From dc305f6b70fb4c95033691ddb1aa587d503dfc5f Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Wed, 8 Oct 2025 13:18:09 -0400 Subject: [PATCH 1/9] add utc callout to rotation fields --- .../vault/v1.21.x (rc)/content/partials/rotationfields.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/vault/v1.21.x (rc)/content/partials/rotationfields.mdx b/content/vault/v1.21.x (rc)/content/partials/rotationfields.mdx index 8c7487b9d4..7c58d1f8ff 100644 --- a/content/vault/v1.21.x (rc)/content/partials/rotationfields.mdx +++ b/content/vault/v1.21.x (rc)/content/partials/rotationfields.mdx @@ -8,8 +8,8 @@ defining the schedule on which Vault should rotate the root token. Standard cron-style time format uses five fields to define the minute, hour, day of month, month, and day of week respectively. For example, `0 0 * * SAT` tells - Vault to rotate the root token every Saturday at 00:00. **You must set one of - `rotation_schedule` or `rotation_period`, but cannot set both**. + Vault to rotate the root token every Saturday at 00:00. Vault interprets the schedule in UTC. + **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**. - `rotation_window` `(string/integer: 0)` – The maximum amount of time, in seconds, allowed to complete a rotation when a scheduled token rotation occurs. If Vault cannot rotate the From d0bbb7ec644f64b1ee38218a6170744ab58c97a6 Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Wed, 8 Oct 2025 16:30:34 -0400 Subject: [PATCH 2/9] add callout for utc rotation change in important changes --- .../content/docs/updates/important-changes.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index 78ef8f3b21..bc4cbc0c78 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -52,8 +52,15 @@ more information. ## New behavior -None. +### Rotation manager schedule strings are in UTC +| Change | Affected version | Vault edition +| ------------ | ---------------- | ------------- +| New behavior | TKTK | Enterprise + +Vault will interpret `rotation_schedule` strings relative to UTC. This matches the behavior of +static role rotations in the database plugin. Old rotations will continue to use their existing +schedule until manually updated with an API call. ## Known issues From 0c68d02595b4f736053a7b92503490429110ff8f Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 13 Oct 2025 12:22:30 -0400 Subject: [PATCH 3/9] Update content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../v1.21.x (rc)/content/docs/updates/important-changes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index bc4cbc0c78..6026c52ce2 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -56,7 +56,7 @@ more information. | Change | Affected version | Vault edition | ------------ | ---------------- | ------------- -| New behavior | TKTK | Enterprise +| New behavior | 1.21.x | Enterprise Vault will interpret `rotation_schedule` strings relative to UTC. This matches the behavior of static role rotations in the database plugin. Old rotations will continue to use their existing From bc1008b9de2888643cd8f3d9047632a609425ad6 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 13 Oct 2025 12:23:15 -0400 Subject: [PATCH 4/9] Update content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../v1.21.x (rc)/content/docs/updates/important-changes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index 6026c52ce2..4e2f3c3952 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -52,7 +52,7 @@ more information. ## New behavior -### Rotation manager schedule strings are in UTC +### Rotation manager schedule strings in UTC ((#rotation-manager-utc)) | Change | Affected version | Vault edition | ------------ | ---------------- | ------------- From 291bfc813cab8a5dffc936aff8f95d0ee79b4deb Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 13 Oct 2025 12:31:15 -0400 Subject: [PATCH 5/9] Update content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../v1.21.x (rc)/content/docs/updates/important-changes.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index 4e2f3c3952..705b5e9d3f 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -58,9 +58,9 @@ more information. | ------------ | ---------------- | ------------- | New behavior | 1.21.x | Enterprise -Vault will interpret `rotation_schedule` strings relative to UTC. This matches the behavior of -static role rotations in the database plugin. Old rotations will continue to use their existing -schedule until manually updated with an API call. +Vault interprets `rotation_schedule` strings relative to UTC to match the +behavior of static role rotations in the database plugin. Old rotations use +their existing schedule until you manually update rotation with an API call. ## Known issues From 1c6d81eadcf9fb45c78be682c9a8d49cc2983ac5 Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Tue, 14 Oct 2025 13:40:03 -0400 Subject: [PATCH 6/9] add new behavior to global-important-changes --- .../partials/important-changes/summary-tables/1_21.