Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 0.9.1 compared to 0.9.0. Please read it carefully.
AppRole case sensitivity
In prior versions of Vault, list
operations against AppRole roles would
require preserving case in the role name, even though most other operations
within AppRole are case-insensitive with respect to the role name. This has
been fixed; existing roles will behave as they have in the past, but new roles
will act case-insensitively in these cases.
Token auth backend roles parameter types
For allowed_policies
and disallowed_policies
in role definitions in the
token auth backend, input can now be a comma-separated string or an array of
strings. Reading a role will now return arrays for these parameters.
Transit key exporting
You can now mark a key in the transit
backend as exportable
at any time,
rather than just at creation time; however, once this value is set, it still
cannot be unset.
PKI secret backend roles parameter types
For allowed_domains
and key_usage
in role definitions in the PKI secret
backend, input can now be a comma-separated string or an array of strings.
Reading a role will now return arrays for these parameters.
SSH dynamic keys method defaults to 2048-bit keys
When using the dynamic key method in the SSH backend, the default is now to use 2048-bit keys if no specific key bit size is specified.
Consul secret backend lease handling
The consul
secret backend can now accept both strings and integer numbers of
seconds for its lease value. The value returned on a role read will be an
integer number of seconds instead of a human-friendly string.
Unprintable characters not allowed in API paths
Unprintable characters are no longer allowed in names in the API (paths and path parameters), with an extra restriction on whitespace characters. Allowed characters are those that are considered printable by Unicode plus spaces.