A tool for secrets management, encryption as a service, and privileged access management

Related tags

Security go vault secrets
Overview

Vault CircleCI vault enterprise


Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].


Vault Logo

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.

  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

Documentation, Getting Started, and Certification Exams

Documentation is available on the Vault website.

If you're new to Vault and want to get started with security automation, please check out our Getting Started guides on HashiCorp's learning platform. There are also additional guides to continue your learning.

Show off your Vault knowledge by passing a certification exam. Visit the certification page for information about exams and find study materials on HashiCorp's learning platform.

Developing Vault

If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine. Go version 1.15.3+ is required.

For local dev first make sure Go is properly installed, including setting up a GOPATH. Ensure that $GOPATH/bin is in your path as some distributions bundle old version of build tools. Next, clone this repository. Vault uses Go Modules, so it is recommended that you clone the repository outside of the GOPATH. You can then download any required build tools by bootstrapping your environment:

$ make bootstrap
...

To compile a development version of Vault, run make or make dev. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make dev
...
$ bin/vault
...

To compile a development version of Vault with the UI, run make static-dist dev-ui. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make static-dist dev-ui
...
$ bin/vault
...

To run tests, type make test. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working!

$ make test
...

If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. For example below, only vault package tests will be run.

$ make test TEST=./vault
...

Acceptance Tests

Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.

If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.

Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.

To run the acceptance tests, invoke make testacc:

$ make testacc TEST=./builtin/logical/consul
...

The TEST variable is required, and you should specify the folder where the backend is. The TESTARGS variable is recommended to filter down to a specific resource to test, since testing all of them at once can sometimes take a very long time.

Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.

For more information on Vault Enterprise features, visit the Vault Enterprise site.

Comments
  • Proposal: JWT Claim-based OIDC Auth Backend

    Proposal: JWT Claim-based OIDC Auth Backend

    Kubernetes supports authentication (and group extraction forth authorization) using OICD (OpenID Connect) JWT id_tokens tokens, see here for docs. Basically JWT tokens are crypto-verifiable JSON key-value pairs called "claims".

    For Kubernetes Auth, two such claims are used:

    • username (configurable) - indicating the subject of the token
    • groups (configurable) - indicating the list of groups the user belongs to

    Both KeyCloak and Dex are configurable OpenID Connect servers that can delegate to upstream identity providers (e.g. Azure or Google).

    This proposal is about introducing an Auth Backend that is a configurable, generic OICD backend that uses JWT token validation.

    Contrary to what's been discussed previously in #465, OIDC doesn't require browser flows to be used, and such is not an obstacle for Vault adoption. They can be used in exactly the same fashion as GitHub personal tokens, by copy-pasting.

     vault auth -method=oidc token=<id_token>
    

    In fact this is exactly what K8S's kubectl is expected to be used, with --token flag.

    A couple of other considerations:

    • the TTL of the token is a min(configured_max_ttl, expiraton_of_id_token)
    • the configuration endpoint allows to set the: upstream URL for verification, (optionally) a pinned CA cert for interacting with OICD
    • JWT claims enter the metadata of the token
    • there's a groups/ configuration endpoint that maps onto policies, similarly as with Github

    The K8S oicd plugin seems fairly straightforward and could act as a basis for this work. We'd actually be willing to send in PRs for this if Vault maintainers would accept them :)

    opened by mwitkow 142
  • Provide a way to list secrets

    Provide a way to list secrets

    It would be really great to have some way to list the secrets stored in a Vault. This would make it easier to keep a vault clean, to document what's present, and (potentially) to export secrets to a new vault, if the configuration needs to change or if the unsealing keys need to be changed for some reason.

    opened by emk 79
  • Real world examples for docker

    Real world examples for docker

    Hi. We need some concrete examples how to use vault for distributing secrets into docker containers. I.e. the simplest way possible, whilst also ensuring best security.

    It is also unclear to me whether we can benefit from any docker specific plugins for vault? So that is also an open question also I would be grateful if any 'vault experts' or developers of vault can help answer for us.

