Vault v1.0.2 Release Notes
Release Date: 2019-01-15
SECURITY:
- When creating a child token from a parent with bound_cidrs, the list of CIDRs would not be propagated to the child token, allowing the child token to be used from any address.
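A minimal Go model of the issue above, added here as an illustration and not taken from Vault's source: the Token type, NewChild and Allowed are hypothetical names, and the addresses are constructed sample values. It shows why a dropped CIDR list fails open rather than closed.

```go
package main

import (
	"fmt"
	"net"
)

// Token is a simplified stand-in for a token entry (hypothetical, not Vault's type).
type Token struct {
	ID         string
	BoundCIDRs []string // empty means "usable from any address"
}

// NewChild models child-token creation. propagate=false reproduces the
// pre-fix behaviour: the parent's CIDR list is not copied to the child.
func NewChild(parent Token, id string, propagate bool) Token {
	child := Token{ID: id}
	if propagate {
		child.BoundCIDRs = append([]string(nil), parent.BoundCIDRs...)
	}
	return child
}

// Allowed reports whether t may be used from remoteAddr. An empty list
// fails open, so a dropped list silently removes the restriction.
func Allowed(t Token, remoteAddr string) bool {
	ip := net.ParseIP(remoteAddr)
	if ip == nil {
		return false // unparseable client address: deny
	}
	if len(t.BoundCIDRs) == 0 {
		return true
	}
	for _, c := range t.BoundCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: parent restricted to an internal range.
	parent := Token{ID: "parent", BoundCIDRs: []string{"10.0.0.0/8"}}
	for _, propagate := range []bool{false, true} {
		child := NewChild(parent, "child", propagate)
		fmt.Printf("propagate=%v internal=%v external=%v\n", propagate, Allowed(child, "10.1.2.3"), Allowed(child, "203.0.113.7"))
	}
}
```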
CHANGES:
- secret/aws: Role now returns credential_type instead of credential_types to match role input. If a legacy role can supply more than one credential type, they will be concatenated with a ",".
- physical/dynamodb, autoseal/aws: Instead of Vault performing environment variable handling, and overriding static (config file) values if found, we use the default AWS SDK env handling behavior, which also looks for deprecated values. If you were previously providing both config values and environment values, please ensure the config values are unset if you want to use environment values.
- Namespaces (Enterprise): Providing "root" as the header value for X-Vault-Namespace will perform the request on the root namespace. This is equivalent to providing an empty value. Creating a namespace called "root" in the root namespace is disallowed.
FEATURES:
- InfluxDB Database Plugin: Use Vault to dynamically create and manage InfluxDB users
IMPROVEMENTS:
- auth/aws: AWS EC2 authentication can optionally create entity aliases by image ID [GH-5846]
- autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal [GH-5999]
- physical/foundationdb: TLS support added. [GH-5800]
BUG FIXES:
- api: Fix a couple of places where we were using the LIST HTTP verb (necessary to get the right method into the wrapping lookup function) and not then modifying it to a GET; although this is officially the verb Vault uses for listing and it's fully legal to use custom verbs, since many WAFs and API gateways choke on anything outside of RFC-standardized verbs we fall back to GET [GH-6026]
- autoseal/aws: Fix reading session tokens when AWS access key/secret key are also provided [GH-5965]
- command/operator/rekey: Fix help output showing -delete-backup when it should show -backup-delete [GH-5981]
- core: Fix bound_cidrs not being propagated to child tokens
- replication: Correctly forward identity entity creation that originates from performance standby nodes (Enterprise)
- secret/aws: Make input credential_type match the output type (string, not array) [GH-5972]
- secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
- secret/pki: Fix reading certificates on Windows with the file storage backend [GH-6013]
- ui (enterprise): properly display perf-standby count on the license page [GH-5971]
- ui: fix disappearing nested secrets and go to the nearest parent when deleting a secret [GH-5976]
- ui: fix error where deleting an item via the context menu would fail if the item name contained dots [GH-6018]
- ui: allow saving of kv secret after an errored save attempt [GH-6022]
- ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]