Vault 1.14.0 release notes

GA date: June 21, 2023

Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Vault code on GitHub.

We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.

Known issues and breaking changes

Version	Issue
1.14.0+	Users limited by control groups can only access issuer detail from PKI overview page
All	API calls to update-primary may lead to data loss
1.14.0+	AWS static roles ignore changes to rotation period
1.14.0+	UI Collapsed navbar does not allow certain click events
1.14.3+	Vault storing references to ephemeral sub-loggers causing memory leak
1.14.4+	Internal error when vault policy in namespace does not exist

Vault companion updates

Companion updates are Vault updates that live outside the main Vault binary.

Release	Update	Description
Vault Secrets Operator for Kubernetes	GA	Directly connect Vault secrets into Pods as native Kubernetes Secrets without modifying your application code. Learn more: Vault Secrets Operator
Terraform	GA	Use LDAP authentication from the unified LDAP engine to Terraform Vault Provider. Learn more: LDAP Secrets Engine
Terraform	ENHANCED	Support for additional PKI issuers and keys endpoints. Learn more: PKI Secrets Engine

Core updates

Follow the learn more links for more information, or browse the list of Vault tutorials updated to highlight changes for the most recent GA release.

Release	Update	Description
Public Key Infrastructure (PKI)	GA	Use ACME to automate certificate lifecycle management for private PKI needs with standard ACME clients like Certbot and k8s cert-manager. Request certificates from a Vault server without needing to know Vault APIs or authentication mechanisms. Learn more: PKI Secrets Engine API: ACME
Public Key Infrastructure (PKI)	GA	Use the improved PKI web UI to manage your PKI instance with intuitive configuration and reasonable defaults for workflows, metadata, issuer info, mount and tidy configuration, cross signing, multi-issuers etc.and includes. Learn more: PKI Secrets Engine
Security patches	ENHANCED	Various security improvements to remediate low severity and informational findings from a 3rd party security audit. Learn more: Vault security model
Vault Agent	BETA	Fetch secrets directly into your application as environment variables. Learn more: Process Supervisor Mode
Vault Agent	GA	Use a new subcommand and daemon, Vault Proxy, to access the proxy functionality of Vault Agent. Vault Proxy will handle Vault Agent proxy functionality going forward to simplify use case decisions for users. Learn more: Vault Proxy
Plugin support	GA	Capture plugin metadata in the Vault audit log. Learn more: Syslog audit device
	GA	Use X509 Authentication and Terraform Vault Provider in the MongoDB Atlas Database Secrets Engine. Learn more: MongoDB Atlas Database Secrets Engine
	ENHANCED	Dependency updates and more robust multiplexing for secrets and authentication plugins. Learn more: Serving a plugin with multiplexing (Plugin Development)
AWS support	ENHANCED	Monitoring and performance enhancements for the Vault Lambda extension. Learn more: Vault Lambda Extension guide
AWS support	GA	Use static roles for IAM users in the AWS Secrets Engine. Learn more: AWS Secrets Engine
Vault GUI	ENHANCED	Streamlined and aligned navigation with HCP Vault UI. Learn more: Vault UI
Transit	ENHANCED	Contributed by the Vault community. Support for public-key only Transit keys and BYOK-secured export of key material. Learn more: Transit Secrets Engine

Enterprise updates

Release	Update	Description
Vault replication	ENHANCED	Stability improvements based on customer feedback for Vault 1.13. See theVault changelogfor a full list of bug fixes. Learn more: Replication overview
License utilization reporting	GA	Enables automatic license utilization reporting for you and HashiCorp to ensure transparent, accurate billing. Learn more: Automated License utilization reporting

Internal error when vault policy in namespace does not exist

If a user is a member of a group that gets a policy from a namespace other than the one they’re trying to log into, and that policy doesn’t exist, Vault returns an internal error. This impacts all auth methods.

Affected versions

1.13.8 and 1.13.9
1.14.4 and 1.14.5
1.15.0 and 1.15.1

A fix will be released in Vault 1.15.2, 1.14.6, and 1.13.10.

Workaround

During authentication, Vault derives inherited policies based on the groups an entity belongs to. Vault returns an internal error when attaching the derived policy to a token when:

the token belongs to a different namespace than the one handling authentication, and
the derived policy does not exist under the namespace.

You can resolve the error by adding the policy to the relevant namespace or deleting the group policy mapping that uses the derived policy.

As an example, consider the following userpass auth method failure. The error is due to the fact that Vault expects a group policy under the namespace that does not exist.

# Failed login
$ vault login -method=userpass username=user1 password=123
Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/userpass/login/user1
Code: 500. Errors:

* internal error

To confirm the problem is a missing policy, start by identifying the relevant entity and group IDs:

$ vault read -format=json identity/entity/name/user1 | \
  jq '{"entity_id": .data.id, "group_ids": .data.group_ids} '
{
  "entity_id": "420c82de-57c3-df2e-2ef6-0690073b1636",
  "group_ids": [
    "6cb152b7-955d-272b-4dcf-a2ed668ca1ea"
  ]
}

Use the group ID to fetch the relevant policies for the group under the ns1 namespace:

$ vault read -format=json -namespace=ns1 \
  identity/group/id/6cb152b7-955d-272b-4dcf-a2ed668ca1ea | \
  jq '.data.policies'
[
  "group_policy"
]

Now that we know Vault is looking for a policy called group_policy, we can check whether that policy exists under the ns1 namespace:

$ vault policy list -namespace=ns1
default

The only policy in the ns1 namespace is default, which confirms that the missing policy (group_policy) is causing the error.

To fix the problem, we can either remove the missing policy from the 6cb152b7-955d-272b-4dcf-a2ed668ca1ea group or create the missing policy under the ns1 namespace.

To remove group_policy from group ID 6cb152b7-955d-272b-4dcf-a2ed668ca1ea, use the vault write command to set the applicable policies to just include default:

$ vault write                                             \
  -namespace=ns1                                          \
  identity/group/id/6cb152b7-955d-272b-4dcf-a2ed668ca1ea  \
  name="test"                                             \
  policies="default"

To create the missing policy, use vault policy write and define the appropriate capabilities:

$ vault policy write -namespace=ns1 group_policy - << EOF
    path "secret/data/*" {
        capabilities = ["create", "update"]
    }
EOF

Verify the fix by re-running the login command:

$ vault login -method=userpass username=user1 password=123

Vault is storing references to ephemeral sub-loggers leading to a memory leak

Vault is unexpectedly storing references to ephemeral sub-loggers which prevents them from being cleaned up, leading to a memory leak. This impacts many areas of Vault, but primarily logins in Enterprise. There is no workaround.

Affected versions

This issue affects Vault Community and Enterprise versions:

1.13.7+
1.14.3+
1.15.0+

A fix will be issued in the next release

Feature deprecations and EOL

Deprecated in 1.14	Retired in 1.14
Vault Agent API proxy support	Duplicative Docker Images

Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans or the Feature Deprecation FAQ for general questions about our deprecation process.