    Many thanks for any pointers / tips.

    opened by dreamcat4 77
  • Strange token with negative TTL blocking Vault shutdown

    Strange token with negative TTL blocking Vault shutdown

    • Vault Version: v0.9.5

    • Operating System/Architecture: Ubuntu 16.04.03

    Vault Config File:

    backend "consul" {
      address = "127.0.0.1:8500"
      path = "vault"
      token = ""
    }
    
    listener "tcp" {
      address = "1.1.1.1:8200"
      tls_disable = 0
      tls_cert_file = "/vault/server.crt"
      tls_key_file = "/vault/server.key"
    }
    
    max_lease_ttl = "2880h"
    

    Issue:

    I'm running into an issue where Vault’s shutdown is blocked in such a way that it stops serving secrets, but never gives up the lock (so the secondary node always stays inactive). This problem started after we upgraded to v0.9.5 from v0.7.3. It appears to be stuck in a loop trying to get the following keys from the storage backend:

    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/cc5113c6c15b26c4c359407f35b49b0b33d8d6f7/?keys=&separator=%2F (1.026998ms) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/840bcfe07c0ce34bae584de5a5de6c1857c6d90a/?keys=&separator=%2F (1.029913ms) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/d85cf4528416f66409cc3b5d9433d58a39dc9cc4/?keys=&separator=%2F (956.545µs) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/888b51a27895d526857553f8738162661328d74d/?keys=&separator=%2F (975.086µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/dc067819860c1dd23f458b418fcd7aed0b1a697e/?keys=&separator=%2F (1.015359ms) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/9544625267777e034883cbd8a576de268d5242b0/?keys=&separator=%2F (962.588µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/61da133ade358ec06ae6e6f0152a57235574877f/?keys=&separator=%2F (1.139707ms) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/995823d5e90d6893865bcdaba8678b1fb0939b7a/?keys=&separator=%2F (1.003417ms) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/9dc76f1234d11481dcaf614885293c92c463ffe6/?keys=&separator=%2F (995.442µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/098e2b0af50e1dd46cdb3ed4ba03a0d869c93f7f/?keys=&separator=%2F (1.047521ms) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/3dd19860320685b7b34e99ac8cf8db8b2c83081c/?keys=&separator=%2F (975.041µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/9f357234883dccdad0caeeb78265589c24d35a12/?keys=&separator=%2F (1.040412ms) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/421cfdbc380512d04780ff506960cfd1743a3759/?keys=&separator=%2F (974.111µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/be4f6170632f168a81c599276cf93c48abd11beb/?keys=&separator=%2F (974.154µs) from=127.0.0.1:9954
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/4d54cc468ba8b7089c51dee15dc5693209269c51/?keys=&separator=%2F (994.944µs) from=127.0.0.1:4262
    2018/03/16 18:16:16 [DEBUG] http: Request GET /v1/kv/vault/sys/token/parent/be85887a1bc57a393d903cf6cede8bfa8d083ffe/?keys=&separator=%2F (949.421µs) from=127.0.0.1:9954
    

    Additionally, while Vault is active and serving secrets, we constantly see the same calls being made to the storage backend. We’ve traced all these back to a single parent token and the child tokens it has issued.

    ── 8561c9e01661bbcbcc2a038f1e7787246cadf40c
      ├──  61da133ade358ec06ae6e6f0152a57235574877f
            │   ├── 098e2b0af50e1dd46cdb3ed4ba03a0d869c93f7f
            │   ├── 3dd19860320685b7b34e99ac8cf8db8b2c83081c
            │   ├── 421cfdbc380512d04780ff506960cfd1743a3759
            │   ├── 4d54cc468ba8b7089c51dee15dc5693209269c51
            │   ├── 508c12f556d19093e9167d5dcacda376d10cc5d9
            │   ├── 560883d56509e907837d14d9c12f74921c7e6624
            │   ├── 6bacbce05311553b655a29141094fe352afa5427
            │   ├── 6c1ce5eec8d86db284c3aa8cf56c983614638f7c
            │   ├── 6e0249999410712a23d8c737a901624664f2fe94
            │   ├── 7b7b4283827160a365d6d9c8522103a5581b8736
            │   ├── 840bcfe07c0ce34bae584de5a5de6c1857c6d90a
            │   ├── 888b51a27895d526857553f8738162661328d74d
            │   ├── 9544625267777e034883cbd8a576de268d5242b0
            │   ├── 995823d5e90d6893865bcdaba8678b1fb0939b7a
            │   ├── 9dc76f1234d11481dcaf614885293c92c463ffe6
            │   ├── 9f357234883dccdad0caeeb78265589c24d35a12
            │   ├── ba619887b09ba9be87b8ab8d0a04172f6cda41c7
            │   ├── be4f6170632f168a81c599276cf93c48abd11beb
            │   ├── be85887a1bc57a393d903cf6cede8bfa8d083ffe
            │   ├── cc5113c6c15b26c4c359407f35b49b0b33d8d6f7
            │   ├── d85cf4528416f66409cc3b5d9433d58a39dc9cc4
            │   └── dc067819860c1dd23f458b418fcd7aed0b1a697e
    

