.entry_size, that allows for operators to sample the entry size, view the average, and adjust the configuration value as necessary. For additional details, please see Raft configuration.

Enabling telemetry on 32-bit systems will cause Vault to crash.

A workaround for this issue is to disable collection of usage gauges in the telemetry stanza of the configuration.

telemetry {
  ...
  usage_gauge_period = "none"
}

This will suppress the metrics vault.identity.entity.count, vault.identity.entity.alias.count, vault.token.count, vault.token.count.by_auth, vault.token.count.by_policy, vault.token.count.by_ttl and vault.secret.kv.count that were introduced in version 1.5.0, but all other Vault telemetry will remain available.

Zero-length keys in key-value stores will cause Vault to crash.

A key-value data store might have a zero-length key, created before the request handling was modified to make this operation impossible. The metrics collection process crashes if it encounters this while counting the number of KV secrets.

A workaround for this issue is to disable collection of usage gauges in the telemetry stanza of the configuration.

telemetry {
  ...
  usage_gauge_period = "none"
}

This will disable all the metrics listed in the previous section. Or, set the environment value VAULT_DISABLE_KV_GAUGE, which will disable only vault.secret.kv.count.

Non-string values in seal config prevent startup

Any values in the Seal configuration stanza that are not quoted strings yield a parse error of the form:

error loading "/etc/vault.d/config_seal.hcl": error parsing 'seal': seal.pkcs11: unable to parse 'purpose' in kms type "pkcs11": value could not be parsed as string

The error is not actually with the purpose field, but rather with other config fields such as:

 mechanism = 0x1082

The workaround is to quote the strings in question, as in:

 mechanism = "0x1082"

Okta auth with > 200 groups

In 1.4.0 Vault started using the official Okta Go client library. Unlike the previous Okta library it used, the official library doesn't automatically handle pagination when there are more than 200 groups listed. If a user associated with more than 200 Okta groups logs in, only 200 of them will be seen by Vault. The fix is #9580 and will eventually appear in 1.4.x and 1.5.x point releases.

AWS instance metadata timeout

In 1.4.0 Vault started using an updated AWS Go SDK which had support for v2 of the EC2 instance metadata service. However, due to the way the SDK was configured in Vault, there can be a delay of around 2 minutes when Vault relies on the instance metadata service for credentials. A fix that reduces the delay went into 1.5.5: #10133.