Vault 1.1: Secret Caching with Vault Agent and Other New Features
Watch HashiCorp demo the three major new features of Vault 1.1: Secret caching with Vault Agent, an OIDC authentication workflow, and transit auto-unseal.
Software Developer, Vault Core, HashiCorp
In Vault 1.0, users saw the open source launch of auto-unseal and the introduction of batch tokens, along with improved performance. Being a landmark "1.0" release also meant feature completeness, ecosystem integration, security hardening, and enterprise-readiness.
Vault 1.1 begins a new core mission to build a foundation of new infrastructure for delivering various advanced platform features. In 1.1, advanced features for improved workflows and scaling were introduced. Three of the primary features include:
- Secret Caching with Vault Agent: Securely cache secrets for easy access to applications and edge services.
- OIDC Auth Flow: Enable new authentication methods such as authenticating to Vault via OpenID Connect.
- Transit Auto-Unseal: Auto-Unseal a Vault cluster from a separate Vault cluster via transit encryption.
In this webinar, Vault Core Developer Nick Cabatoff provides introductions to all of these features along with three demos to showcase each one.
0:00 — Overview of Vault 1.1 New Features
3:13 — OIDC-based Authentication
6:08 — Demo: AuthO OIDC
See additional tutorial on HashiCorp Learn: OIDC with Auth0
15:29 — Vault Agent Caching
21:23 — Demo: Agent Cache
See additional tutorial on HashiCorp Learn: Vault agent caching
26:34 — Transit Auto-Unseal Provider
29:47 — Demo: Transit Auto-Unseal
See additional tutorial on HashiCorp Learn: Transit Auto-unseal
32:56 — Q&A
All of the demos for this webinar can be found in this GitHub repo
- Will the OIDC feature support conditional access? e.g. different rights based on how someone/something authenticated?
- Is the id token is signed?
- Why do we need the sink file when we enable Vault Agent cache? Can
vault_tokenbe handled in memory by the Agent instead of the sink file?
- Are there any plans to bring caching to the K/V store?
- Can we enable transit auto-unseal without having to re-issue the current shards?