    The first parent and child have leases, but no lease is found for any of the remaining children. These leases were created on v0.7.3.

    {
      "request_id": "d07e234f-a561-ce71-ff39-e768f20ee921",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "expire_time": "2017-10-29T18:29:31.208498887Z",
        "id": "auth/aws-ec2/login/8561c9e01661bbcbcc2a038f1e7787246cadf40c",
        "issue_time": "2017-09-27T18:29:31.208493668Z",
        "last_renewal": "2017-09-27T18:29:31.437838733Z",
        "renewable": false,
        "ttl": -11924360
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
    
    {
      "request_id": "6346938a-83c4-891f-f264-1f02d2463011",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "expire_time": "2017-11-04T15:49:30.21318925Z",
        "id": "auth/token/create/61da133ade358ec06ae6e6f0152a57235574877f",
        "issue_time": "2017-09-27T18:29:31.578314239Z",
        "last_renewal": "2017-10-03T15:49:30.213189473Z",
        "renewable": false,
        "ttl": -11327396
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
    

    Has anyone seen this before? I’m trying to figure out how it got into the state in the first place. Not sure how to properly clean this up. Have already tried doing a tidy with no luck.

    Thanks in advance for any assistance!

    opened by SoMuchToGrok 66
  • The PKI backend is not well-suited to creating CA certificates

    The PKI backend is not well-suited to creating CA certificates

    The PKI backend has no option for generating certificates with the CA:TRUE extension set. This limits that backend's utility for generating subordinate CA certificates. Is this an intentional omission, or just evidence of very new code?

    opened by hashbrowncipher 65
  • Postgres Revocation Problems

    Postgres Revocation Problems

    If you are granting access to sequences and functions you have to revoke those too.

    https://github.com/hashicorp/vault/issues/699 only fixes schemas.

    It seems to me that allowing for a revocation SQL query might be necessary?

    Thoughts?

    opened by ekristen 60
  • excessive vault/core/leader entries

    excessive vault/core/leader entries

    I reinstalled vault (0.3.1) last night from scratch. Consul (0.5.2) backend.

    I already have 1,730 entries in vault/core/leader in Consul.

    I just reinstalled from scratch because I had 2.8M leases from the 0.2.0 behavior of creating a lease for every read of any generic secret, so I'm a bit wary...

    opened by wwalker 59
  • Create a vault /secret/search endpoint - search the list namespace

    Create a vault /secret/search endpoint - search the list namespace

    This endpoint would accept a GET search string and would return a JSON payload of all paths the user is authorized for where 'search string' in path name. There are 2 ways to search:

    • Search all secret names/paths for the keyword
    • Search the secrets themselves for the keyword For us, we only need the search to really touch the name. There's almost never an instance, for example, where you have a password and you need to search for the secret it belongs to.

    We wrote a client-side application that lists all secret directories and secrets, but the amount of recursive requests that you have to do on that end is the bottleneck for our search. Additionally, this loads all authorized secret paths into local active memory, which is...not necessarily ideal...but OK. Moving the work to the server would seem to be the best optimization.

    The other feature we could settle on would be a "recursive" flag on the /list endpoint, which would return ALL paths that the user is authorized to see. This would still load the paths all into active memory, but then we would only need to do a single call and could search the entire namespace.

    enhancement core community-sentiment 
    opened by TopherGopher 55
  • Can consul-replicate be used with Vault?

    Can consul-replicate be used with Vault?

    Our use case dictates that we need to have Vault and it's secrets available in multiple physical datacenters. However, writes to Vault only need to happen at one location. This makes for a very typical "one master with many slaves" arrangement.

