
Changelog History

  • v1.13.0 Changes

    Unreleased

    CHANGES:

    • auth/approle: Add a maximum length of 4096 for AppRole role_names, because the role name is used as input to an HMAC calculation [GH-17768]
    • auth: Return "invalid credentials" for ldap, userpass and approle when wrong credentials are provided for existing users. This is only used internally, to implement user lockout. [GH-17104]
    • core: Bump Go version to 1.19.2.
    • plugins: The GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
    • plugins: The GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
    • plugins: GET for the /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now returns additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
    • secrets/aws: Do not create leases for non-renewable/non-revocable STS credentials, to reduce storage calls [GH-15869]
    • ui: Upgrade Ember to version 4.4.0 [GH-17086]

    FEATURES:

    • core: Add a user lockout stanza to the server config, and allow it to be configured per auth mount with auth tune, to prevent brute-forcing of auth methods [GH-17338]

    IMPROVEMENTS:

    • Reduced binary size [GH-17678]
    • agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
    • api: Support the VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable the default client behavior and prevent the client from following any redirection responses. [GH-17352]
    • auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
    • cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
    • cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
    • core/identity: Add machine-readable output to the body of the response upon alias clash during entity merge [GH-17459]
    • core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using Consul as a storage backend. [GH-17265]
    • core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
    • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
    • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
    • plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
    • secrets/aws: Update dependencies [PR-17747] [GH-17747]
    • secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
    • secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
    • secrets/pki: Add support to specify signature bits when generating CSRs through the intermediate/generate APIs [GH-17388]
    • secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id from the existing certificate serial lookup API if the certificate is revoked [GH-17774]
    • secrets/ssh: Evaluate the ssh validprincipals user template before splitting [GH-16622]
    • secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
    • secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
    • storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
    • sys/internal/inspect: Adds an endpoint to inspect internal subsystems.
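
    The associated_data parameter listed above carries data that an AEAD cipher authenticates but does not encrypt, so a ciphertext can be bound to a context (a tenant, a record ID, a key version) and will fail to decrypt when that context is presented differently. The Go program below is an added example, not Vault code; it uses only the standard library's AES-256-GCM, and the key, the plaintext and the context strings are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealWithAAD encrypts plaintext under key with AES-256-GCM, authenticating
// aad (associated data) without encrypting it. Returns nonce||ciphertext||tag.
func sealWithAAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openWithAAD reverses sealWithAAD. It fails if the ciphertext, the key or
// the associated data differ from what was sealed, because the GCM tag
// covers the associated data as well as the ciphertext.
func openWithAAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip seals pt with aadSeal and tries to open it with aadOpen, using a
// fresh random key. It reports whether decryption succeeded; an
// authentication failure is reported as (false, nil), not as an error.
func RoundTrip(pt, aadSeal, aadOpen []byte) (bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, err
	}
	sealed, err := sealWithAAD(key, pt, aadSeal)
	if err != nil {
		return false, err
	}
	out, err := openWithAAD(key, sealed, aadOpen)
	if err != nil {
		return false, nil
	}
	return string(out) == string(pt), nil
}

func main() {
	pt := []byte("db-password=s3cr3t") // constructed sample secret
	same, _ := RoundTrip(pt, []byte("tenant=a"), []byte("tenant=a"))
	other, _ := RoundTrip(pt, []byte("tenant=a"), []byte("tenant=b"))
	missing, _ := RoundTrip(pt, []byte("tenant=a"), nil)
	fmt.Println("same context:", same, "different context:", other, "no context:", missing)
}
```

    The first call opens; the second and third fail authentication because the tag was computed over the original context. That is the behaviour to expect from the transit endpoint too: the associated data supplied at decrypt time must be byte-for-byte what was supplied at encrypt time, and omitting it is a mismatch, not a wildcard.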

    BUG FIXES:

    • cli: Fix issue preventing kv commands from executing properly when the mount path provided by the -mount flag and the secret key path are the same. [GH-17679]
    • cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): Switch to using the hash length as the PSS salt length within the test/sign API for better PKCS#11 compatibility
    • core/seal: Fix regression in handling of the key_id parameter in seal configuration HCL. [GH-17612]
    • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
    • core: Fix the vault operator init command to show the right curl string with -output-curl-string and the right policy HCL with -output-policy [GH-17514]
    • core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
    • core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
    • core: fix GPG encryption to support subkeys. [GH-16224]
    • core: fix a start-up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
    • core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during MFA after the enforcement's namespace is deleted [GH-17562]
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • openapi: fix the gen_openapi.sh script to correctly load Vault plugins [GH-17752]
    • plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
    • plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
    • secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
    • secrets/pki: Do not read revoked certificates from the backend when the CRL is disabled [GH-17385]
    • secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
    • secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ui: Fixes issue with not being able to download a raft snapshot via service worker [GH-17769]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
    • ui: Remove default value of 30 from TtlPicker2 if no value is passed in. [GH-17376]
  • v1.12.1 Changes

    November 2, 2022

    IMPROVEMENTS:

    • api: Support the VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable the default client behavior and prevent the client from following any redirection responses. [GH-17352]
    • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
    • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

    BUG FIXES:

    • cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): Switch to using the hash length as the PSS salt length within the test/sign API for better PKCS#11 compatibility
    • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
    • core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during MFA after the enforcement's namespace is deleted [GH-17562]
    • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
    • kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
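
    The reason VAULT_DISABLE_REDIRECTS matters is that an HTTP client which follows a 3xx will re-send the request, headers included, to whatever host the Location header names; a token meant for one Vault address can end up at another. The Go program below is an added example, not the Vault API client: it stands up two local test servers, one that redirects to the other, and shows that a client which stops at the redirect never delivers the X-Vault-Token header to the second host. The token value and paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// RedirectProbe starts a "vault" server that answers every request with a
// 307 to an "other" server, which records whether it ever received an
// X-Vault-Token header. It returns the status the client observed and
// whether the token reached the second host.
func RedirectProbe(followRedirects bool) (status int, leaked bool, err error) {
	var tokenSeen int32
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "" {
			atomic.StoreInt32(&tokenSeen, 1)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer other.Close()

	vault := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+r.URL.Path, http.StatusTemporaryRedirect)
	}))
	defer vault.Close()

	client := &http.Client{}
	if !followRedirects {
		// Same effect as VAULT_DISABLE_REDIRECTS: stop at the 3xx and hand the
		// redirect response back to the caller instead of chasing Location.
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}

	req, err := http.NewRequest(http.MethodGet, vault.URL+"/v1/secret/data/app", nil)
	if err != nil {
		return 0, false, err
	}
	req.Header.Set("X-Vault-Token", "hvs.constructed-sample-token") // constructed, not a real token
	resp, err := client.Do(req)
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	return resp.StatusCode, atomic.LoadInt32(&tokenSeen) == 1, nil
}

func main() {
	for _, follow := range []bool{true, false} {
		st, leaked, err := RedirectProbe(follow)
		fmt.Printf("follow=%v status=%d token_reached_other_host=%v err=%v\n", follow, st, leaked, err)
	}
}
```

    With redirects followed the client sees a 200 and the second host has the token; with them disabled the client sees the raw 307 and the token never leaves the first connection. Go's http.Client drops Authorization and Cookie headers on cross-host redirects but forwards every other header, X-Vault-Token included, which is why opting out of redirects is the right default for a client that does not fully control the address it was pointed at.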
  • v1.12.0 Changes

    October 13, 2022

    CHANGES:

    • api: Exclusively use the GET /sys/plugins/catalog endpoint for listing plugins, and add a details field to list responses. [GH-17347]
    • auth: The GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • auth: The GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • auth: The POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
    • auth: auth enable returns an error and the POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
    • core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
    • core: Bump Go version to 1.19.2.
    • core: Validate input parameters for the vault operator init command. The Vault 1.12 CLI version is now needed to run operator init. [GH-16379]
    • identity: a request to /identity/group that includes member_group_ids containing a cycle is now answered with a 400 rather than a 500 [GH-15912]
    • licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license expiration time is before the build date of the binary.
    • plugins: Add plugin version to auth register, list, and mount table [GH-16856]
    • plugins: The GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
    • plugins: The GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
    • plugins: The GET /sys/plugins/catalog/ endpoint contains deprecation status in the detailed list. [GH-17077]
    • plugins: The GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
    • plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
    • plugins: plugin list now accepts a -detailed flag, which displays deprecation status and version info. [GH-17077]
    • secrets/azure: Removed deprecated AAD Graph API support from the secrets engine. [GH-17180]
    • secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
    • secrets: The GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • secrets: The GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • secrets: The POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
    • secrets: secrets enable returns an error and the POST /sys/mounts/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]
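
    The member_group_ids change above turns a cyclic group membership from a server error into a client error, which means the cycle has to be detected before the write happens. The Go code below is an added example, not Vault's identity store: it walks the existing member_group_ids graph from the proposed members and rejects the write if the walk reaches the group being edited, self-membership included. Group, WouldCreateCycle and UpdateGroupMembers are names chosen here, and the sample groups are constructed.

```go
package main

import (
	"fmt"
	"net/http"
)

// Group is a minimal stand-in for an identity group: its ID and the IDs of
// its member groups. Constructed for this example; not Vault's type.
type Group struct {
	ID             string
	MemberGroupIDs []string
}

// WouldCreateCycle reports whether setting groupID's member groups to
// newMembers would make groupID reachable from itself. It does an iterative
// depth-first walk from each proposed member over the existing edges, with a
// visited set so that cycles elsewhere in the graph cannot loop forever.
func WouldCreateCycle(groups map[string]Group, groupID string, newMembers []string) bool {
	visited := map[string]bool{}
	stack := append([]string(nil), newMembers...)
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if cur == groupID {
			return true
		}
		if visited[cur] {
			continue
		}
		visited[cur] = true
		if g, ok := groups[cur]; ok {
			stack = append(stack, g.MemberGroupIDs...)
		}
	}
	return false
}

// UpdateGroupMembers mimics the write path: a cyclic request is refused with
// 400 (a client error) instead of being stored and surfacing later as a 500.
func UpdateGroupMembers(groups map[string]Group, groupID string, newMembers []string) (int, error) {
	if WouldCreateCycle(groups, groupID, newMembers) {
		return http.StatusBadRequest, fmt.Errorf("group %q: member_group_ids would create a cycle", groupID)
	}
	g := groups[groupID]
	g.ID = groupID
	g.MemberGroupIDs = newMembers
	groups[groupID] = g
	return http.StatusOK, nil
}

func main() {
	// Constructed sample: eng -> backend -> oncall
	groups := map[string]Group{
		"eng":     {ID: "eng", MemberGroupIDs: []string{"backend"}},
		"backend": {ID: "backend", MemberGroupIDs: []string{"oncall"}},
		"oncall":  {ID: "oncall"},
	}
	code, err := UpdateGroupMembers(groups, "oncall", []string{"eng"}) // would close the loop
	fmt.Println(code, err)
	code, err = UpdateGroupMembers(groups, "oncall", []string{"sre"}) // fine: sre has no path back
	fmt.Println(code, err)
}
```

    The walk is over existing edges only, so a request that replaces a group's members is judged against the graph as it will be after the write, not as it is now; that is the property that keeps the 400 honest.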

    FEATURES:

    • GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
    • LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
    • OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC 6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
    • Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a standalone Redis server. [GH-17070]
    • Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
    • Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
    • Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
    • HCP (enterprise): Adding foundational support for self-managed Vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
    • ui: UI support for Okta Number Challenge. [GH-15998]
    • Plugin Versioning: Vault supports registering, managing, and running plugins with semantic versions specified.

    IMPROVEMENTS:

    • core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign API
    • activity (enterprise): Added new clients unit tests to test accuracy of estimates
    • agent/auto-auth: Add exit_on_err which, when set to true, causes Agent to exit if any errors are encountered during authentication. [GH-17091]
    • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
    • agent: Added disable_keep_alives configuration to disable keep-alives in auto-auth, caching and templating. [GH-16479]
    • agent: JWT auto-auth now supports a remove_jwt_after_reading config option, which defaults to true. [GH-11969]
    • agent: Send notifications to systemd on start and stop. [GH-9802]
    • api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
    • api: Add a sentinel error for missing KV secrets [GH-16699]
    • auth/alicloud: Enables AliCloud roles to be compatible with Vault's role-based quotas. [GH-17251]
    • auth/approle: SecretIDs can now be generated with a per-request specified TTL and num_uses. When either the ttl or num_uses field is not specified, the role's configuration is used. [GH-14474]
    • auth/aws: PKCS7 signatures will now use SHA256 by default, in preparation for Go 1.18 [GH-16455]
    • auth/azure: Enables Azure roles to be compatible with Vault's role-based quotas. [GH-17194]
    • auth/cert: Add metadata to identity-alias [GH-14751]
    • auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing CRLs pushed directly to auth/cert. [GH-17136]
    • auth/cf: Enables CF roles to be compatible with Vault's role-based quotas. [GH-17196]
    • auth/gcp: Add support for GCE regional instance groups [GH-16435]
    • auth/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17160]
    • auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
    • auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
    • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
    • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
    • auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
    • auth/oci: Add support for role resolution. [GH-17212]
    • auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
    • cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
    • cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
    • cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
    • command/audit: Improve missing type error message [GH-16409]
    • command/server: add -dev-tls and -dev-tls-cert-dir flags to create a Vault dev server with generated certificates and private key. [GH-16421]
    • command: Fix shell completion for KV v2 mounts [GH-16553]
    • core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
    • core (enterprise): Add check to the vault server command to ensure the configured storage backend is supported.
    • core (enterprise): Add custom metadata support for namespaces
    • core/activity: generate HyperLogLogs containing clientIds for each month during precomputation [GH-16146]
    • core/activity: refactor activity log API to reuse partial API functions in the activity endpoint when the current month is specified [GH-16162]
    • core/activity: use monthly HyperLogLogs to calculate the new clients approximation for the current month [GH-16184]
    • core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
    • core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
    • core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
    • core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
    • core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
    • core: Add sys/loggers and sys/loggers/:name endpoints to provide the ability to modify logging verbosity [GH-16111]
    • core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override the shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
    • core: Limit activity log client count usage by namespaces [GH-16000]
    • core: Upgrade github.com/hashicorp/raft [GH-16609]
    • core: remove gox [GH-16353]
    • docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
    • identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
    • identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
    • identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
    • identity: Prevent possibility of data races on entity creation. [GH-16487]
    • physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
    • plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
    • plugins: Add Deprecation Status method to builtinregistry. [GH-16846]
    • plugins: Added environment variable flag to opt specific plugins out of multiplexing [GH-16972]
    • plugins: Adding version to plugin gRPC interface [GH-17088]
    • plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
    • replication (enterprise): Fix race in merkle sync that can prevent streaming, by returning the key value matching the provided hash if found in the log shipper buffer.
    • secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
    • secret/pki: Add RSA PSS signature support for issuing certificates and signing CRLs [GH-16519]
    • secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
    • secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
    • secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
    • secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
    • secrets/ad: set config default length only if password_policy is missing [GH-16140]
    • secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
    • secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
    • secrets/database/snowflake: Add multiplexing support [GH-17159]
    • secrets/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17174]
    • secrets/gcpkms: Update dependencies: google.golang.org/[email protected]. [GH-17199]
    • secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
    • secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
    • secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
    • secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
    • secrets/pki: Add ability to cancel tidy operations and control tidy resource usage. [GH-16958]
    • secrets/pki: Add ability to periodically rebuild the CRL before expiry [GH-16762]
    • secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
    • secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
    • secrets/pki: Add support to specify signature bits when generating CSRs through the intermediate/generate APIs [GH-17388]
    • secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
    • secrets/pki: Allow revocation of certificates with an explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
    • secrets/pki: Allow revocation by proving possession of the certificate's private key [GH-16566]
    • secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
    • secrets/pki: Honor the If-Modified-Since header on CA and CRL fetch; requires a passthrough_request_headers modification on the mount point. [GH-16249]
    • secrets/pki: Improve stability of association of a revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on the default issuer's CRL. [GH-16874]
    • secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
    • secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
    • secrets/ssh: Allow additional text alongside a template definition in defaultExtension value fields. [GH-16018]
    • secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
    • secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
    • secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
    • secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
    • ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
    • storage/cassandra: tuning parameters for clustered environments: connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
    • storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
    • ui: Changed the tokenBoundCidrs tooltip content to clarify that comma-separated values are not accepted in this field. [GH-15852]
    • ui: Prevents requests to the /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
    • ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
    • ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
    • ui: Replaces non-inclusive terms [GH-17116]
    • ui: redirect_to param forwards from auth route when authenticated [GH-16821]
    • website/docs: API generate-recovery-token documentation. [GH-16213]
    • website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
    • website/docs: Removes mentions of unauthenticated from the internal ui resultant-acl doc [GH-17139]
    • website/docs: Update replication docs to mention Integrated Storage [GH-16063]
    • website/docs: changed all string examples to use echo instead of a (<<<) here-string. [GH-9081]
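
    The transit option above to configure allowed RSA PSS salt lengths, and the managed-keys items in 1.12.1 and 1.13.0 that switch the test/sign API to a salt length equal to the hash length for PKCS#11 compatibility, are two faces of one interoperability point: a verifier that insists on a specific salt length rejects a perfectly valid signature made with another. The Go program below is an added example using only crypto/rsa, not Vault code. It signs one digest with salt length equal to the hash length (32 bytes for SHA-256, what hardware tokens commonly expect) and with the maximum length the modulus allows, then verifies each signature under a fixed-length policy and an automatic one. Function names and the message are chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signPSS signs a SHA-256 digest with RSA-PSS using the requested salt
// length. rsa.PSSSaltLengthEqualsHash gives a 32-byte salt;
// rsa.PSSSaltLengthAuto on the signing side means the maximum that fits.
func signPSS(priv *rsa.PrivateKey, digest []byte, saltLen int) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest,
		&rsa.PSSOptions{SaltLength: saltLen, Hash: crypto.SHA256})
}

// verifyPSS checks sig against digest. With an explicit salt length the
// verifier requires exactly that length; with rsa.PSSSaltLengthAuto it
// accepts whatever length the signature encodes.
func verifyPSS(pub *rsa.PublicKey, digest, sig []byte, expectSaltLen int) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig,
		&rsa.PSSOptions{SaltLength: expectSaltLen, Hash: crypto.SHA256}) == nil
}

// SaltLengthMatrix generates a key of the given size, signs a constructed
// message under two salt-length choices and verifies each under two
// verifier policies. Keys of the returned map are "<signer>/<verifier>".
func SaltLengthMatrix(bits int) (map[string]bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte("constructed sample message")) // constructed input

	signers := map[string]int{
		"hashlen": rsa.PSSSaltLengthEqualsHash,
		"max":     rsa.PSSSaltLengthAuto,
	}
	verifiers := map[string]int{
		"hashlen": rsa.PSSSaltLengthEqualsHash,
		"auto":    rsa.PSSSaltLengthAuto,
	}

	out := map[string]bool{}
	for sn, sl := range signers {
		sig, err := signPSS(priv, digest[:], sl)
		if err != nil {
			return nil, err
		}
		for vn, vl := range verifiers {
			out[sn+"/"+vn] = verifyPSS(&priv.PublicKey, digest[:], sig, vl)
		}
	}
	return out, nil
}

func main() {
	m, err := SaltLengthMatrix(2048)
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"hashlen/hashlen", "hashlen/auto", "max/hashlen", "max/auto"} {
		fmt.Printf("%-16s verifies=%v\n", k, m[k])
	}
}
```

    Three of the four combinations verify; "max/hashlen" does not, because the verifier's expected salt length no longer lines up with the 0x01 separator in the encoded message. A signer behind a PKCS#11 token that only does salt length = hash length, or a transit key configured to a restricted set of salt lengths, must therefore be paired with a verifier that either expects that exact length or recovers the length automatically.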

    BUG FIXES:

    • agent/template: Fix parsing error for the exec stanza [GH-16231]
    • agent: Agent will now respect the max_retries retry configuration even when caching is set. [GH-16970]
    • agent: Update consul-template for pkiCert bug fixes [GH-16087]
    • api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mount paths [GH-15835]
    • api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
    • api: Fixed issue with the internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where /auth/ was not handled properly [GH-15552]
    • api: properly handle switching to/from a unix domain socket when changing the client address [GH-11904]
    • auth/cert: Fix CRLs not being loaded at startup in cert auth until the read/write CRL endpoint was hit. [GH-17138]
    • auth/kerberos: Maintain headers set by the client [GH-16636]
    • auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
    • auth/token: Fix ignored-parameter warnings for valid parameters on token create [GH-16938]
    • command/debug: fix bug where monitor was not honoring the configured duration [GH-16834]
    • core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
    • core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
    • core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • core/license (enterprise): Always remove the stored license and allow unseal to complete when license cleanup fails
    • core/managed-keys (enterprise): fix panic when cache_disable is true
    • core/quotas (enterprise): Fixed issue with improper counting of leases if a lease count quota is created after the leases
    • core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
    • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
    • core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
    • core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
    • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
    • database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
    • debug: Fix panic when capturing a debug bundle on Windows [GH-14399]
    • debug: Remove extra empty lines from vault.log when the debug command is run [GH-16714]
    • identity (enterprise): Fix a data race when creating an entity for a local alias.
    • identity/oidc: Adds claims_supported to the discovery document. [GH-16992]
    • identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
    • identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
    • identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
    • openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
    • plugin/multiplexing: Fix panic when id doesn't exist in the connection map [GH-16094]
    • plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
    • plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
    • quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease-generating request is a read [GH-15735]
    • replication (enterprise): Fix data race in SaveCheckpoint()
    • replication (enterprise): Fix data race in saveCheckpoint.
    • replication (enterprise): Fix possible data race during merkle diff/sync
    • secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
    • secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
    • secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
    • secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
    • secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
    • secrets/pki: Do not ignore the provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Do not read revoked certificates from the backend when the CRL is disabled [GH-17385]
    • secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
    • secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
    • secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
    • secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
    • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
    • storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • storage/raft: Fix retry_join initialization failure [GH-16550]
    • storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
    • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ui: Fix OIDC callback to accept the namespace flag in different formats [GH-16886]
    • ui: Fix info tooltip submitting form [GH-16659]
    • ui: Fix issue logging in with the JWT auth method [GH-16466]
    • ui: Fix lease force revoke action [GH-16930]
    • ui: Fix naming of the permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
    • ui: Fixed bug where a red spellcheck underline appeared in sensitive/secret kv values when it should not [GH-15681]
    • ui: Fixes secret version and status menu links transitioning to the auth screen [GH-16983]
    • ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
    • vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]
  • v1.11.5 Changes

    November 2, 2022

    IMPROVEMENTS:

    • database/snowflake: Allow parallel requests to Snowflake [GH-17594]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

    BUG FIXES:

    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
  • v1.11.4 Changes

    September 30, 2022

    IMPROVEMENTS:

    • agent/auto-auth: Add exit_on_err which, when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
    • agent: Send notifications to systemd on start and stop. [GH-9802]

    BUG FIXES:

    • auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
    • auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17162]
    • auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
    • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
    • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
    • identity/oidc: Adds claims_supported to discovery document. [GH-16992]
    • replication (enterprise): Fix data race in SaveCheckpoint()
    • secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
    • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
    • ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
  • v1.11.3 Changes

    August 31, 2022

    CHANGES:

    • core: Bump Go version to 1.17.13.

    IMPROVEMENTS:

    • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
    • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
    • identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
    • storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]

    BUG FIXES:

    • api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
    • auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [GH-16523]
    • auth/kerberos: Maintain headers set by the client [GH-16636]
    • command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
    • core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
    • database/elasticsearch: Fixes a bug in boolean parsing for initialize [GH-16526]
    • identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
    • identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
    • identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
    • plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
    • secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
    • secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
    • secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
    • secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
    • secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
    • storage/raft: Fix retry_join initialization failure [GH-16550]
    • ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
    • ui: Fix info tooltip submitting form [GH-16659]
    • ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]

    SECURITY:

    • identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [HCSEC-2022-18]
  • v1.11.2 Changes

    August 2, 2022

    IMPROVEMENTS:

    • agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]

    BUG FIXES:

    • core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
    • core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
    • secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
    • ui: Fix issue logging in with JWT auth method [GH-16466]
  • v1.11.1 Changes

    July 21, 2022

    CHANGES:

    • core: Bump Go version to 1.17.12.

    IMPROVEMENTS:

    • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
    • core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
    • secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]

    BUG FIXES:

    • agent/template: Fix parsing error for the exec stanza [GH-16231]
    • agent: Update consul-template for pkiCert bug fixes [GH-16087]
    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • kmip (enterprise): Return SecretData as supported Object Type.
    • plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
    • secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
    • ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]

    SECURITY:

    • storage/raft (enterprise): Vault Enterprise ("Vault") clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [HCSEC-2022-15]
  • v1.11.0 Changes

    June 20, 2022

    CHANGES:

    • auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
    • auth/kubernetes: If kubernetes_ca_cert is unset, and there is no pod-local CA available, an error will be surfaced when writing config instead of waiting for login. [GH-15584]
    • auth: Remove support for legacy MFA (https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869]
    • core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [GH-15858]
    • core: A request that fails path validation due to the relative path check will now be responded to with a 400 rather than 500. [GH-14328]
    • core: Bump Go version to 1.17.11. [GH-go-ver-1110]
    • database & storage: Change underlying driver library from lib/pq to pgx. This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [GH-15343]
    • licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
    • replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
    • secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA [GH-15478]
    • secrets/kubernetes: Split additional_metadata into extra_annotations and extra_labels parameters [GH-15655]
    • secrets/pki: A new aliased API path (/pki/issuer/:issuer_ref/sign-self-issued) provides the same functionality as the existing API (/pki/root/sign-self-issued) but does not require sudo capabilities; the latter still requires it in order to maintain backwards compatibility. [GH-15211]
    • secrets/pki: Err on unknown role during sign-verbatim. [GH-15543]
    • secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead of a v1 CRL. [GH-15100]
    • secrets/pki: The ca_chain response field within issuing (/pki/issue/:role) and signing APIs will now include the root CA certificate if the mount is aware of it. [GH-15155]
    • secrets/pki: existing Delete Root API (pki/root) will now delete all issuers and keys within the mount path. [GH-15004]
    • secrets/pki: existing Generate Root (pki/root/generate/:type), Set Signed Intermediate (/pki/intermediate/set-signed) APIs will add new issuers/keys to a mount instead of warning that an existing CA exists [GH-14975]
    • secrets/pki: the signed CA certificate from the sign-intermediate API will now appear within the ca_chain response field along with the issuer's CA chain. [GH-15524]
    • ui: Upgrade Ember to version 3.28 [GH-14763]

    FEATURES:

    • Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
    • KeyMgmt UI: Add UI support for managing the Key Management Secrets Engine [GH-15523]
    • Kubernetes Secrets Engine: This new secrets engine generates Kubernetes service account tokens, service accounts, role bindings, and roles dynamically. [GH-15551]
    • Non-Disruptive Intermediate/Root Certificate Rotation: This allows import, generation and configuration of any number of keys and/or issuers within a PKI mount, providing operators the ability to rotate certificates in place without affecting existing client configurations. [GH-15277]
    • Print minimum required policy for any command: The global CLI flag -output-policy can now be used with any command to print out the minimum required policy HCL for that operation, including whether the given path requires the "sudo" capability. [GH-14899]
    • Snowflake Database Plugin: Adds ability to manage RSA key pair credentials for dynamic and static Snowflake users. [GH-15376]
    • Transit BYOK: Allow import of externally-generated keys into the Transit secrets engine. [GH-15414]
    • nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
    • storage/dynamodb: Added AWS_DYNAMODB_REGION environment variable. [GH-15054]

    IMPROVEMENTS:

    • activity: return nil response months in activity log API when no month data exists [GH-15420]
    • agent/auto-auth: Add min_backoff to the method stanza for configuring initial backoff duration. [GH-15204]
    • agent: Update consul-template to v0.29.0 [GH-15293]
    • agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
    • api/monitor: Add log_format option to allow for logs to be emitted in JSON format [GH-15536]
    • api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
    • api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
    • api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
    • api: If the parameters supplied over the API payload are ignored due to not being what the endpoints were expecting, or if the parameters supplied get replaced by the values in the endpoint's path itself, warnings will be added to the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
    • api: KV helper methods to simplify the common use case of reading and writing KV secrets [GH-15305]
    • api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
    • api: Support VAULT_PROXY_ADDR environment variable to allow overriding the Vault client's HTTP proxy. [GH-15377]
    • api: Use the context passed to the api/auth Login helpers. [GH-14775]
    • api: make ListPlugins parse only known plugin types [GH-15434]
    • audit: Add a policy_results block into the audit log that contains the set of policies that granted this request access. [GH-15457]
    • audit: Include mount_accessor in audit request and response logs [GH-15342]
    • audit: added entity_created boolean to audit log, set when login operations create an entity [GH-15487]
    • auth/aws: Add rsa2048 signature type to API [GH-15719]
    • auth/gcp: Enable the Google service endpoints used by the underlying client to be customized [GH-15592]
    • auth/gcp: Vault CLI now infers the service account email when running on Google Cloud [GH-15592]
    • auth/jwt: Adds ability to use JSON pointer syntax for the user_claim value. [GH-15593]
    • auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
    • auth/okta: Add support for performing the number challenge during an Okta Verify push challenge [GH-15361]
    • auth: Globally scoped Login MFA method Get/List endpoints [GH-15248]
    • auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
    • auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [GH-15469]
    • cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
    • cli/vault: warn when policy name contains upper-case letter [GH-14670]
    • cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
    • cockroachdb: add high-availability support [GH-12965]
    • command/debug: Add log_format flag to allow for logs to be emitted in JSON format [GH-15536]
    • command: Support optional '-log-level' flag to be passed to 'operator migrate' command (defaults to info). Also support VAULT_LOG_LEVEL env var. [GH-15405]
    • command: Support the optional '-detailed' flag to be passed to 'vault list' command to show ListResponseWithInfo data. Also supports the VAULT_DETAILED env var. [GH-15417]
    • core (enterprise): Include termination_time in sys/license/status response
    • core (enterprise): Include termination time in license inspect command output
    • core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
    • core/activity: Order month data in ascending order of timestamps [GH-15259]
    • core/activity: allow client counts to be precomputed and queried on non-contiguous chunks of data [GH-15352]
    • core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
    • core: Add an export API for historical activity log data [GH-15586]
    • core: Add new DB methods that do not prepare statements. [GH-15166]
    • core: check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
    • core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
    • core: Include build date in sys/seal-status and sys/version-history endpoints. [GH-14957]
    • core: Upgrade github.org/x/crypto/ssh [GH-15125]
    • kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
    • mfa/okta: migrate to use official Okta SDK [GH-15355]
    • sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
    • secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
    • secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
    • secrets/database/elasticsearch: Use the new /_security base API path instead of /_xpack/security when managing elasticsearch. [GH-15614]
    • secrets/pki: Add not_before_duration to root CA generation, intermediate CA signing paths. [GH-14178]
    • secrets/pki: Add support for CPS URLs and User Notice to Policy Information [GH-15751]
    • secrets/pki: Allow operators to control the issuing certificate behavior when the requested TTL is beyond the NotAfter value of the signing certificate [GH-15152]
    • secrets/pki: Always return CRLs, URLs configurations, even if using the default value. [GH-15470]
    • secrets/pki: Enable Patch Functionality for Roles and Issuers (API only) [GH-15510]
    • secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role [GH-15429]
    • secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate). [GH-15494]
    • secrets/pki: Warn on missing AIA access information when generating issuers (config/urls). [GH-15509]
    • secrets/pki: Warn when generate_lease and no_store are both set to true on requests. [GH-14292]
    • secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode. [GH-15440]
    • secrets/ssh: Support for add_before_duration in SSH [GH-15250]
    • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
    • storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
    • ui: Allow namespace param to be parsed from state queryParam [GH-15378]
    • ui: Default auto-rotation period in transit is 30 days [GH-15474]
    • ui: Parse schema refs from OpenAPI [GH-14508]
    • ui: Remove stored license references [GH-15513]
    • ui: Remove storybook. [GH-15074]
    • ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
    • website/docs: Add usage documentation for Kubernetes Secrets Engine [GH-15527]
    • website/docs: added a link to an Enigma secret plugin. [GH-14389]

    DEPRECATIONS:

    • docs: Document removal of X.509 certificates with signatures that use SHA-1 in Vault 1.12 [GH-15581]
    • secrets/consul: Deprecate old parameters "token_type" and "policy" [GH-15550]
    • secrets/consul: Deprecate parameter "policies" in favor of "consul_policies" for consistency [GH-15400]

    πŸ› BUG FIXES:

    • πŸ›  Fixed panic when adding or modifying a Duo MFA Method in Enterprise
    • 🌲 agent: Fix log level mismatch between ERR and ERROR [GH-14424]
    • agent: Redact auto auth token from renew endpoints [GH-15380]
    • ⚑️ api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
    • πŸ›  api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
    • api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
    • auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [GH-14746]
    • auth/kubernetes: Fix error code when using the wrong service account [GH-15584]
    • auth/ldap: The logic for setting the entity alias when username_as_alias is set πŸ›  has been fixed. The previous behavior would make a request to the LDAP server to get user_attr before discarding it and using the username instead. This would πŸ‘‰ make it impossible for a user to connect if this attribute was missing or had πŸ›  multiple values, even though it would not be used anyway. This has been fixed and the username is now used without making superfluous LDAP searches. [GH-15525]
    • πŸ›  auth: Fixed erroneous success message when using vault login in case of two-phase MFA [GH-15428]
    • πŸ›  auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [GH-15428]
    • πŸ›  auth: Fixed two-phase MFA information missing from table format when using vault login [GH-15428]
    • auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [GH-15482]
    • auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
    • πŸ”§ auth: load login MFA configuration upon restart [GH-15261]
    • ⚑️ cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
    • πŸ“œ cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
    • cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
    • ⚠ command: do not report listener and storage types as key not found warnings [GH-15383]
    • πŸ“‡ core (enterprise): Allow local alias create RPCs to persist alias metadata
    • core (enterprise): Fix overcounting of lease count quota usage at startup.
    • βœ… core (enterprise): Fix some races in merkle index flushing code found in testing
    • core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
    • core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
    • core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
    • core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
    • core: Fix double counting for "route" metrics [GH-12763]
    • πŸ“œ core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
    • πŸ“œ core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
    • πŸ“œ core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
    • core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
    • core: Limit SSCT WAL checks on perf standbys to raft backends only [GH-15879]
    • πŸ”Š core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
    • core: Prevent metrics generation from causing deadlocks. [GH-15693]
    • πŸ›  core: fixed systemd reloading notification [GH-15041]
    • core: fixing excessive unix file permissions [GH-14791]
    • core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
    • core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
    • core: renaming the environment variable VAULT_DISABLE_FILE_PERMISSIONS_CHECK to VAULT_ENABLE_FILE_PERMISSIONS_CHECK and adjusting the logic [GH-15452]
    • core: report unused or redundant keys in server configuration [GH-14752]
    • core: time.After() used in a select statement could lead to a memory leak [GH-14814]
    • identity: deduplicate policies when creating/updating identity groups [GH-15055]
    • mfa/okta: disable client side rate limiting causing delays in push notifications [GH-15369]
    • plugin: Fix a bug where plugin reload would falsely report success in certain scenarios. [GH-15579]
    • raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
    • raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
    • replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
    • sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
    • sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
    • sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
    • secrets/database: Ensure that a connection_url password is redacted in all cases. [GH-14744]
    • secrets/kv: Fix issue preventing the ability to reset the delete_version_after key metadata field to 0s via HTTP PATCH. [GH-15792]
    • secrets/pki: CRLs on performance secondary clusters are now automatically rebuilt upon changes to the list of issuers. [GH-15179]
    • secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
    • secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
    • secrets/ssh: Convert role field not_before_duration to seconds before returning it [GH-15559]
    • storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
    • storage/raft: Forward autopilot state requests on perf standbys to active node. [GH-15493]
    • storage/raft: joining a node to a cluster now ignores any VAULT_NAMESPACE environment variable set on the server process [GH-15519]
    • ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
    • ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
    • ui: Fix inconsistent behavior in client count calendar widget [GH-15789]
    • ui: Fix issue where metadata tab is hidden even though policy grants access [GH-15824]
    • ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
    • ui: Fixed client count timezone for start and end months [GH-15167]
    • ui: Fixed unsupported revocation statements field for DB roles [GH-15573]
    • ui: Fixes edit auth method capabilities issue [GH-14966]
    • ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
    • ui: Revert using localStorage in favor of sessionStorage [GH-15769]
    • ui: Updated leasId to leaseId in the "Copy Credentials" section of "Generate AWS Credentials" [GH-15685]
    • ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
    • ui: fix form validations ignoring default values and disabling submit button [GH-15560]
    • ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
    • ui: masked values no longer give away length or location of special characters [GH-15025]
  • v1.10.8 Changes

    November 2, 2022

    πŸ› BUG FIXES:

    • πŸ‘ core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • πŸ’» ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]