Vault - 0.11.2


(October 2nd, 2018)


  • sys/seal-status now includes an initialized boolean in the output. If
    Vault is not initialized, it will return a 200 with this value set false
    instead of a 400.
  • passthrough_request_headers will now deny certain headers from being
    provided to backends based on a global denylist.
  • Token Format: Tokens are now represented as a base62 value; tokens in
    namespaces will have the namespace identifier appended. (This appeared in
    Enterprise in 0.11.0, but is only in OSS in 0.11.2.)


  • AWS Secret Engine Root Credential Rotation: The credential used by the AWS
    secret engine can now be rotated, to ensure that only Vault knows the
    credentials it is using [GH-5140]
  • Storage Backend Migrator: A new operator migrate command allows offline
    migration of data between two storage backends
  • AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise): AliCloud KMS can now be used a support seal for
    Auto Unseal and Seal Wrapping


  • auth/okta: Fix reading deprecated token parameter if a token was
    previously set in the configuration [GH-5409]
  • core: Re-add deprecated capabilities information for now [GH-5360]
  • core: Fix handling of cyclic token relationships [GH-4803]
  • storage/mysql: Fix locking on MariaDB [GH-5343]
  • replication: Fix DR API when using a token [GH-5398]
  • identity: Ensure old group alias is removed when a new one is written [GH-5350]
  • storage/alicloud: Don't call uname on package init [GH-5358]
  • secrets/jwt: Fix issue where request context would be canceled too early
  • ui: fix need to have update for aws iam creds generation [GF-5294]
  • ui: fix calculation of token expiry [GH-5435]


  • auth/aws: The identity alias name can now configured to be either IAM unique
    ID of the IAM Principal, or ARN of the caller identity [GH-5247]
  • auth/cert: Add allowed_organizational_units support [GH-5252]
  • cli: Format TTLs for non-secret responses [GH-5367]
  • identity: Support operating on entities and groups by their names [GH-5355]
  • plugins: Add env parameter when registering plugins to the catalog to allow
    operators to include environment variables during plugin execution. [GH-5359]
  • secrets/aws: WAL Rollback improvements [GH-5202]
  • secrets/aws: Allow specifying STS role-default TTLs [GH-5138]
  • secrets/pki: Add configuration support for setting NotBefore [GH-5325]
  • core: Support for passing the Vault token via an Authorization Bearer header [GH-5397]
  • replication: Reindex process now runs in the background and does not block other
    vault operations
  • storage/zookeeper: Enable TLS based communication with Zookeeper [GH-4856]
  • ui: you can now init a cluster with a seal config [GH-5428]
  • ui: added the option to force promote replication clusters [GH-5438]
  • replication: Allow promotion of a secondary when data is syncing with a "force" flag (September 17th, 2018) (Enterprise Only)


  • agent: Fix auth handler-based wrapping of output tokens [GH-5316]
  • core: Properly store the replication checkpoint file if it's larger than the
    storage engine's per-item limit
  • core: Improve WAL deletion rate
  • core: Fix token creation on performance standby nodes
  • core: Fix unwrapping inside a namespace
  • core: Always forward tidy operations from performance standby nodes


  • auth/aws: add support for key/value pairs or JSON values for
    iam_request_headers with IAM auth method [GH-5320]
  • auth/aws, secret/aws: Throttling errors from the AWS API will now be
    reported as 502 errors by Vault, along with the original error [GH-5270]
  • replication: Start fetching during a sync from where it previously errored


Oct. 2, 2018, midnight
Register or login to:
  • 🔍View and search all Vault releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google