    Since we're using consul for the backend, I figured consul-replicate would be the perfect tool for the job. After setting it all up and running consul-replicate, I was happy to have initial success. However, after using it a bit more, I think I've found a showstopper for this setup.

    It seems that each time consul-replicate copies a key/value from one consul dc to another, I have to restart the vault servers in the second datacenter before they will "see" that data.

    Is this a known issue? Is there any workarounds, or another way to accomplish this kind of setup?

    opened by justintime 55
  • tls_disable not disabling?

    tls_disable not disabling?

    I have a consul server running with consul agent -server -bootstrap-expect 1 -data-dir /tmp/consul.

    backend "consul" {
      address = "127.0.0.1:8500"
      path = "vault"
    }
    
    listener "tcp" {
     address = "127.0.0.1:8200"
     tls_disable = 1
    }
    

    Next I run vault server -config=example.hcl and receive

    Error initializing listener of type tcp: 'tls_cert_file' must be set

    I don't want to use tls. I haven't set any other configurations, simply following the guide. Tried removing tls_disable, setting it to different values "yes", "false", "", 0, true etc.

    opened by SephVelut 51
  • Cors headers

    Cors headers

    This addresses issue #796.

    Adds two new top-level configuration options:

    • enable_cors : A boolean value (not a string, so omit the quotes in the config file). Defaults to false, set to true to enable.
    • allowed_origins : A string value that is a regex for origins that are allowed to make cross-origin requests. This defaults to ".*" which will allow all origins, but only applies if enable_cors is set to true.

    I made the decision to make this a top-level option, because at the end of the day all CORs does is signal to a browser that the server is willing to communicate with it and which HTTP methods it will accept. It will not have an effect on whether or not stored secrets can be accessed.

    opened by naunga 48
  • changelog++

    changelog++

    @sgmiller Does that new feature belong in the updates for 1.10.10, or should it actually be in 1.10.0? I was confused - can you give this a look please?

    pr/no-changelog 
    opened by mladlow 0
  • [QT-309] Ensure creds are available for OCI and S3 (#3385)

    [QT-309] Ensure creds are available for OCI and S3 (#3385)

    • Ensure OCI creds are set for acc test

    • Ensure AWS creds are resolvable before testing

    After fixing the drift script for ENT->OSS, this appeared to only have been applied to the ENT tree. Cherry-pick it to OSS to fix the drift.

    pr/no-changelog 
    opened by mpalmi 0
  • Got an issue about Content Security Policy directive

    Got an issue about Content Security Policy directive "form-action 'none'" after login with root token

    Describe the bug An error occurred in browser console when submitting the login with root token Refused to send form data to '[http://172.18.4.33:8200/ui/vault/auth?token=hvs.yBf3dfgOninntAafjEr9ogR0'](http://172.18.4.33:8200/ui/vault/auth?token=hvs.yBf3dfgOninntAafjEr9ogR0%27) because it violates the following Content Security Policy directive: "form-action 'none'".

    To Reproduce Steps to reproduce the behavior:

    1. Go to Vault UI
    2. Log in with root token
    3. Open console log on development tools

    Expected behavior This error should not be occurred.

    Environment:

    • Microsoft Edge Version 108.0.1462.54 (Official build) (64-bit)
    • Vault status
    / $ vault status
    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    3
    Threshold                3
    Version                  1.12.2
    Build Date               2022-11-23T12:53:46Z
    Storage Type             postgresql
    Cluster Name             vault-cluster-3dcdbeff
    Cluster ID               fb0f4069-5104-337f-8792-6bbc9e526272
    HA Enabled               true
    HA Cluster               https://vault-0.vault-internal:8201
    HA Mode                  active
    Active Since             2023-01-05T07:22:06.630424011Z
    
    ui bug 
    opened by namthuoc-LE 0
  • Fix DynamoDB duplicate keys result in folder deletion

    Fix DynamoDB duplicate keys result in folder deletion

    The bug occurs when you use the DynamoDB storage backend and you have both a folder and a key sharing the same name and parent folder. When the folder is deleted the entire parent folder gets deleted.

