From 5386afd19a1c8347cb42d07720aa0abcfe5913ec Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Thu, 30 Oct 2025 15:35:18 -0700 Subject: [PATCH 1/2] Clarify that 1.21 did not make audience required --- content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx | 6 +++++- .../v1.20.x/content/docs/updates/important-changes.mdx | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx b/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx index 4337123e69..4ac5c7e7d5 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx @@ -146,7 +146,11 @@ entities attempting to login. [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported. To use label selectors, **Vault must have permission to read namespaces** on the Kubernetes cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed. -- `audience` `(string: "")` - Audience claim to verify in the JWT. +- `audience` `(string: "")` - Audience claim to verify in the JWT. If you leave + `audience` unset, Vault logs a warning about setting an explicit audience + configuration to encourage better security practices. Note: the log entry for + early versions of Vault 1.20.x falsely indicate that `audience` is required in + Vault 1.21.x. You can safely ignore that portion of the warning. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid` and `serviceaccount_name`. diff --git a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx index 97d0ccbdaf..2bcddec032 100644 
--- a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx @@ -204,6 +204,13 @@ to the official [Snowflake documentation](https://docs.snowflake.com/en/user-gui Vault logs a warning when you create or update a Kubernetes auth role without an audience. + + We have no plans to require audience definition in future Vault versions. + Log messages in earlier versions of 1.20.x incorrectly mention that Vault + 1.21.x requires audience configuration. You can safely ignore that portion of + the log message. + + #### Recommendation There are cases where configuring audience details can interfere with your From 644ed0fcfebcc3279cc7d2c75e45c97ce045fea2 Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Thu, 30 Oct 2025 15:37:45 -0700 Subject: [PATCH 2/2] tweak sentence --- content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx b/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx index 4ac5c7e7d5..1d5f6b0760 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx 
@@ -149,8 +149,9 @@ entities attempting to login. - `audience` `(string: "")` - Audience claim to verify in the JWT. If you leave `audience` unset, Vault logs a warning about setting an explicit audience configuration to encourage better security practices. Note: the log entry for - early versions of Vault 1.20.x falsely indicate that `audience` is required in - Vault 1.21.x. You can safely ignore that portion of the warning. + early versions of Vault 1.20.x falsely indicates that `audience` becomes a + required field in Vault 1.21.x. You can safely ignore that portion of the + warning. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid` and `serviceaccount_name`.
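Review bot: the new `audience` text in the kubernetes.mdx hunk of PATCH 1/2 says the warning exists "to encourage better security practices" but never states the risk, so a reader cannot weigh it against the "cases where configuring audience details can interfere" that the important-changes.mdx page goes on to describe. Suggest one sentence on what an unset `audience` means in practice: Vault then does not check the token's `aud` claim at all, so a service account token issued for some other consumer is also accepted by Vault. A concrete recommendation would read better than the current vague phrasing, e.g. "Set `audience` to a value that only Vault expects, so that tokens minted for other services cannot be used to log in to Vault."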
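Review bot: in the important-changes.mdx hunk, "We have no plans to require audience definition in future Vault versions" is a forward-looking commitment on a 1.20.x release-notes page; suggest stating only what is true today ("Vault 1.21.x does not make `audience` a required field") so the page does not become wrong if a later release changes the default. The hunk also adds empty `+` lines both above and below the new paragraph, which leaves two consecutive blank lines before `#### Recommendation`; one is enough. Finally, "earlier versions of 1.20.x" should name the first patch release whose log message was corrected, if it is known, so operators can tell whether the warning they are looking at is the stale one.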
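Review bot: the PATCH 2/2 rewrite fixes the subject-verb agreement ("falsely indicates") but still leaves "early versions of Vault 1.20.x" unqualified; either name the first 1.20.x patch release whose warning no longer says `audience` becomes required, or say "Vault 1.20.x releases before the log message was corrected" so the reader knows the cutoff is a patch release, not a minor version. Consider also dropping the leading "Note:" since the sentence already sits inside the parameter description and renders as plain text in MDX.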