We are proud to announce the release of HashiCorp Vault 0.8.2, which includes a number of new features, improvements, bug fixes, and a security notice.
In prior versions of Vault, if authenticating via the AWS authentication backend using the IAM method and requesting a periodic token, the period was not properly respected upon token renewal. This could lead to tokens expiring unexpectedly, or a token lifetime being longer than expected. Upon token renewal with Vault 0.8.2 the period will be properly enforced.
Lazy Lease Loading
When Vault takes over active duty, it needs to load all outstanding leases on dynamic credentials and Vault tokens in order to properly authenticate requests and to revoke expired credentials as soon as possible.
In previous versions of Vault, this process was synchronous. However, as our customers scaled Vault to handle ever-larger numbers of secrets and users, this could result in a cold-boot or HA-failover transition that stretched into minutes or hours depending on a number of factors, such as the number of outstanding leases and storage/network speed.
In Vault 0.8.2, we’ve made this loading lazy. Loading will happen in the background while Vault continues to service requests. For any synchronous operation affecting leases (including those attached to tokens) -- a lookup, a lease renewal, or a lease revocation -- that lease will be synchronously paged in if it has not yet been loaded by the lazy loading process.
For large installations, this should reduce HA failover time from minutes or hours to seconds, at the expense of some potential higher request latency during loading for leases that need to be looked up but have not yet been loaded by the lazy loading process.
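To make the background-plus-on-demand design concrete, here is a small model of it (added example, not Vault's own code): a `LeaseManager` whose `store` map stands in for the storage backend, with a background pass that pages every persisted lease into memory while `Lookup` serves requests and synchronously pages in any lease the background pass has not reached yet. Lease IDs and paths are constructed sample input.

```go
package main

import (
	"fmt"
	"sync"
)
// Lease is the minimal record the manager tracks (constructed for this example).
type Lease struct{ ID, Path string }
// LeaseManager restores leases in the background and synchronously pages in any
// lease a request needs first; store stands in for Vault's storage backend (assumption).
type LeaseManager struct {
	mu     sync.Mutex
	leases map[string]Lease // leases already in memory
	store  map[string]Lease // persisted leases, read lazily
}
func NewLeaseManager(store map[string]Lease) *LeaseManager {
	return &LeaseManager{leases: map[string]Lease{}, store: store}
}
// pageIn loads one lease unless already in memory; the lock keeps a background load and an on-demand load of the same lease from racing.
func (m *LeaseManager) pageIn(id string) (Lease, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if l, ok := m.leases[id]; ok {
		return l, true
	}
	l, ok := m.store[id]
	if ok {
		m.leases[id] = l
	}
	return l, ok
}
// StartLoading begins the lazy restore without blocking the caller; done is closed once every persisted lease is paged in.
func (m *LeaseManager) StartLoading(done chan<- struct{}) {
	go func() {
		for id := range m.store {
			m.pageIn(id)
		}
		close(done)
	}()
}
// Lookup is the synchronous path a renewal or revocation takes: served from memory when possible, otherwise paged in on demand.
func (m *LeaseManager) Lookup(id string) (Lease, bool) { return m.pageIn(id) }
// Loaded returns how many leases are in memory so far.
func (m *LeaseManager) Loaded() int { m.mu.Lock(); defer m.mu.Unlock(); return len(m.leases) }
func main() {
	m := NewLeaseManager(map[string]Lease{"l1": {ID: "l1", Path: "aws/creds/deploy"}})
	fmt.Println(m.Lookup("l1")) // answered before any background load has run
}
```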
See the Vault 0.8.2 changelog for a full list of changes in addition to the features called out here.
SSH Login with vault ssh using Certificates
vault ssh now supports authenticating to machines via certificates and remote host key verification through the SSH secret backend (if enabled).
Although issuing certificates was possible in previous releases of Vault, the vault ssh command did not know how to take advantage of this, and was only usable with the older modes of operation of the SSH secrets backend.
Signing of Self-Issued Certs in PKI
The PKI backend can now sign self-issued certificates. These are certificates in which the subject and issuer DNs are the same (and neither is the PKI backend’s CA cert).
This is mostly useful for switching root CAs. The client can verify that the self-issued certificate is signed via an authority key ID that it trusts in order to build a trust relationship with the new CA.
When performing this signing, only basic verification of the given certificate is performed (ensuring it’s a CA and it’s self-issued), so access to this endpoint should be highly restricted.
Vault 0.8.2 introduces architectural changes to the Secure Plugin system introduced in Vault 0.8 to better support certain situations with sealing/unsealing Vault instances. As such, Vault plugins will need to be built with the latest changes in order for them to run properly. See the changelog for more details.
As always, please test in an isolated environment before upgrading and follow Vault's Upgrade Guide.
Thank you again to the Vault community for their ideas, bug reports, and pull requests.