Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.2.0 compared to 1.1.0. Please read it carefully.
Known issues
AppRole upgrade issue
Due to a bug, on upgrade AppRole roles cannot be read properly. If using AppRole, do not upgrade until this issue is fixed in 1.2.1.
Changes/Deprecations
Path character handling
Due to underlying changes in Go's runtime past version 1.11.5, Vault is now
stricter about what characters it will accept in path names. Whereas before it
would filter out unprintable characters (and this could be turned off), control
characters and other invalid characters are now rejected within Go's HTTP
library before the request is passed to Vault, and this cannot be disabled. To
continue using these (e.g. for already-written paths), they must be properly
percent-encoded (e.g. \r
becomes %0D
, \x00
becomes %00
, and so on).
AWSKMS seal region
The user-configured regions on the AWSKMS seal stanza will now be preferred over regions set in the enclosing environment.
Audit logging of empty values
All values in audit logs now are omitted if they are empty. This helps reduce the size of audit log entries by not reproducing keys in each entry that commonly don't contain any value, which can help in cases where audit log entries are above the maximum UDP packet size and others.
Rollback logging
Rollback will no longer display log messages when it runs; it will only display messages if an error occurs.
Database plugins
Database plugins now default to 4 max open connections rather than 2. This should be safe in nearly all cases and fixes some issues where a single operation could fail with the default configuration because it needed three connections just for that operation. However, this could result in an increase in held open file descriptors for each database configuration, so ensure that there is sufficient overhead.
AppRole various changes
- AppRole uses new, common token fields for values that overlap with other auth
methods.
period
andpolicies
will continue to work, with priority being given to thetoken_
prefixed versions of these fields, but the values for those will only be returned on read if they were set initially. default
is no longer automatically added to policies after submission. It was a no-op anyways since Vault's core would always add it, and changing this behavior allows AppRole to support the newtoken_no_default_policy
parameter- The long-deprecated
bound_cidr_list
is no longer returned when reading a role.
Token store roles changes
Token store roles use new, common token fields for the values that overlap with
other auth backends. period
, explicit_max_ttl
, and bound_cidrs
will
continue to work, with priority being given to the token_
prefixed versions
of those parameters. They will also be returned when doing a read on the role
if they were used to provide values initially; however, in Vault 1.4 if
period
or explicit_max_ttl
is zero they will no longer be returned.
(explicit_max_ttl
was already not returned if empty.)
Go API/SDK changes
Vault now uses Go's official dependency management system, Go Modules, to
manage dependencies. As a result to both reduce transitive dependencies for API
library users and plugin authors, and to work around various conflicts, we have
moved various helpers around, mostly under an sdk/
submodule. A couple of
functions have also moved from plugin helper code to the api/
submodule. If
you are a plugin author, take a look at some of our official plugins and the
paths they are importing for guidance.
Change in LDAP group CN handling
A bug fix put in place in Vault 1.1.1 to allow group CNs to be found from an
LDAP server in lowercase cn
as well as uppercase CN
had an unintended
consequence. If prior to that a group used cn
, as in cn=foo,ou=bar
then the
group that would need to be put into place in the LDAP plugin to match against
policies is cn=foo,ou=bar
since the CN would not be correctly found. After
the change, the CN was correctly found, but this would result in the group name
being parsed as foo
and would not match groups using the full DN. In 1.1.5+,
there is a boolean config setting use_pre111_group_cn_behavior
to allow
reverting to the old matching behavior; we also attempt to upgrade exiting
configs to have that defaulted to true.
JWT/OIDC plugin
Logins of role_type "oidc" via the /login path are no longer allowed.
ACL wildcards
New ordering put into place in Vault 1.1.1 defines which policy wins when there
are multiple inexact matches and at least one path contains +
. +*
is now
illegal in policy paths. The previous behavior simply selected any matching
segment-wildcard path that matched.
Replication
Due to technical limitations, mounting and unmounting was not previously possible from a performance secondary. These have been resolved, and these operations may now be run from a performance secondary.