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/vault/global/partials/important-changes/summary-tables/1_21.mdx b/content/vault/global/partials/important-changes/summary-tables/1_21.mdx index 5f644e5c43..e0579747dc 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_21.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_21.mdx @@ -7,7 +7,10 @@ Introduced | Recommendations | Edition | Change ### New behavior -None. +Introduced | Recommendations | Edition | Change +---------- | --------------- | ---------- | ------ +1.21.0 | **Yes** | Enterprise | [Rotation manager schedule strings in UTC](/vault/docs/v1.21.x/updates/important-changes#rotation-manager-utc) + ### Known issues From 383c9c505b9f450de321cbfc2531a8f0e9506901 Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Wed, 15 Oct 2025 11:48:42 -0400 Subject: [PATCH 7/9] add 1.20.x updates --- .../important-changes/summary-tables/1_20.mdx | 2 +- .../content/docs/updates/important-changes.mdx | 11 +++++++++++ .../vault/v1.20.x/content/partials/rotationfields.mdx | 4 ++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/content/vault/global/partials/important-changes/summary-tables/1_20.mdx b/content/vault/global/partials/important-changes/summary-tables/1_20.mdx index a83d30a418..9e0513aec5 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_20.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_20.mdx @@ -16,7 +16,7 @@ Introduced | Recommendations | Edition | Change 1.20.0 | **Yes** | All | [Key pair authentication for Snowflake DB secrets engine](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-auth) 1.20.0 | **Yes** | All | [Audience warning for Kubernetes authentication roles](#k8-audience-warning) 1.20.3 | No | All | [JSON Payload Limits](/vault/docs/v1.20.x/updates/important-changes#json-limits) - +1.20.5 | **Yes** | All | [Rotation manager schedule strings in UTC](/vault/docs/v1.20.x/updates/important-changes#rotation-manager-utc) ### Known issues diff --git a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx index cfe148953d..97d0ccbdaf 100644 --- a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx @@ -231,6 +231,17 @@ You would then authenticate with the command below. $ vault write auth/kubernetes/login role=demo audience="my_audience" jwt=... ``` + +### Rotation manager schedue strings in UTC ((#rotation-manager-utc)) + +| Change | Affected version | Vault edition +| ------------ | ---------------- | ------------- +| New behavior | 1.20.5+ | Enterprise + +Vault interprets `rotation_schedule` strings relative to UTC to match the +behavior of static role rotations in the database plugin. Old rotations use +their existing schedule until you manually update rotation with an API call. + --- diff --git a/content/vault/v1.20.x/content/partials/rotationfields.mdx b/content/vault/v1.20.x/content/partials/rotationfields.mdx index 8c7487b9d4..7c58d1f8ff 100644 --- a/content/vault/v1.20.x/content/partials/rotationfields.mdx +++ b/content/vault/v1.20.x/content/partials/rotationfields.mdx @@ -8,8 +8,8 @@ defining the schedule on which Vault should rotate the root token. Standard cron-style time format uses five fields to define the minute, hour, day of month, month, and day of week respectively. For example, `0 0 * * SAT` tells - Vault to rotate the root token every Saturday at 00:00. **You must set one of - `rotation_schedule` or `rotation_period`, but cannot set both**. + Vault to rotate the root token every Saturday at 00:00. Vault interprets the schedule in UTC. + **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**. - `rotation_window` `(string/integer: 0)` – The maximum amount of time, in seconds, allowed to complete a rotation when a scheduled token rotation occurs. If Vault cannot rotate the From 309ac3dc0c9ffa3984cd59d8d7ea8c112fafc3a2 Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Wed, 15 Oct 2025 11:54:10 -0400 Subject: [PATCH 8/9] add 1.19 --- .../important-changes/summary-tables/1_19.mdx | 1 + .../content/docs/updates/important-changes.mdx | 11 +++++++++++ .../vault/v1.19.x/content/partials/rotationfields.mdx | 3 ++- .../vault/v1.20.x/content/partials/rotationfields.mdx | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/content/vault/global/partials/important-changes/summary-tables/1_19.mdx b/content/vault/global/partials/important-changes/summary-tables/1_19.mdx index 856c198f9e..8e37b51666 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_19.