Vault v1.0.3 Release Notes

Release Date: 2019-02-12
    🔄 CHANGES:

    • New AWS authentication plugin mounts will default to using the generated role ID as the Identity alias name. This applies to both EC2 and IAM auth. Existing mounts that explicitly set this value will not be affected but mounts that specified no preference will switch over on upgrade.
    • The default policy now allows a token to look up its associated identity entity either by name or by id [GH-6105]
    • The Vault UI's navigation and onboarding wizard now only display items that are permitted by the user's policy [GH-5980, GH-6094]
    • An issue was fixed that caused recovery keys to not work on secondary clusters when using a different unseal mechanism/key than the primary. This would be hit if the cluster was rekeyed or initialized after 1.0. We recommend rekeying the recovery keys on the primary cluster if you meet the above requirements.

    🔋 FEATURES:

    • cURL Command Output: CLI commands can now use the -output-curl-string flag to print out an equivalent cURL command.
    • Response Headers From Plugins: Plugins can now send back headers that will be included in the response to a client. The set of allowed headers can be managed by the operator.

    👌 IMPROVEMENTS:

    • auth/aws: AWS EC2 authentication can optionally create entity aliases by role ID [GH-6133]
    • auth/jwt: The supported set of signing algorithms is now configurable [JWT plugin GH-16]
    • core: When starting from an uninitialized state, HA nodes will now attempt to auto-unseal using a configured auto-unseal mechanism after the active node initializes Vault [GH-6039]
    • secret/database: Add socket keepalive option for Cassandra [GH-6201]
    • secret/ssh: Add signed key constraints, allowing enforcement of key types and minimum key sizes [GH-6030]
    • secret/transit: ECDSA signatures can now be marshaled in JWS-compatible fashion [GH-6077]
    • storage/etcd: Support SRV service names [GH-6087]
    • storage/aws: Support specifying a KMS key ID for server-side encryption [GH-5996]
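    To show what the transit JWS marshaling item above means in practice, here is an added example (not Vault's own code) that converts an ECDSA signature from the ASN.1 DER form transit returns by default into the fixed-width r||s concatenation that JWS (RFC 7518 section 3.4) expects, and verifies it with the standard library. The key, payload and curve width are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// ecdsaASN1 mirrors DER SEQUENCE { r INTEGER, s INTEGER }, the default
// (asn1) layout of an ECDSA signature; ecdsa.SignASN1 produces the same bytes.
type ecdsaASN1 struct {
	R, S *big.Int
}

// DERToJWS converts a DER ECDSA signature to big-endian r||s, each padded to
// curveBytes (32 for P-256, 48 for P-384, 66 for P-521). It rejects trailing
// data and out-of-range scalars rather than silently truncating them.
func DERToJWS(der []byte, curveBytes int) ([]byte, error) {
	var sig ecdsaASN1
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after DER signature")
	}
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 ||
		sig.R.BitLen() > curveBytes*8 || sig.S.BitLen() > curveBytes*8 {
		return nil, fmt.Errorf("r or s outside the curve width")
	}
	out := make([]byte, 2*curveBytes)
	sig.R.FillBytes(out[:curveBytes])
	sig.S.FillBytes(out[curveBytes:])
	return out, nil
}

// VerifyJWS checks an r||s signature against a SHA-256 digest; a length that
// does not match the curve is a hard failure, as a JWS verifier would treat it.
func VerifyJWS(pub *ecdsa.PublicKey, digest, jwsSig []byte) bool {
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(jwsSig) != 2*n {
		return false
	}
	r := new(big.Int).SetBytes(jwsSig[:n])
	s := new(big.Int).SetBytes(jwsSig[n:])
	return ecdsa.Verify(pub, digest, r, s)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key
	digest := sha256.Sum256([]byte("constructed sample payload"))
	der, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	jws, err := DERToJWS(der, 32)
	fmt.Println(len(der), len(jws), err, VerifyJWS(&priv.PublicKey, digest[:], jws))
}
```

    The DER form varies in length (70 to 72 bytes for P-256) while the JWS form is always exactly 64 bytes, which is why JWS libraries cannot consume transit's default output directly.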

    ๐Ÿ› BUG FIXES:

    • core: Fix a rare case where a standby whose connection is entirely torn down to the active node, then reconnects to the same active node, may not successfully resume operation [GH-6167]
    • cors: Don't duplicate headers when they're written [GH-6207]
    • identity: Persist merged entities only on the primary [GH-6075]
    • replication: Fix a potential race when a token is created and then used with a performance standby very quickly, before an associated entity has been replicated. If the entity is not found in this scenario, the request will forward to the active node.
    • replication: Fix issue where recovery keys would not work on secondary clusters if using a different unseal mechanism than the primary.
    • replication: Fix a "failed to register lease" error when using performance standbys
    • storage/postgresql: The Get method will now return an Entry object with the Key member correctly populated with the full path that was requested instead of just the last path element [GH-6044]