smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Bump github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0 #1713

Closed dependabot[bot] closed 6 months ago

dependabot[bot] commented 6 months ago

Bumps github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0.

Changelog

Sourced from github.com/hashicorp/vault/api/auth/approle's changelog.

0.6.0 (June 14th, 2016)

SECURITY:

  • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

DEPRECATIONS/CHANGES:

  • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
  • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
  • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
  • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not obvious to users that they needed to ensure that the token lifetime was at least as long as a potentially very long-lived CA cert.

FEATURES:

  • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

... (truncated)

Commits
  • f627c01 Cut version 0.6.0
  • 5b7e680 Add updated wrapping information
  • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
  • 65cdcd6 Add some commenting
  • 47dc1cc Add token accessor to wrap information if one exists
  • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
  • e521894 Added bound_ami_id check
  • 117200c Fix mah broken tests
  • c6ded38 cubbyhole-response-wrapping -> response-wrapping
  • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)