Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.7.x compared to 1.6. Please read it carefully.
Go version
Vault 1.7.8 and higher are built with Go 1.16. Please review the Go Release Notes for full details. Vault 1.7.0-1.7.7 are built with Go 1.15.
Barrier key Auto-Rotation
If your Vault installation is at least a year old, the barrier key will be rotated automatically once, and subsequently per the settings in the new sys/rotate/config endpoint. This is a precaution to keep the number of encryptions performed by the barrier key below the limit recommended by NIST SP 800-38D.
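The following Python is an added example, not part of the upgrade guide or HashiCorp's code. It audits the current key term against the two limits sys/rotate/config exposes (an encryption-count ceiling and a key age) from the JSON a CLI user would already have on hand. It assumes the `sys/key-status` data object carries `term`, `install_time` and `encryptions`, that `sys/rotate/config` carries `enabled`, `max_operations` (default 3865470566, which is 90% of the 2^32 invocations NIST SP 800-38D allows per GCM key) and `interval` as a Go duration string; the sample inputs are constructed, and the field names and defaults should be checked against your Vault version.

```python
"""Audit a Vault barrier key term against the rotation limits described above.

Added example, not HashiCorp's code. It consumes the `data` objects returned by
`vault operator key-status -format=json` (sys/key-status) and
`vault read -format=json sys/rotate/config`. The field names (`term`,
`install_time`, `encryptions`, `enabled`, `max_operations`, `interval`) and the
defaults below are as I recall them from the Vault 1.7 API docs; verify them
against your version.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# NIST SP 800-38D caps a single GCM key at 2**32 authenticated-encryption invocations.
NIST_GCM_INVOCATION_LIMIT = 2 ** 32
# Vault's default for sys/rotate/config max_operations: 90% of the NIST limit.
VAULT_DEFAULT_MAX_OPERATIONS = 3_865_470_566

_DURATION_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def parse_go_duration(text: str) -> float:
    """Return the seconds in a Go duration string such as '720h' or '1h30m'.

    `interval` is stored as a Go duration; an empty string or '0' disables the
    time-based trigger.
    """
    if text in ("", "0"):
        return 0.0
    parts = _DURATION_PART.findall(text)
    if "".join(value + unit for value, unit in parts) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return sum(float(value) * _DURATION_UNITS[unit] for value, unit in parts)


def parse_install_time(text: str) -> datetime:
    """Parse the RFC 3339 install_time, which Go emits with up to nine fractional digits.

    datetime.fromisoformat() accepts at most six fractional digits and, before
    Python 3.11, no trailing 'Z', so normalise both first.
    """
    text = text.replace("Z", "+00:00")
    m = re.match(r"^(.*\.\d{6})\d*([+-]\d\d:\d\d)$", text)
    if m:
        text = m.group(1) + m.group(2)
    return datetime.fromisoformat(text)


def rotation_status(key_status: dict, rotate_config: dict, now: datetime) -> dict:
    """Report which configured limits the current key term has reached.

    This mirrors the two triggers sys/rotate/config exposes (an encryption-count
    ceiling and a key age); it is my reading of the endpoint, not Vault's own code.
    """
    encryptions = int(key_status["encryptions"])
    installed = parse_install_time(key_status["install_time"])
    max_ops = int(rotate_config.get("max_operations") or VAULT_DEFAULT_MAX_OPERATIONS)
    interval_s = parse_go_duration(rotate_config.get("interval") or "")
    age_s = (now - installed).total_seconds()

    over_limit = []
    if encryptions >= max_ops:
        over_limit.append("max_operations")
    if interval_s and age_s >= interval_s:
        over_limit.append("interval")

    return {
        "term": key_status["term"],
        "encryptions": encryptions,
        "fraction_of_nist_limit": encryptions / NIST_GCM_INVOCATION_LIMIT,
        "age_days": age_s / 86400,
        "over_limit": over_limit,
        # With auto-rotation disabled, a reached limit means a manual
        # `vault operator rotate` is due.
        "auto_rotation_enabled": bool(rotate_config.get("enabled", True)),
    }


# Constructed sample data, not captured from a real cluster.
SAMPLE_KEY_STATUS = {
    "term": 1,
    "install_time": "2020-03-01T10:00:00.123456789Z",
    "encryptions": 3_900_000_000,
}
SAMPLE_ROTATE_CONFIG = {"enabled": True, "max_operations": VAULT_DEFAULT_MAX_OPERATIONS, "interval": ""}
SAMPLE_NOW = datetime(2021, 4, 1, tzinfo=timezone.utc)


def audit_sample(rotate_config: Optional[dict] = None) -> dict:
    """Run the audit on the constructed sample (override the config to try the interval trigger)."""
    return rotation_status(SAMPLE_KEY_STATUS, rotate_config or SAMPLE_ROTATE_CONFIG, SAMPLE_NOW)


if __name__ == "__main__":
    for label, cfg in (("defaults", None),
                       ("30-day interval", {"max_operations": 10_000_000_000, "interval": "720h"})):
        print(label, audit_sample(cfg))
```

In practice you would feed `rotation_status` the `data` objects from the two CLI commands named in the docstring; a term that has crossed `max_operations` while `enabled` is false is the case to watch for, since nothing will rotate it for you.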
AWS auth endpoint changes and deprecations
AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms have been updated to more inclusive language (e.g. /auth/aws/identity-whitelist has been updated to /auth/aws/identity-accesslist). The old and new endpoints are aliases sharing the same underlying data. The legacy endpoint names are considered deprecated and will be removed in a future release (not before Vault 1.9). The complete list of endpoint changes is available in the AWS Auth API docs.
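One consequence worth checking before the legacy names disappear: the aliasing happens inside the auth backend, but Vault evaluates ACL policies against the path the client actually requests, so a policy rule on auth/aws/identity-whitelist/* does not authorize a request to auth/aws/identity-accesslist/*. The Python below is an added example (not part of the Vault docs or HashiCorp's code) that walks an exported policy and duplicates each rule on a legacy path onto the new path, leaving the legacy rule in place. Its rename table holds the two renames the upgrade notes mention (identity-whitelist to identity-accesslist, roletag-blacklist to roletag-denylist) and assumes the tidy and config/tidy variants reuse the same path segments; check the full list in the AWS Auth API docs. The sample policy is constructed.

```python
"""Duplicate ACL policy rules written for the legacy AWS auth endpoint names.

Added example, not HashiCorp's code. Vault's old and new AWS auth paths are
aliases in the backend, but ACL checks run on the requested path, so a rule on
the legacy path alone leaves the new path unauthorized. Rename table: the two
renames named in the Vault 1.7 upgrade notes; assumed to cover the tidy/ and
config/tidy/ variants because they reuse the same segments.
"""
import re
from typing import List, Optional, Tuple

RENAMES = {
    "identity-whitelist": "identity-accesslist",
    "roletag-blacklist": "roletag-denylist",
}

# Matches the opening line of a policy rule: path "<path>" { ...
_PATH_RULE = re.compile(r'^(\s*path\s+")([^"]*)(".*)$')


def modernize_path(path: str) -> Optional[str]:
    """Return the path with legacy segments renamed, or None if it has none.

    Only paths under auth/ are considered; the mount name is not checked, since a
    policy file does not say which mounts are AWS auth mounts.
    """
    parts = path.split("/")
    if len(parts) < 2 or parts[0] != "auth":
        return None
    renamed = [RENAMES.get(segment, segment) for segment in parts]
    return "/".join(renamed) if renamed != parts else None


def migrate_policy(policy_hcl: str) -> Tuple[str, List[str]]:
    """Copy every rule on a legacy path into an identical rule on the new path.

    The legacy rule is kept so clients that still call the old endpoints keep
    working until the names are removed. Rule blocks are delimited by brace depth,
    which also handles nested maps such as allowed_parameters. Returns the rewritten
    policy text and the list of paths that were added.
    """
    lines = policy_hcl.splitlines()
    out: List[str] = []
    added: List[str] = []
    i = 0
    while i < len(lines):
        match = _PATH_RULE.match(lines[i])
        if not match:
            out.append(lines[i])
            i += 1
            continue
        block: List[str] = []
        depth = 0
        while True:  # collect the whole rule, including a one-line `path "x" { ... }`
            line = lines[i]
            block.append(line)
            depth += line.count("{") - line.count("}")
            i += 1
            if depth <= 0 or i >= len(lines):
                break
        out.extend(block)
        new_path = modernize_path(match.group(2))
        if new_path:
            out.append(match.group(1) + new_path + match.group(3))
            out.extend(block[1:])
            added.append(new_path)
    return "\n".join(out) + "\n", added


# Constructed sample policy, not taken from any real deployment.
SAMPLE_POLICY = '''# aws-auth-admin (constructed sample)
path "auth/aws/identity-whitelist/*" {
  capabilities = ["read", "list", "delete"]
}

path "auth/aws/config/tidy/roletag-blacklist" {
  capabilities = ["create", "update"]
}

path "secret/data/app/*" {
  capabilities = ["read"]
}
'''

if __name__ == "__main__":
    rewritten, new_paths = migrate_policy(SAMPLE_POLICY)
    print(rewritten)
    print("added rules for:", new_paths)
```

A realistic run is `vault policy read <name>` piped into `migrate_policy`, a diff review, then `vault policy write <name> -` with the result; once the legacy endpoints are removed, the now-dead legacy rules can be deleted in a second pass.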
Alpine 3.14
Docker images for Vault 1.6.6+, 1.7.4+, and 1.8.2+ are built with Alpine 3.14, due to a security issue in Alpine 3.13 (CVE-2021-36159). Some users on older versions of Docker may run into issues with these images. See the following for more details:
- https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
- https://about.gitlab.com/blog/2021/08/26/its-time-to-upgrade-docker-engine/
Entity alias mapping
Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This led to a potential security vulnerability (CVE-2021-43998): ACL policies templated with alias information would match the first alias created, so tokens created from any alias of the entity had access to the paths containing the alias metadata of the first alias, because the templated policies were applied incorrectly. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.
Known issues
Because of the Transform storage upgrade issue described below, Transform Secrets Engine users are recommended to upgrade to version 1.7.0. Because of the lease count quota invalidation issue described below, Lease Count Quota users with DR Secondaries are recommended to upgrade to version 1.7.4.
Autopilot
- Autopilot is not currently supported on DR Secondary clusters, or in Integrated Storage's HA-only mode.
- If the IP address in the raft peer list is different from the configured cluster address, autopilot may be unable to determine the leader node. If affected, you should disable autopilot by setting the VAULT_RAFT_AUTOPILOT_DISABLE environment variable to 1.
Transform storage upgrades fixed
The Transform Secrets Engine storage upgrade introduced in 1.6.0 produced malformed configuration for transformations configured earlier than 1.6.0, resulting in an error when using these transformations if Vault is restarted after the upgrade. This issue exists on Vault 1.6.0 through 1.6.3, and is fixed in Vault 1.6.4 and 1.7.0. Transformations configured on 1.6.0 or higher are unaffected.
Lease count quota invalidations on DR secondaries fixed
Lease count quota invalidation causes DR Secondaries to panic and experience a hard shutdown. This issue exists in versions prior to Vault 1.6.6 and 1.7.4. It is fixed in Vault 1.6.6, 1.7.4, and 1.8.0.