Vault 1.15.0, 1.14.4, and 1.13.8 released!

Hi folks,

The Vault team is announcing the release of 1.15, as well as Vault 1.14.4 and 1.13.8.

Community Edition binaries can be downloaded at [1, 2, 3]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [4].

The major features and improvements in the 1.15 release are:

  • PKI CIEPS (Enterprise): Certificate Issuance External Policy Service enables customers to configure an external service that Vault PKI will use to validate, augment, and approve certificate requests.
  • Seal HA (Enterprise, Beta): Allows users to configure more than one seal for auto-unseal and seal wrapping high availability. This feature is not yet suitable for production use.
  • Azure Workload Identity Federation: The Azure Auth plugin now supports Azure’s Workload Identity Federation (WIF). The Vault Agent has also added auto-auth support for Azure WIF.
  • SAML Auth Method (Enterprise): Enable users to authenticate with Vault using their identity in a SAML Identity Provider.
  • Secrets Sync (Enterprise, Beta): Introduce the ability for Vault Enterprise to sync KVv2 secrets from Vault to third-party destinations such as AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, GitHub Secrets, and Vercel.
  • Event System (Beta): This update adds support for Vault clustering and replication configurations, subscribing to multiple namespaces, filtering, and policy enforcement. Pre-defined events are currently limited to the KV secrets engine, with extensions to other engines Vault subsystems planned. External plugins are now able to generate events. This feature is not suitable for production use while in beta.
  • Containerized Plugins (Beta): External plugins can now run in their own containers on Linux, allowing increased separation and protection from the Vault processes. This requires Vault to have access to a container runtime. This feature is not suitable for production use while in beta.
  • Advanced TTL Management on Database Engine: The Database Engine now supports rotating static secrets through a schedule-based rotation mechanism. The schedule can be specified as a cron-style parameter, and is mutually exclusive with the existing rotation period mechanism for static roles.
  • Inherited Quotas: Rate limit and lease count quotas set on a namespace can now be configured to apply to that namespace and all of its children namespaces.
  • Reindex Improvements (Enterprise): Reindexing should have reduced downtime.
  • X509 Certificates in Transit: Support signing CSRs and rotating signed certificates matching key material within Transit, allowing, for example, for code signing certificates with the Notary Project to be stored adjacent to their key material. This feature was contributed by the community.
  • Dashboard UI: The new Vault landing page introduces enhanced functionality by enabling users to quickly perform actions, access data and surface basic Client Count and Replication information for enterprise users.
  • LDAP Secrets Engine UI: Within the Vault UI, users can enable the LDAP secrets engine and connect to their existing OpenLDAP, Active Directory (AD), or Resource Access Control Facility (RACF) systems. The UI provides a centralized workflow for efficiently managing LDAP roles, setting shared library accounts/credentials, and automatic password rotations.
  • Copyable KV v2 paths in UI: Provides users with the path of a given secret to copy and use directly in API or CLI commands.
  • Improved KV V2 UI: Refactored the KV v2 secrets engine, fixing known bugs and improving functionality such as version diff and secret deletion.

See the Changelog at [5] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [10] for our upcoming feature deprecation plans.

Community [8] and Enterprise [9] Docker images are also available.


Upgrading

See [6] for general upgrade instructions, and [7] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [11].

We hope you enjoy Vault 1.15!

Sincerely, The Vault Team

[1] Vault v1.15.0 Binaries | HashiCorp Releases
[2] Vault v1.14.4 Binaries | HashiCorp Releases
[3] Vault v1.13.8 Binaries | HashiCorp Releases
[4] Security at HashiCorp
[5] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md
[6] Upgrading Vault - Guides | Vault | HashiCorp Developer
[7] https://developer.hashicorp.com/vault/docs/release-notes/1.15.0
[8] Docker
[9] Docker
[10] Feature Deprecation Notice | Vault | HashiCorp Developer
[11] Vault - HashiCorp Discuss