    For example if you have the secrets (kv1):

    secret/nested1/shared-name/value1
    secret/nested1/shared-name
    

    Then you perform:

    $ vault delete secret/nested1/shared-name/value1
    

    Then you try to list the secrets:

    $ vault list secret/
    Keys                                                                                                     
    ----
    

    This will return an empty list. Your secrets still exist so listing their specific sub-folder shows them:

    $ vault list secret/nested1/
    Keys                                                                                                     
    ----
    shared-name
    

    The change forces the children check to explicitly check for a folder or key in the excluded list, as opposed to generalizing for both cases.

    opened by npurdy-tyro 1
Releases(v1.12.2)
  • v1.12.2(Nov 30, 2022)

    1.12.2

    November 30, 2022

    CHANGES:

    • core: Bump Go version to 1.19.3.
    • plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without builtin in their metadata remain unaffected. [GH-18051]

    IMPROVEMENTS:

    • secrets/pki: Allow issuer creation, import to change default issuer via default_follows_latest_issuer. [GH-17824]
    • storage/raft: Add retry_join_as_non_voter config option. [GH-18030]

    BUG FIXES:

    • auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
    • auth: Deduplicate policies prior to ACL generation [GH-17914]
    • cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
    • core (enterprise): Supported storage check in vault server command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than raft or consul.
    • core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
    • core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
    • core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
    • plugins: Only report deprecation status for builtin plugins. [GH-17816]
    • plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [GH-18051]
    • secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
    • secrets/azure: add WAL to clean up role assignments if errors occur [GH-18086]
    • secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18111]
    • secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
    • ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
    • ui: fix entity policies list link to policy show page [GH-17950]
    Source code(tar.gz)
    Source code(zip)
  • v1.11.6(Nov 30, 2022)

    1.11.6

    November 30, 2022

    IMPROVEMENTS:

    • secrets/pki: Allow issuer creation, import to change default issuer via default_follows_latest_issuer. [GH-17824]

    BUG FIXES:

    • auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
    • auth: Deduplicate policies prior to ACL generation [GH-17914]
    • cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
    • core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
    • core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
    • core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
    • secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
    • secrets/azure: add WAL to clean up role assignments if errors occur [GH-18085]
    • secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18110]
    • ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
    • ui: fix entity policies list link to policy show page [GH-17950]
    Source code(tar.gz)
    Source code(zip)
  • v1.10.9(Nov 30, 2022)

    1.10.9

    November 30, 2022

    BUG FIXES:

    • auth: Deduplicate policies prior to ACL generation [GH-17914]
    • core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
    • core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
    • core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
    • secrets/azure: add WAL to clean up role assignments if errors occur [GH-18084]
    • secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18109]
    • ui: fix entity policies list link to policy show page [GH-17950]
    Source code(tar.gz)
    Source code(zip)
  • v1.11.5(Nov 1, 2022)

    1.11.5

    November 2, 2022

    IMPROVEMENTS:

    • database/snowflake: Allow parallel requests to Snowflake [GH-17594]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

    BUG FIXES:

    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
    Source code(tar.gz)
    Source code(zip)
  • v1.12.1(Nov 1, 2022)

    1.12.1

    November 2, 2022

    IMPROVEMENTS:

    • api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
    • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
    • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

    BUG FIXES:

    • cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
    • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
    • core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
    • kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
    Source code(tar.gz)
    Source code(zip)
  • v1.10.8(Nov 1, 2022)

    1.10.8

    November 2, 2022

    BUG FIXES:

    • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
    Source code(tar.gz)
    Source code(zip)
  • v1.12.0(Oct 12, 2022)

    1.12.0

    October 13, 2022

    CHANGES:

    • api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
    • auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
    • auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
    • core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
    • core: Bump Go version to 1.19.2.
    • core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
    • identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
    • licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
    • plugins: Add plugin version to auth register, list, and mount table [GH-16856]
    • plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
    • plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
    • plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
    • plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
    • plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
    • plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
    • secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
    • secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
    • secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
    • secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

    FEATURES:

    • GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
    • LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
    • OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
    • Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
    • Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
    • Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
    • Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
    • HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
    • ui: UI support for Okta Number Challenge. [GH-15998]

    IMPROVEMENTS:

