IMPROVEMENTS:
- Added concurrency for all audit devices, auth methods, secrets engines, and policies
FEATURES:
- Added support for Identity Group Aliases and Identity Group of Groups
- Added support for JWT/OIDC auth backend roles
- Added concurrency. By default,
vault-adminwill use 5 "threads" to process specific config items (currently only Identity secrets engine and JWT/OIDC roles). This count can be configured with the-n/--concurrentcommand line flags.- Note: Concurrency changes the order of operations for some actions. This should not pose any problems but any user prompts will now be held off until the end of the run.
IMPROVEMENTS:
- Added documentation for the Identity secrets backend
BUGFIX:
- Identity secrets backend now cleans up entity aliases correctly
- Fixed bug introduced in v0.3.1 where the Docker container did not run vault-admin when started with no "CMD" parameter.
BUGFIXES:
- Fixed issue where kv backends not at the default
secret/path would prompt to delete. Also fixed potential issue forcubbyholesystemandidentitybackends not at their default paths.
FEATURES:
- Added
--rotate-credsflag for rotating secret engine credentials (currently just AWS supported)
IMPROVEMENTS:
- Added top-level
overwrite_root_configparameter for AWS secret backend configsaws.json. This will force an overwrite of the root config. The default behavior will be to leave the root credentials alone if the mount already exists. This will allow AWS keys to be rotated.
FEATURE:
- Added string substitution for auth methods
BREAKING CHANGES:
- The format of
auth_methodshas changed slightly to allow for a more generic configuration for all auth types. Theauth_optionsandconfigtop-level keys have not changed but all additional config has been brought down a level into theadditional_configsection. See the auth_method examples for details.
{
"auth_options": {
...
},
"config": {
...
},
"additional_config": {
"policy_map": {
...
}
}
}
FEATURES:
- Userpass Auth method now supported. See examples for syntax.
- Identity Entities, EntityAliases and Groups are now supported. See examples for syntax.
- Added more extensive debug logging
FIXED:
- Issue where debug logging would expose the Vault token being used
- Infinite loop when prompting if a non-interactive terminal is being used
FIXED:
- Issue with AWS secret backend when setting a role using
policy_arnswithout araw_policyorpolicy_documentwhere the role would end up in a bad state
OTHER:
- Refactored to use go modules (go 1.12)
BREAKING CHANGES:
- Due to the addition of policy ARNs in AWS secret backend roles, the format of the role configs have changed. Policies using raw definitions must now be specified like so:
{
"credential_type": "iam_user",
"raw_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
IMPROVEMENTS:
- AWS secrets engine roles can now be configured with policy arns as well as raw policy docs
- Fixed fatal errors when certain configs didn't exist (audit_methods, secrets_engines, etc.)
OTHER:
- Added some testing scripts
FEATURES:
- Added ability to update mount description (for Auth and Secrets Engines) [#1]
- Added ability to change
listing_visibilityfor mounts (Auth and Secrets Engines) [#2]
IMPROVEMENTS:
- Added documentation in examples/ for details on setting up the configuration files [#3]
OTHER:
- Bumped API version to Vault 0.11.1
- Using
depfor vendor management
FEATURES:
- Added Audit Devices as a configuration option
IMPROVEMENTS:
- Better log messaging