Vault 1.9.0 Release notes
Software Release Date: November 19, 2021
Summary: This document captures major updates as part of Vault release 1.9.0, including new features, breaking changes, enhancements, deprecation, and EOL plans. Refer to the Changelog for additional changes made within the Vault 1.9 release.
This section describes the new features introduced as part of Vault 1.9.0.
Several improvements to client count were made to help customers better track and identify client attribution and reduce overcomputing.
The improvements made include the following:
- New logic enables de-duplication of non-entity tokens, thereby reducing their contribution towards the client count
- New logic allows entities to be created for local auth mounts, thereby eliminating non-entity-tokens being issued by the local auth mounts and reducing the overall client count
- Eliminates root tokens from the client count aggregate
- Displays client counts per namespace (top ten, descending order by attribution) in the usage metrics UI with the ability to export data for all namespaces
- Displays clients earlier than a month in the usage metrics UI (within ten minutes since initiation of computation)
The following section provides details about the ADP module features added in this release.
Users of the Format Preserving Encryption (FPE) feature of ADP Transform will now benefit from increased flexibility with regards to formatting the input and output of their data. Transformation templates are receiving two new fields- encode_format and decode_formats -that allow users to specify and format individual capturing groups within the regular expressions that define their formats.
We added support to Vault Enterprise for customers who want Vault to manage encryption keys for Transparent Data Encryption on MSSQL servers.
The KMS Engine for GCP provides key management via the Google Cloud KMS to assist with automating many GCP key management functions.
This section describes other features and enhancements introduced as part of the Vault 1.9 release.
Improvements were made to the Vault Agent Cache to ensure that consul-template is always routed through the Vault Agent cache, therefore, eliminating the need for listeners to be defined in the Vault Agent for just templating.
This feature enables customization of username for database dynamic credentials. This feature helps customers better manage and correlate usernames for various actions such as troubleshooting, etc. Vault 1.9 supports Postgres, MSSQL, MySQL, Oracle, MongoDB.
This feature allows security operators to configure custom response headers to HTTP root path (
/) and API endpoints (
/v1/*), in addition to the previously supported UI paths through the server HCL configuration file.
This feature adds support for Vault to run on the IBM s390x architecture via the equivalent binary.
This feature allows namespace administrators to flexibly control operations such as locking APIs from child namespaces to which they have access. This enables them to restrict access to their domain in a multi-tenant environment and perform break-glass procedures in times of emergency to protect a cluster from within their child namespace.
The following enhancement are included:
use_microsoft_graph_apiconfiguration parameter is added to use with Microsoft Graph API. We are targeting to remove Azure Active Directory API by June 30, 2022.
- Rotate root API is now available to rotate client_secret immediately after configuration.
This enhancement provides the ability to set version-agnostic custom key metadata for Vault KVv2 secrets via a metadata endpoint. This custom metadata is also visible in the UI.
We have been adding support for DB secrets engines in the UI over the past few releases. In the Vault 1.9 release, we have added support for Oracle and ElasticSearch and PostgresSQL database secrets engines in the UI.
The PKI Secrets Engine now displays additional PKI certificate metadata in the UI, such as date issued, date of expiry, serial number, and subject/name.
This feature provides a more streamlined method for managing KV v2 secrets, enabling customers to better maintain least privilege security in automated environments. This feature allows performing partial updates to KV v2 secrets without requiring to read the full KV secret's key/value pairs.
Vault can now act as an OIDC Provider so applications can leverage the pre-existing Vault identities to authenticate into applications.
The following section details breaking changes introduced in Vault 1.9.
In Vault 1.9, the internal HTTP Request count API was removed from the product. Calls to the endpoint will result in a 404 error with a message stating that functionality on this path has been removed. Please refer to the upgrade guide for more information.
As called out in the documentation, Vault does not make backwards compatible guarantees on internal APIs (those prefaced with
sys/internal). They are subject to change and may disappear without notice.
Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans. An FAQ page is also available to address questions concerning decisions made about Vault feature deprecations.