Vault 1.15.0 release notes

GA date: 2023-09-27

Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Vault code on GitHub.

We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.

Known issues and breaking changes

Version	Issue
1.15.0+	Vault no longer reports rollback metrics by mountpoint
1.15.0	Panic in AWS auth method during IAM-based login
1.15.0+	UI Collapsed navbar does not allow certain click events
1.15	Vault file audit devices do not honor SIGHUP signal to reload
1.15.0+	Vault storing references to ephemeral sub-loggers causing memory leak
1.15.0+	Internal error when vault policy in namespace does not exist

Vault companion updates

Companion updates are Vault updates that live outside the main Vault binary.

Release	Update	Description
Vault Secrets Operator	GA	Run the Vault Secrets Operator (v0.3.0) on Red Hat OpenShift. Learn more: Vault Secrets Operator

Core updates

Follow the learn more links for more information, or browse the list of Vault tutorials updated to highlight changes for the most recent GA release.

Release	Update	Description
Vault Agent	ENHANCED	Updated to use the latest Azure SDK version and Workload Identity Federation (WIF). Learn more: What is Vault Agent?
Vault Agent	GA	Fetch secrets directly into your application as environment variables. Learn more: Process Supervisor Mode
External plugins	BETA	Run external plugins in their own container with native container platform controls. Learn more: Containerize Vault plugins
Eventing	BETA	Subscribe to notifications for various events in Vault. Includes support for filtering, permissions, and cluster configurations with K-V secrets. Learn more: Events
Vault GUI	GA	New LDAP secrets engine GUI. Learn more: Vault UI guide
Vault GUI	ENHANCED	• New landing page dashboard. • View secrets you have read access to under your directory. • View diffs between previous and new secret versions. • Copy and paste secret paths from the GUI to the Vault CLI or API. Learn more: Vault UI guide
Secrets management	GA	Connect to Google Cloud Platform (GCP) Cloud SQL instances using native IAM credentials. Learn more: Google Cloud Platform Secret Manager
Secrets management	ENHANCED	Improved TTL management for database credentials with configurable credential rotation. Learn more: Secrets engines

Enterprise updates

Release	Update	Description
Secrets syncing	BETA	Sync Key/Value (KV) v2 data between Vault and secrets managers from AWS, Azure, Google Cloud Platform (GCP), GitHub, and Vercel. Learn more: Secrets Sync
Public Key Infrastructure (PKI)	GA	Control Vault PKI issued certificates with the Certificate Issuance External Policy Service (CIEPS) to ensure consistency and compliance to enterprise standards. Learn more: Certificate Issuance External Policy Service (CIEPS)
Replication	ENHANCED	Holistic improvements to cluster replication including problem detection and remediation. Learn more: Vault Enterprise replication
Seal High Availability	BETA	Enables Vault administrators to configure multiple KMS for seal keys to ensure Vault availability in the event a single KMS becomes unavailable. Learn more: Seal wrap
Authentication	GA	Authenticate to Vault with your SAML identity provider. Learn more: SAML auth method

Internal error when vault policy in namespace does not exist

If a user is a member of a group that gets a policy from a namespace other than the one they’re trying to log into, and that policy doesn’t exist, Vault returns an internal error. This impacts all auth methods.

Affected versions

1.13.8 and 1.13.9
1.14.4 and 1.14.5
1.15.0 and 1.15.1

A fix will be released in Vault 1.15.2, 1.14.6, and 1.13.10.

Workaround

During authentication, Vault derives inherited policies based on the groups an entity belongs to. Vault returns an internal error when attaching the derived policy to a token when:

the token belongs to a different namespace than the one handling authentication, and
the derived policy does not exist under the namespace.

You can resolve the error by adding the policy to the relevant namespace or deleting the group policy mapping that uses the derived policy.

As an example, consider the following userpass auth method failure. The error is due to the fact that Vault expects a group policy under the namespace that does not exist.

# Failed login
$ vault login -method=userpass username=user1 password=123
Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/userpass/login/user1
Code: 500. Errors:

* internal error

To confirm the problem is a missing policy, start by identifying the relevant entity and group IDs:

$ vault read -format=json identity/entity/name/user1 | \
  jq '{"entity_id": .data.id, "group_ids": .data.group_ids} '
{
  "entity_id": "420c82de-57c3-df2e-2ef6-0690073b1636",
  "group_ids": [
    "6cb152b7-955d-272b-4dcf-a2ed668ca1ea"
  ]
}

Use the group ID to fetch the relevant policies for the group under the ns1 namespace:

$ vault read -format=json -namespace=ns1 \
  identity/group/id/6cb152b7-955d-272b-4dcf-a2ed668ca1ea | \
  jq '.data.policies'
[
  "group_policy"
]

Now that we know Vault is looking for a policy called group_policy, we can check whether that policy exists under the ns1 namespace:

$ vault policy list -namespace=ns1
default

The only policy in the ns1 namespace is default, which confirms that the missing policy (group_policy) is causing the error.

To fix the problem, we can either remove the missing policy from the 6cb152b7-955d-272b-4dcf-a2ed668ca1ea group or create the missing policy under the ns1 namespace.

To remove group_policy from group ID 6cb152b7-955d-272b-4dcf-a2ed668ca1ea, use the vault write command to set the applicable policies to just include default:

$ vault write                                             \
  -namespace=ns1                                          \
  identity/group/id/6cb152b7-955d-272b-4dcf-a2ed668ca1ea  \
  name="test"                                             \
  policies="default"

To create the missing policy, use vault policy write and define the appropriate capabilities:

$ vault policy write -namespace=ns1 group_policy - << EOF
    path "secret/data/*" {
        capabilities = ["create", "update"]
    }
EOF

Verify the fix by re-running the login command:

$ vault login -method=userpass username=user1 password=123

Vault is storing references to ephemeral sub-loggers leading to a memory leak

Vault is unexpectedly storing references to ephemeral sub-loggers which prevents them from being cleaned up, leading to a memory leak. This impacts many areas of Vault, but primarily logins in Enterprise. There is no workaround.

Affected versions

This issue affects Vault Community and Enterprise versions:

1.13.7+
1.14.3+
1.15.0+

A fix will be issued in the next release

Feature deprecations and EOL

Deprecated in 1.15	Retired in 1.15
None	None

Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans or the Feature Deprecation FAQ for general questions about our deprecation process.