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_19.mdx @@ -23,6 +23,7 @@ Introduced | Recommendations | Edition | Change 1.19.0 | No | All | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519) 1.19.1 | **Yes** | All | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure) 1.19.9 | No | All | [JSON Payload Limits](/vault/docs/v1.19.x/updates/important-changes#json-limits) +1.19.11 | **Yes** | Enterprise | [Rotation manager schedule strings in UTC](/vault/docs/v1.19.x/updates/important-changes#rotation-manager-utc) ### Known issues diff --git a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx index 7302051834..a337a078c5 100644 --- a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx @@ -160,6 +160,17 @@ If you use `file` audit devices, you need to: 1. Use non-executable file modes (e.g., 0644, 0666) for log files. +### Rotation manager schedule strings in UTC ((#rotation-manager-utc)) + +| Change | Affected version | Vault edition +| ------------ | ---------------- | ------------- +| New behavior | 1.19.11+ | Enterprise + +Vault interprets `rotation_schedule` strings relative to UTC to match the +behavior of static role rotations in the database plugin. Old rotations use +their existing schedule until you manually update rotation with an API call. + + ## Breaking changes @include '../../../global/partials/important-changes/breaking-changes/cve-2025-6000.mdx' diff --git a/content/vault/v1.19.x/content/partials/rotationfields.mdx b/content/vault/v1.19.x/content/partials/rotationfields.mdx index 8c7487b9d4..47e6f8e64e 100644 --- a/content/vault/v1.19.x/content/partials/rotationfields.mdx +++ b/content/vault/v1.19.x/content/partials/rotationfields.mdx @@ -8,7 +8,8 @@ defining the schedule on which Vault should rotate the root token. Standard cron-style time format uses five fields to define the minute, hour, day of month, month, and day of week respectively. For example, `0 0 * * SAT` tells - Vault to rotate the root token every Saturday at 00:00. **You must set one of + Vault to rotate the root token every Saturday at 00:00. In 1.19.11 or later, + Vault interprets the schedule in UTC. **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**. - `rotation_window` `(string/integer: 0)` – The maximum amount of time, in seconds, allowed to complete diff --git a/content/vault/v1.20.x/content/partials/rotationfields.mdx b/content/vault/v1.20.x/content/partials/rotationfields.mdx index 7c58d1f8ff..2e1659951d 100644 --- a/content/vault/v1.20.x/content/partials/rotationfields.mdx +++ b/content/vault/v1.20.x/content/partials/rotationfields.mdx @@ -8,7 +8,7 @@ defining the schedule on which Vault should rotate the root token. Standard cron-style time format uses five fields to define the minute, hour, day of month, month, and day of week respectively. For example, `0 0 * * SAT` tells - Vault to rotate the root token every Saturday at 00:00. Vault interprets the schedule in UTC. + Vault to rotate the root token every Saturday at 00:00. In 1.20.5 or later, Vault interprets the schedule in UTC. **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**. - `rotation_window` `(string/integer: 0)` – The maximum amount of time, in seconds, allowed to complete From a9cb7a6bf852ec68f8d0180b8b58c638c1d1f471 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Tue, 21 Oct 2025 14:49:51 -0400 Subject: [PATCH 9/9] Update content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../v1.21.x (rc)/content/docs/updates/important-changes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index 705b5e9d3f..39df6a8dcd 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -56,7 +56,7 @@ more information. | Change | Affected version | Vault edition | ------------ | ---------------- | ------------- -| New behavior | 1.21.x | Enterprise +| New behavior | 1.21.0+ | Enterprise Vault interprets `rotation_schedule` strings relative to UTC to match the behavior of static role rotations in the database plugin. Old rotations use