Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.5.0 compared to 1.4.1. Please read it carefully.
Google Cloud storage credentials_file removed
The deprecated credentials_file config option has been removed. The GOOGLE_APPLICATION_CREDENTIALS environment variable or default credentials may be used instead. See GCS Authentication for details on supported options.
Raft configuration
A new Raft configuration value, max_entry_size, has been introduced. This value limits the size in bytes of a Raft KV entry. It applies to both put operations and transactions: any put or transaction operation exceeding this configuration value will cause the respective operation to fail. The default value for this configuration is 1MiB.
In addition, a new metric has been introduced, vault.raft-storage.entry_size, that allows operators to sample the entry size, view the average, and adjust the configuration value as necessary. For additional details, please see Raft configuration.
Enabling telemetry on 32-bit systems will cause Vault to crash.
A workaround for this issue is to disable collection of usage gauges in the telemetry stanza of the configuration.
telemetry {
  ...
  usage_gauge_period = "none"
}
This will suppress the metrics vault.identity.entity.count, vault.identity.entity.alias.count, vault.token.count, vault.token.count.by_auth, vault.token.count.by_policy, vault.token.count.by_ttl and vault.secret.kv.count that were introduced in version 1.5.0, but all other Vault telemetry will remain available.
Zero-length keys in key-value stores will cause Vault to crash.
A key-value data store might have a zero-length key, created before the request handling was modified to make this operation impossible. The metrics collection process crashes if it encounters this while counting the number of KV secrets.
A workaround for this issue is to disable collection of usage gauges in the telemetry stanza of the configuration.
telemetry {
  ...
  usage_gauge_period = "none"
}
This will disable all the metrics listed in the previous section. Alternatively, set the environment variable VAULT_DISABLE_KV_GAUGE, which disables only vault.secret.kv.count.
Non-string values in seal config prevent startup
Any values in the Seal configuration stanza that are not quoted strings yield a parse error of the form:
error loading "/etc/vault.d/config_seal.hcl": error parsing 'seal': seal.pkcs11: unable to parse 'purpose' in kms type "pkcs11": value could not be parsed as string
The error is not actually with the purpose field, but rather with other config fields such as:
mechanism = 0x1082
The workaround is to quote the strings in question, as in:
mechanism = "0x1082"
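As an added example (not part of the Vault documentation or the Vault code base), the following Python check scans a config file for a seal stanza, reports every setting whose value is not a quoted string, and applies the workaround above by quoting it. The sample HCL, its pkcs11 values and the PIN are constructed for illustration; it does not parse full HCL, only one setting per line.

```python
import re

# Constructed sample seal stanza (not from any real deployment); the
# `mechanism = 0x1082` line is the unquoted value the page describes.
SAMPLE_SEAL_CONFIG = '''seal "pkcs11" {
  lib       = "/usr/lib/softhsm/libsofthsm2.so"
  slot      = 0
  pin       = "CONSTRUCTED-PIN"
  key_label = "vault-hsm-key"
  mechanism = 0x1082
  generate_key = true
}
'''

# `key = value` whose value is not a quoted string; nested blocks and lists are skipped.
_UNQUOTED = re.compile(
    r'^(\s*[A-Za-z_][\w-]*\s*=\s*)([^"\s#{\[][^\s#]*)(\s*(?:#.*)?)$')

def _seal_lines(hcl_text):
    """Yield (line_number, line, inside_seal) for every line of the config."""
    in_seal, depth = False, 0
    for lineno, line in enumerate(hcl_text.splitlines(), 1):
        stripped = line.strip()
        if in_seal:
            depth += stripped.count('{') - stripped.count('}')
            in_seal = depth > 0          # the closing brace ends the stanza
            yield lineno, line, in_seal
        else:
            if stripped.startswith('seal ') and stripped.endswith('{'):
                in_seal, depth = True, 1
            yield lineno, line, False

def find_unquoted_values(hcl_text):
    """Return (line_number, key, value) for each seal setting whose value is
    not a quoted string; an empty list means the stanza will parse."""
    hits = []
    for lineno, line, inside in _seal_lines(hcl_text):
        m = _UNQUOTED.match(line) if inside else None
        if m:
            hits.append((lineno, m.group(1).split('=')[0].strip(), m.group(2)))
    return hits

def quote_unquoted_values(hcl_text):
    """Apply the page's workaround: wrap every offending seal value in quotes."""
    out = []
    for _, line, inside in _seal_lines(hcl_text):
        out.append(_UNQUOTED.sub(r'\1"\2"\3', line) if inside else line)
    return '\n'.join(out) + '\n'
```

Settings outside the seal stanza (for example a listener's tls_disable = 1) are left untouched, since the parse error described here is specific to the seal configuration.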
Okta auth with > 200 groups
In 1.4.0 Vault started using the official Okta Go client library. Unlike the previous Okta library it used, the official library doesn't automatically handle pagination when there are more than 200 groups listed. If a user associated with more than 200 Okta groups logs in, only 200 of them will be seen by Vault. The fix is #9580 and will eventually appear in 1.4.x and 1.5.x point releases.
AWS instance metadata timeout
In 1.4.0 Vault started using an updated AWS Go SDK which had support for v2 of the EC2 instance metadata service. However, due to the way the SDK was configured in Vault, there can be a delay of around 2 minutes when Vault relies on the instance metadata service for credentials. A fix that reduces the delay went into 1.5.5: #10133.