Vault 1.1: Secret Caching with Vault Agent and Other New Features

In Vault 1.0, users saw the open source launch of auto-unseal and the introduction of batch tokens, along with improved performance. Being a landmark "1.0" release also meant feature completeness, ecosystem integration, security hardening, and enterprise-readiness.

Vault 1.1 begins a new core mission to build a foundation of new infrastructure for delivering various advanced platform features. In 1.1, advanced features for improved workflows and scaling were introduced. Three of the primary features include:

• Secret Caching with Vault Agent: Securely cache secrets for easy access to applications and edge services.
• OIDC Auth Flow: Enable new authentication methods such as authenticating to Vault via OpenID Connect.
• Transit Auto-Unseal: Auto-Unseal a Vault cluster from a separate Vault cluster via transit encryption.

In this webinar, Vault Core Developer Nick Cabatoff provides introductions to all of these features along with three demos to showcase each one.

Outline

0:00 — Overview of Vault 1.1 New Features

3:13 — OIDC-based Authentication

6:08 — Demo: AuthO OIDC

See additional tutorial on HashiCorp Learn: OIDC with Auth0

15:29 — Vault Agent Caching

21:23 — Demo: Agent Cache

See additional tutorial on HashiCorp Learn: Vault agent caching

26:34 — Transit Auto-Unseal Provider

29:47 — Demo: Transit Auto-Unseal

See additional tutorial on HashiCorp Learn: Transit Auto-unseal

32:56 — Q&A

All of the demos for this webinar can be found in this GitHub repo

Q&A

• Will the OIDC feature support conditional access? e.g. different rights based on how someone/something authenticated?
• Is the id token is signed?
• Why do we need the sink file when we enable Vault Agent cache? Can vault_token be handled in memory by the Agent instead of the sink file?
• Are there any plans to bring caching to the K/V store?
• Can we enable transit auto-unseal without having to re-issue the current shards?

Slides