HashiCorp Vault 0.8.3
We are pleased to announce the release of HashiCorp Vault 0.8.3. Vault provides security teams and infrastructure operators with secrets management solutions, encryption as a service, and privileged access enforcement. The highlight of the latest release is a Kubernetes authentication backend. For Vault Enterprise, we are also releasing an integration with Sentinel, HashiCorp's policy as code framework announced at HashiConf.
Features introduced in this release include:
- Kubernetes Auth Backend
- Sentinel policy as code integration
The release also includes additional enhancements to MFA and PKI, as well as bug fixes.
» Kubernetes Auth Backend
Vault 0.8.3 introduces native Kubernetes auth backend that allows Kubernetes pods to directly receive and use Vault auth tokens without additional integration components.
Prior to 0.8.3, a user accessing Vault via a pod required significant preparation work using an init pod or other custom interface. With the release of the Kubernetes auth backend, Vault now provides a production-ready interface for Kubernetes that allows a pod to authenticate with Vault via a JWT token from a pod’s service account.
View the documentation for more information on the Kubernetes auth backend.
For more information on the collaboration between Google and HashiCorp Vault, check out “Secret and infrastructure management made easy with HashiCorp and Google Cloud” and “Authenticating to Hashicorp Vault using GCE Signed Metadata” published by Google.
» Multi-factor Authentication Improvements
We have expanded MFA capabilities within Vault, with identity metadata now available in the username format. Additionally, Okta MFA providers may now configure custom base_url
variables for API calls.
» PKI Improvements
We have also expanded Vault PKI capabilities; Sign Intermediate will now allow specifying a TTL value longer than the signing CA certificate's NotAfter
value, allowing for flexible policy management for Vault-distributed certificates.
» Sentinel Policy Integration (Beta Functionality)
Note: This is a Vault Enterprise Premium feature.
We recently announced a new policy as code framework, Sentinel, to enable fine-grained, logic-based policy decisions that can be extended to source external information. This is an important part of creating and enforcing security constraints for infrastructure automation across a company. This release integrates Sentinel policies with Vault’s secret infrastructure in order to provide more control and depth to Vault's security model and policy system, while enforcing security and best practices requirements.
Sentinel policies are enforced in two key areas:
-
Role-Governing Policies: Role-governing policies enforce Sentinel directives on all tokens created by Vault.
-
Endpoint-Governing Policies (EGPs): Endpoint Governing Policies (or EGPs) enforce Sentinel policies on specific endpoints and secret paths. This is designed to allow Sentinel to enforce secret-specific or workflow-specific (as in the case of Secret backends) policies on a specific set or type of secrets within Vault. They have access to as much request information as possible and can take effect even on unauthenticated paths, such as login paths.
For more information on Sentinel, see the Sentinel documentation.
For a full list of changes, check out the Vault 0.8.3 changelog.
» Upgrade Notes
As always, please test in an isolated environment before upgrading and follow Vault's Upgrade Guide.
For more information on changes, see the full Vault 0.8.3 changelog.
Thank you again to the Vault community for their ideas, bug reports, and pull requests!
To download the latest release go to vaultproject.io/downloads.html. For those interested in learning more about HashiCorp Vault Enterprise, visit hashicorp.com/products/vault/.
Sign up for the latest HashiCorp news
More blog posts like this one
Fix the developers vs. security conflict by shifting further left
Resolve the friction between dev and security teams with platform-led workflows that make cloud security seamless and scalable.
HashiCorp at AWS re:Invent: Your blueprint to cloud success
If you’re attending AWS re:Invent in Las Vegas, Dec. 2 - Dec. 6th, visit us for breakout sessions, expert talks, and product demos to learn how to take a unified approach to Infrastructure and Security Lifecycle Management.
HCP Vault Secrets adds enterprise capabilities for auto-rotation, dynamic secrets, and more
HCP Vault Secrets focuses on making a fast and easy path for secure development with key new features including auto-rotation (GA), dynamic secrets (beta), a new secret sync destination, and more.