This page contains the list of deprecations and important or breaking changes for Vault 1.7.x compared to 1.6. Please read it carefully.
Vault 1.7.8 and higher are built with Go 1.16. Please review the Go Release Notes for full details. Vault 1.7.0-1.7.7 are built with Go 1.15.
If your Vault installation is at least a year old, the barrier key will be
automatically rotated once, and then subsequently will be rotated per the
settings in the new
sys/rotate/config endpoint. This is a precaution to
ensure the number of encryptions performed by the barrier key is fewer than that
NIST SP 800-38D.
AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms
have been updated to more inclusive language (e.g.
/auth/aws/identity-whitelist has been
/auth/aws/identity-accesslist). The old and new endpoints are aliases,
sharing the same underlying data. The legacy endpoint names are considered deprecated
and will be removed in a future release (not before Vault 1.9). The complete list of
endpoint changes is available in the AWS Auth API docs.
Docker images for Vault 1.6.6+, 1.7.4+, and 1.8.2+ are built with Alpine 3.14, due to a security issue in Alpine 3.13 (CVE-2021-36159). Some users on older versions of Docker may run into issues with these images. See the following for more details:
Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.
Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0. Due to the known issue, Lease Count Quota users with DR Secondaries are recommended to upgrade to version 1.7.4.
- Autopilot is not currently supported on DR Secondary clusters, or in Integrated Storage's HA-only mode.
- If the IP address in the raft peer list is different from the configured
cluster address, autopilot may be unable to determine the leader node. If
affected, you should disabled autopilot by setting the
VAULT_RAFT_AUTOPILOT_DISABLEenvironment variable to 1.
The Transform Secrets Engine storage upgrade introduced in 1.6.0 introduced malformed configuration for transformations configured earlier than 1.6.0, resulting in an error using these transformations if Vault is restarted after the upgrade. This issue exists on Vault 1.6.0 through 1.6.3, and is fixed in Vault 1.6.4 and 1.7.0. Transformations configured on 1.6.0 or higher are unaffected.
Lease count quota invalidation causes DR Secondaries to panic and experience a hard shutdown. This issue exists prior to Vault 1.6.6 and 1.7.4. It is fixed in Vault 1.6.6, 1.7.4, and 1.8.0.