Vault
Vault 1.9.0 release notes
Software Release Date: November 19, 2021
Summary: This document captures major updates as part of Vault release 1.9.0, including new features, breaking changes, enhancements, deprecation, and EOL plans. Refer to the Changelog for additional changes made within the Vault 1.9 release.
New features
This section describes the new features introduced as part of Vault 1.9.0.
Client count improvements
Several improvements to client count were made to help customers better track and identify client attribution and reduce overcomputing.
Improved computation of client counts and usability within the usage metrics UI
The improvements made include the following:
- New logic enables de-duplication of non-entity tokens, thereby reducing their contribution towards the client count
- New logic allows entities to be created for local auth mounts, thereby eliminating non-entity-tokens being issued by the local auth mounts and reducing the overall client count
- Eliminates root tokens from the client count aggregate
- Displays client counts per namespace (top ten, descending order by attribution) in the usage metrics UI with the ability to export data for all namespaces
- Displays clients earlier than a month in the usage metrics UI (within ten minutes since initiation of computation)
Advanced data protection module (ADP) enhancements
The following section provides details about the ADP module features added in this release.
Advanced I/O handling for tranform FPE (ADP-Transform)
Users of the Format Preserving Encryption (FPE) feature of ADP Transform will now benefit from increased flexibility with regards to formatting the input and output of their data. Transformation templates are receiving two new fields- encode_format and decode_formats -that allow users to specify and format individual capturing groups within the regular expressions that define their formats.
MS SQL TDE (ADP-KM)
We added support to Vault Enterprise for customers who want Vault to manage encryption keys for Transparent Data Encryption on MSSQL servers.
Key management Secrets(KMS) engine - GCP (ADP-KM)
The KMS Engine for GCP provides key management via the Google Cloud KMS to assist with automating many GCP key management functions.
Other features and enhancements
This section describes other features and enhancements introduced as part of the Vault 1.9 release.
Vault agent improvements
Improvements were made to the Vault Agent Cache to ensure that consul-template is always routed through the Vault Agent cache, therefore, eliminating the need for listeners to be defined in the Vault Agent for just templating.
Customized username generation for database dynamic credentials
This feature enables customization of username for database dynamic credentials. This feature helps customers better manage and correlate usernames for various actions such as troubleshooting, etc. Vault 1.9 supports Postgres, MSSQL, MySQL, Oracle, MongoDB.
Customizable HTTP headers for Vault
This feature allows security operators to configure custom response headers to HTTP root path (/
) and API endpoints (/v1/*
), in addition to the previously supported UI paths through the server HCL configuration file.
Support for IBM s390X CPU architecture
This feature adds support for Vault to run on the IBM s390x architecture via the equivalent binary.
Namespace API lock
This feature allows namespace administrators to flexibly control operations such as locking APIs from child namespaces to which they have access. This enables them to restrict access to their domain in a multi-tenant environment and perform break-glass procedures in times of emergency to protect a cluster from within their child namespace.
Vault terraform provider v3
We have upgraded the Vault Terraform Provider to the latest version of the Terraform Plugin SDKv2 to leverage new features.
Azure secrets engine
The following enhancement are included:
- Added
use_microsoft_graph_api
configuration parameter is added to use with Microsoft Graph API. We are targeting to remove Azure Active Directory API by June 30, 2022. - Rotate root API is now available to rotate client_secret immediately after configuration.
Customized metadata for KV
This enhancement provides the ability to set version-agnostic custom key metadata for Vault KVv2 secrets via a metadata endpoint. This custom metadata is also visible in the UI.
UI enhancements
Expanding the UI for more DB secrets engines
We have been adding support for DB secrets engines in the UI over the past few releases. In the Vault 1.9 release, we have added support for Oracle and ElasticSearch and PostgresSQL database secrets engines in the UI.
PKI certificate metadata
The PKI Secrets Engine now displays additional PKI certificate metadata in the UI, such as date issued, date of expiry, serial number, and subject/name.
Tech preview features
KV secrets engine v2 patch operations
This feature provides a more streamlined method for managing KV v2 secrets, enabling customers to better maintain least privilege security in automated environments. This feature allows performing partial updates to KV v2 secrets without requiring to read the full KV secret's key/value pairs.
Vault as an OIDC provider
Vault can now act as an OIDC Provider so applications can leverage the pre-existing Vault identities to authenticate into applications.
Breaking changes
The following section details breaking changes introduced in Vault 1.9.
Removal of HTTP request counters
In Vault 1.9, the internal HTTP Request count API was removed from the product. Calls to the endpoint will result in a 404 error with a message stating that functionality on this path has been removed. Please refer to the upgrade guide for more information.
As called out in the documentation, Vault does not make backwards compatible guarantees on internal APIs (those prefaced with sys/internal
). They are subject to change and may disappear without notice.
Feature deprecations and EOL
Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans. An FAQ page is also available to address questions concerning decisions made about Vault feature deprecations.