HSM config parameter requirements: When using Vault with an HSM, a new
parameter is required: hmac_key_label. This performs a similar function to
key_label but for the HMAC key Vault will use. Vault will generate a
suitable key if this value is specified and generate_key is set true.
API HTTP client behavior: When calling NewClient the API no longer
modifies the provided client/transport. In particular this means it will no
longer enable redirection limiting and HTTP/2 support on custom clients. It
is suggested that if you want to make changes to an HTTP client that you use
one created by DefaultConfig as a starting point.
AWS EC2 client nonce behavior: The client nonce generated by the backend
that gets returned along with the authentication response will be audited in
plaintext. If this is undesired, the clients can choose to supply a custom
nonce to the login endpoint. The custom nonce set by the client will from
now on, not be returned back with the authentication response, and hence not
audit logged.
AWS Auth role options: The API will now error when trying to create or
update a role with the mutually-exclusive options
disallow_reauthentication and allow_instance_migration.
SSH CA role read changes: When reading back a role from the ssh backend,
the TTL/max TTL values will now be an integer number of seconds rather than
a string. This better matches the API elsewhere in Vault.
SSH role list changes: When listing roles from the ssh backend via the API,
the response data will additionally return a key_info map that will contain
a map of each key with a corresponding object containing the key_type.
More granularity in audit logs: Audit request and response entries are still
in RFC3339 format but now have a granularity of nanoseconds.
High availability related values have been moved out of the storage and
ha_storage stanzas, and into the top-level configuration. redirect_addr
has been renamed to api_addr. The stanzas still support accepting
HA-related values to maintain backward compatibility, but top-level values
will take precedence.
A new seal stanza has been added to the configuration file, which is
optional and enables configuration of the seal type to use for additional
data protection, such as using HSM or Cloud KMS solutions to encrypt and
decrypt data.
FEATURES:
RSA Support for Transit Backend: Transit backend can now generate RSA
keys which can be used for encryption and signing. [GH-3489]
Identity System: Now in open source and with significant enhancements,
Identity is an integrated system for understanding users across tokens and
enabling easier management of users directly and via groups.
External Groups in Identity: Vault can now automatically assign users
and systems to groups in Identity based on their membership in external
groups.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/sdk from 0.8.1 to 0.9.0.
Changelog
Sourced from github.com/hashicorp/vault/sdk's changelog.
... (truncated)
Commits
bdac185Cut version 0.9.0be83081changelog++f056cf9Sync docs4033471Prep for 0.9.04a60247Fix mount path for credential values in aliases (#3580)c1ed4a0Bump go version in Dockerfile2a7f3e9Acquire state lock at the start of UnsealWithRecoveryKeys (#3579)b659e94API refactoring and doc updates (#3577)58ce26aUpdate the path for generating DR Operation tokens (#3578)81f968fRemove unused recovery field in dynamodb backend (#3569)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)