    • :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
    • activity (enterprise): Added new clients unit tests to test accuracy of estimates
    • agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
    • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
    • agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
    • agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
    • agent: Send notifications to systemd on start and stop. [GH-9802]
    • api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
    • api: Add a sentinel error for missing KV secrets [GH-16699]
    • auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
    • auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses. When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474]
    • auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
    • auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
    • auth/cert: Add metadata to identity-alias [GH-14751]
    • auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
    • auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
    • auth/gcp: Add support for GCE regional instance groups [GH-16435]
    • auth/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17160]
    • auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
    • auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
    • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
    • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
    • auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
    • auth/oci: Add support for role resolution. [GH-17212]
    • auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
    • cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
    • cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
    • cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
    • command/audit: Improve missing type error message [GH-16409]
    • command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
    • command: Fix shell completion for KV v2 mounts [GH-16553]
    • core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
    • core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
    • core (enterprise): Add custom metadata support for namespaces
    • core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
    • core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
    • core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
    • core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
    • core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
    • core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
    • core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
    • core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
    • core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
    • core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
    • core: Limit activity log client count usage by namespaces [GH-16000]
    • core: Upgrade github.com/hashicorp/raft [GH-16609]
    • core: remove gox [GH-16353]
    • docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
    • identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
    • identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
    • identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
    • identity: Prevent possibility of data races on entity creation. [GH-16487]
    • physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
    • plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
    • plugins: Add Deprecation Status method to builtinregistry. [GH-16846]
    • plugins: Added environment variable flag to opt-out specific plugins from multiplexing [GH-16972]
    • plugins: Adding version to plugin GRPC interface [GH-17088]
    • plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
    • replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
    • secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
    • secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [GH-16519]
    • secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
    • secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
    • secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
    • secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
    • secrets/ad: set config default length only if password_policy is missing [GH-16140]
    • secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
    • secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
    • secrets/database/snowflake: Add multiplexing support [GH-17159]
    • secrets/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17174]
    • secrets/gcpkms: Update dependencies: google.golang.org/[email protected] [GH-17199]
    • secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
    • secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
    • secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
    • secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
    • secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [GH-16958]
    • secrets/pki: Add ability to periodically rebuild CRL before expiry [GH-16762]
    • secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
    • secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
    • secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
    • secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
    • secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
    • secrets/pki: Allow revocation via proving possession of certificate's private key [GH-16566]
    • secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
    • secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [GH-16249]
    • secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [GH-16874]
    • secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
    • secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
    • secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
    • secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
    • secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
    • secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
    • secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
    • ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
    • storage/cassandra: tuning parameters for clustered environments connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
    • storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
    • ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [GH-15852]
    • ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
    • ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
    • ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
    • ui: Replaces non-inclusive terms [GH-17116]
    • ui: redirect_to param forwards from auth route when authenticated [GH-16821]
    • website/docs: API generate-recovery-token documentation. [GH-16213]
    • website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
    • website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [GH-17139]
    • website/docs: Update replication docs to mention Integrated Storage [GH-16063]
    • website/docs: changed to echo for all string examples instead of (<<<) here-string. [GH-9081]

    BUG FIXES:

    • agent/template: Fix parsing error for the exec stanza [GH-16231]
    • agent: Agent will now respect max_retries retry configuration even when caching is set. [GH-16970]
    • agent: Update consul-template for pkiCert bug fixes [GH-16087]
    • api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
    • api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
    • api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where it was not properly handling /auth/ [GH-15552]
    • api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
    • auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
    • auth/kerberos: Maintain headers set by the client [GH-16636]
    • auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
    • auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
    • command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
    • core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
    • core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
    • core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
    • core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
    • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
    • core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
    • core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
    • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
    • database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
    • debug: Fix panic when capturing debug bundle on Windows [GH-14399]
    • debug: Remove extra empty lines from vault.log when debug command is run [GH-16714]
    • identity (enterprise): Fix a data race when creating an entity for a local alias.
    • identity/oidc: Adds claims_supported to discovery document. [GH-16992]
    • identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
    • identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
    • identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
    • openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
    • plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
    • plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
    • plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
    • quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
    • replication (enterprise): Fix data race in SaveCheckpoint()
    • replication (enterprise): Fix data race in saveCheckpoint.
    • replication (enterprise): Fix possible data race during merkle diff/sync
    • secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
    • secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
    • secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
    • secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
    • secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
    • secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
    • secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
    • secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
    • secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
    • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
    • storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • storage/raft: Fix retry_join initialization failure [GH-16550]
    • storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
    • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
    • ui: Fix info tooltip submitting form [GH-16659]
    • ui: Fix issue logging in with JWT auth method [GH-16466]
    • ui: Fix lease force revoke action [GH-16930]
    • ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
    • ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
    • ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
    • ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
    • vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]
    Source code(tar.gz)
    Source code(zip)
  • v1.12.0-rc1(Sep 30, 2022)

