Vault 1.2: Database Credential Rotation and Identity Tokens

Vault 1.2, which was released a few weeks after being previewed at HashiConf EU, introduces several useful new features including:

• The ability to mint OIDC-compliant JWT tokens tied to Vault identities
• An upgrade to the database secrets engine making it easier for applications with static user accounts to use Vault to auto-rotate those secrets with no code changes.
• A tech preview for Vault-native high availability storage (no more requirement for Consul or any backend store)
• A KMIP server secret engine in Vault Enterprise

These features further improve Vault’s ability to automate secrets management, encryption as a service, and privileged access management.

Join Vault technical marketer Justin Weissig as he demos two of Vault 1.2's new features:

• Static credential rotation with the upgraded database secrets engine
• Raft-based, Vault-native high availability storage [tech preview]

» Outline

0:00 — Brief introduction to HashiCorp Vault

4:42 — Demo: Static credential rotation with the upgraded database secrets engine

16:56 — Demo: Raft-based, Vault-native high availability storage

22:18 — Overview of creating OIDC-compliant JWT tokens tied to Vault identities

26:30 — Q&A

» Q&A

• How do you migrate from a Consul backend to this new Vault integrated storage?

• For the Raft integrated storage: Do you have auto-unseal on a node restart or does it need to be done separately?

• With Raft, is there the concept of ACLs like there is in Consul. In production we lock down access to the Vault path using ACL tokens.

• Does Vault offer a snapshot agent similar to Consul for its new integrated storage?

To learn more about these features, visit our HashiCorp Learn tracks on Vault 1.2.