hashicorp · kpcraig · Oct 21, 2025 · Oct 8, 2025 · Oct 8, 2025 · Oct 13, 2025
@@ -23,6 +23,7 @@ Introduced | Recommendations | Edition    | Change
 1.19.0     | No              | All        | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519)
 1.19.1     | **Yes**         | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure)
 1.19.9     | No              | All        | [JSON Payload Limits](/vault/docs/v1.19.x/updates/important-changes#json-limits)
+1.19.11    | **Yes**         | Enterprise | [Rotation manager schedule strings in UTC](/vault/docs/v1.19.x/updates/important-changes#rotation-manager-utc)
 
 
 ### Known issues

@@ -16,7 +16,7 @@ Introduced | Recommendations | Edition    | Change
 1.20.0     | **Yes**         | All        | [Key pair authentication for Snowflake DB secrets engine](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-auth)
 1.20.0     | **Yes**         | All        | [Audience warning for Kubernetes authentication roles](#k8-audience-warning)
 1.20.3     | No              | All        | [JSON Payload Limits](/vault/docs/v1.20.x/updates/important-changes#json-limits)
-
+1.20.5     | **Yes**         | All        | [Rotation manager schedule strings in UTC](/vault/docs/v1.20.x/updates/important-changes#rotation-manager-utc)
 
 
 ### Known issues

@@ -7,7 +7,10 @@ Introduced | Recommendations | Edition    | Change
 
 ### New behavior
 
-None.
+Introduced | Recommendations | Edition    | Change
+---------- | --------------- | ---------- | ------
+1.21.0     | **Yes**         | Enterprise | [Rotation manager schedule strings in UTC](/vault/docs/v1.21.x/updates/important-changes#rotation-manager-utc)
+
 
 ### Known issues
 

@@ -160,6 +160,17 @@ If you use `file` audit devices, you need to:
 1. Use non-executable file modes (e.g., 0644, 0666) for log files.
 
 
+### Rotation manager schedule strings in UTC ((#rotation-manager-utc))
+
+| Change       | Affected version | Vault edition
+| ------------ | ---------------- | -------------
+| New behavior | 1.19.11+         | Enterprise
+
+Vault interprets `rotation_schedule` strings relative to UTC to match the
+behavior of static role rotations in the database plugin. Old rotations use
+their existing schedule until you manually update rotation with an API call.
+
+
 ## Breaking changes
 
 @include '../../../global/partials/important-changes/breaking-changes/cve-2025-6000.mdx'

@@ -8,7 +8,8 @@
   defining the schedule on which Vault should rotate the root token. Standard
   cron-style time format uses five fields to define the minute, hour, day of
   month, month, and day of week respectively. For example, `0 0 * * SAT` tells
-  Vault to rotate the root token every Saturday at 00:00. **You must set one of
+  Vault to rotate the root token every Saturday at 00:00. In 1.19.11 or later,
+  Vault interprets the schedule in UTC. **You must set one of
   `rotation_schedule` or `rotation_period`, but cannot set both**.
 - `rotation_window` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
   The maximum amount of time, in seconds, allowed to complete

@@ -231,6 +231,17 @@ You would then authenticate with the command below.
 $ vault write auth/kubernetes/login role=demo audience="my_audience" jwt=...
 ```
 
+
+### Rotation manager schedue strings in UTC ((#rotation-manager-utc))
+
+| Change       | Affected version | Vault edition
+| ------------ | ---------------- | -------------
+| New behavior | 1.20.5+          | Enterprise
+
+Vault interprets `rotation_schedule` strings relative to UTC to match the
+behavior of static role rotations in the database plugin. Old rotations use
+their existing schedule until you manually update rotation with an API call.
+
 ---
 
 

@@ -8,8 +8,8 @@
   defining the schedule on which Vault should rotate the root token. Standard
   cron-style time format uses five fields to define the minute, hour, day of
   month, month, and day of week respectively. For example, `0 0 * * SAT` tells
-  Vault to rotate the root token every Saturday at 00:00. **You must set one of
-  `rotation_schedule` or `rotation_period`, but cannot set both**.
+  Vault to rotate the root token every Saturday at 00:00. In 1.20.5 or later, Vault interprets the schedule in UTC.
+  **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**.
 - `rotation_window` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
   The maximum amount of time, in seconds, allowed to complete
   a rotation when a scheduled token rotation occurs. If Vault cannot rotate the

@@ -52,8 +52,15 @@ more information.
 
 ## New behavior
 
-None.
+### Rotation manager schedule strings in UTC ((#rotation-manager-utc))
 
+| Change       | Affected version | Vault edition
+| ------------ | ---------------- | -------------
+| New behavior | 1.21.0+             | Enterprise
+
+Vault interprets `rotation_schedule` strings relative to UTC to match the
+behavior of static role rotations in the database plugin. Old rotations use
+their existing schedule until you manually update rotation with an API call.
 
 ## Known issues
 

@@ -8,8 +8,8 @@
   defining the schedule on which Vault should rotate the root token. Standard
   cron-style time format uses five fields to define the minute, hour, day of
   month, month, and day of week respectively. For example, `0 0 * * SAT` tells
-  Vault to rotate the root token every Saturday at 00:00. **You must set one of
-  `rotation_schedule` or `rotation_period`, but cannot set both**.
+  Vault to rotate the root token every Saturday at 00:00. Vault interprets the schedule in UTC.
+  **You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**.
 - `rotation_window` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
   The maximum amount of time, in seconds, allowed to complete
   a rotation when a scheduled token rotation occurs. If Vault cannot rotate the