  • v1.11.4(Sep 29, 2022)

  • v1.10.7(Sep 29, 2022)

  • v1.9.10(Sep 29, 2022)

  • v1.11.3(Aug 31, 2022)

  • v1.10.6(Aug 31, 2022)

  • v1.11.1(Jul 21, 2022)

  • v1.10.5(Jul 21, 2022)

  • v1.11.0(Jun 20, 2022)

    1.11.0

    Unreleased

    CHANGES:

    • auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
    • auth: Remove support for legacy MFA (https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869]
    • core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
    • core: Bump Go version to 1.17.9. [GH-go-ver-1110]
    • licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
    • replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
    • ui: Upgrade Ember to version 3.28 [GH-14763]

    FEATURES:

    • Non-Disruptive Intermediate/Root Certificate Rotation: This allows import, generation and configuration of any number of keys and/or issuers within a PKI mount, providing operators the ability to rotate certificates in place without affecting existing client configurations. [GH-15277]
    • api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [GH-14899]
    • nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
    • storage/dynamodb: Added AWS_DYNAMODB_REGION environment variable. [GH-15054]

    IMPROVEMENTS:

    • agent/auto-auth: Add min_backoff to the method stanza for configuring initial backoff duration. [GH-15204]
    • agent: Update consult-template to v0.29.0 [GH-15293]
    • agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
    • api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
    • api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
    • api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
    • api: If the parameters supplied over the API payload are ignored due to not being what the endpoints were expecting, or if the parameters supplied get replaced by the values in the endpoint's path itself, warnings will be added to the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
    • api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
    • api: Use the context passed to the api/auth Login helpers. [GH-14775]
    • auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
    • auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
    • cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
    • cli/vault: warn when policy name contains upper-case letter [GH-14670]
    • cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
    • cockroachdb: add high-availability support [GH-12965]
    • core (enterprise): Include termination_time in sys/license/status response
    • core (enterprise): Include termination time in license inspect command output
    • core : check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
    • core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
    • core/activity: Order month data in ascending order of timestamps [GH-15259]
    • core: Add new DB methods that do not prepare statements. [GH-15166]
    • core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
    • core: Include build date in sys/seal-status and sys/version-history endpoints. [GH-14957]
    • core: Upgrade github.org/x/crypto/ssh [GH-15125]
    • sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
    • secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
    • secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
    • secrets/pki: Warn when generate_lease and no_store are both set to true on requests. [GH-14292]
    • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
    • storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
    • ui: Parse schema refs from OpenAPI [GH-14508]
    • ui: Remove storybook. [GH-15074]
    • ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
    • website/docs: added a link to an Enigma secret plugin. [GH-14389]

    BUG FIXES:

    • Fixed panic when adding or modifying a Duo MFA Method in Enterprise
    • agent: Fix log level mismatch between ERR and ERROR [GH-14424]
    • api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
    • api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
    • api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
    • auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [GH-14746]
    • auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
    • auth: load login MFA configuration upon restart [GH-15261]
    • cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
    • cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
    • cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
    • core (enterprise): Allow local alias create RPCs to persist alias metadata
    • core (enterprise): Fix some races in merkle index flushing code found in testing
    • core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
    • core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
    • core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
    • core: Fix double counting for "route" metrics [GH-12763]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
    • core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
    • core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
    • core: fixed systemd reloading notification [GH-15041]
    • core: fixing excessive unix file permissions [GH-14791]
    • core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
    • core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
    • core: report unused or redundant keys in server configuration [GH-14752]
    • core: time.After() used in a select statement can lead to memory leak [GH-14814]
    • rafft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
    • raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
    • replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
    • sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
    • sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
    • sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
    • secrets/database: Ensure that a connection_url password is redacted in all cases. [GH-14744]
    • secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
    • secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
    • ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
    • ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
    • ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
    • ui: Fixes edit auth method capabilities issue [GH-14966]
    • ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
    • ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
    • ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
    • ui: masked values no longer give away length or location of special characters [GH-15025]
    Source code(tar.gz)
    Source code(zip)
  • v1.11.0-rc1(Jun 10, 2022)

  • v1.10.4(Jun 10, 2022)

  • v1.10.3(May 11, 2022)

  • v1.10.2(Apr 29, 2022)

  • v1.8.11(Apr 29, 2022)

  • v1.10.1(Apr 22, 2022)

  • v1.8.10(Apr 22, 2022)

Owner
HashiCorp
Consistent workflows to provision, secure, connect, and run any infrastructure for any application.
HashiCorp
Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com

shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security br

Paul 3.6k Dec 23, 2022
Cossack Labs 1.1k Dec 28, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Filippo Valsorda 12.4k Dec 28, 2022
Find secrets and passwords in container images and file systems

Find secrets and passwords in container images and file systems

null 1.9k Jan 1, 2023
Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more...

Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more... Coded with ?? by edoardottt. Share on Twitter! P

gilfoyle97 654 Dec 25, 2022
QR secrets is a cryptographically secure mechanism to store secret data with the highest levels of security and store it on physical paper.

QR Secrets QR secrets is a cryptographically secure mechanism to store secret data with the highest levels of security. Incorporating; AES256-GCM-HKDF

Go Compile 0 Jan 12, 2022
Telling tales on you for leaking secrets!

Squealer Telling tales on you for leaking secrets! Squealer scans a local git repository for secrets that are being leaked deep within the commit hist

Owen Rumney 125 Nov 8, 2022
Friends don't let friends leak secrets on their terminal window

senv - safer env Friends don't let friends leak secrets in terminal windows. ?? Print your environment to the terminal without worry.

null 104 Oct 26, 2022
A containerd runc shim for replacing environment variables with external secrets

ext-secrets-runc-shim A containerd, runc-based, shim for replacing environment variables with secrets from arbitrary external engines. Quickstart Inst

Pelotech 8 Aug 9, 2022
Allows you to replace a secret in a file using secrets manager

secrets inserter Allows you to replace a secret in a file using secrets manager. ::SECRET:secret-name:SECRET:: will be replaced with your secret-name

null 0 Dec 12, 2021
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 26 Dec 30, 2022
XXTEA is a fast and secure encryption algorithm.

XXTEA Golang Introduction xxtea is a fast and secure encryption algorithm. This project is the Golang implementation of the xxtea encryption algorithm

yanheng 2 Aug 3, 2022
password manager using age for encryption

page ====== password manager using age (https://age-encryption.org/) for encryption. encrypted secrets are files in the $PAGE_SECRETS/ directory that

null 5 May 30, 2022
A CLI tool that can be used to disrupt wireless connectivity in your area by jamming all the wireless devices connected to multiple access points.

sig-716i A CLI tool written in Go that can be used to disrupt wireless connectivity in the area accessible to your wireless interface. This tool scans

Narasimha Prasanna HN 73 Oct 14, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 13.5k Jan 6, 2023
A port scan and service weakpass brute tool build by golang.

A port scan and service weakpass brute tool build by golang.

M1ku 76 Jan 5, 2023
Optimus is an easy-to-use, reliable, and performant workflow orchestrator for data transformation, data modeling, pipelines, and data quality management.

Optimus Optimus is an easy-to-use, reliable, and performant workflow orchestrator for data transformation, data modeling, pipelines, and data quality

Open Data Platform 680 Jan 6, 2023
Product Analytics, Business Intelligence, and Product Management in a fully self-contained box

Engauge Concept It's not pretty but it's functional. Track user interactions in your apps and products in real-time and see the corresponding stats in

Engauge 93 Nov 17, 2021
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

chenk 22 Dec 14, 2022