The Vault website is being redesigned to help you find what you are looking for more effectively.
»Feature Deprecation Notice and Plans
This announcement page is maintained and updated periodically to communicate important decisions made concerning End of Support(EoS) for Vault features as well as features we have removed or disabled from the product. We document the removal of features, enable the community with a plan and timeline for eventual deprecations, and supply alternative paths to explore and evaluate to minimize business disruptions. If you have questions or concerns about a deprecated feature, please create a topic on the community forum or raise a ticket with your support team. Please refer to the FAQ page for frequently asked questions concerning Vault feature deprecations.
Deprecation Announcement: This indicates the release version during which the announcement was made to deprecate a feature.
End of Support: This indicates when a deprecated feature becomes unsupported. Consult the table below and consider the timeline provided to upgrade. If you use Vault Enterprise and require help with a deprecated feature, the Vault Support Team will provide limited support. However, we will not provide software patches or bug fixes. Refer to the HashiCorp Support Policy to understand our product support timeline.
Feature Removal: This indicates that the feature is completely removed/disabled from the product.
Note: All specified targeted version announcements for End of Support and Feature Removal may be subject to change.
| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources |
|---|---|---|---|---|---|
| Etcd V2 API (OSS) | v1.9 | N/A | v1.10 | The Etcd v2 has been deprecated with the release of Etcd v3.5, and will be decomissioned by Etcd v3.6. Etcd v2 API has been removed in Vaut 1.10. Users of Etcd storage backend must migrate Vault storage to an Etcd V3 cluster prior to upgrading to Vault 1.10. All storage migrations should be backed up prior to migration. | Etcd Storage Backend |
| Licenses in storage (ENT) | v1.8 | v1.10 | v1.11 | Migrate to Autoloading by v1.11. | Vault License System Backend FAQ |
| Mount Filters (ENT) | v1.3 | v1.10 | v1.11 | Use the alternative feature: Path Filters. | API Deprecation Notice Filter Mount Replication Deprecation Notice |
| Legacy MFA (OSS) | v1.0 | N/A | v1.11 | Based on your use case, use the Policy-based Enterprise MFA or Login MFA supported in Vault OSS as of v1.10. | Multi-Factor Authentication |
| *Standalone DB Engines (OSS) | v0.8 | N/A | v1.13 | Use the alternative DB secrets engine feature. | DB secrets engine |
| *AppID (OSS) | v0.6 | N/A | v1.13 | Use the alternative feature: AppRole auth method. | AppID Auth Method Deprecation Notice |
| AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the AAD Graph API on June 30, 2022. Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | AAD (Azure Active Directory |
Optional api_token parameter in Okta Auth Method | v1.4 | 1.11 | v1.12 | The api_token parameter on the Okta Auth Method will change from being optional to being required. | API Documentation |
| SHA-1 certificate signing | v1.11 | v1.11 | v1.12 | Go version 1.18 removes support for SHA-1 by default. As Vault updates its Go version to 1.18, you should plan to move off SHA-1 for certficate signing. Operators can set a Go environmental variable to restore SHA-1 support if they need to continue using SHA-1. It is unknown at this time when Go will remove the environmental variable support (current projection is removal in Go 1.19). Therefore, we highly encourage you to migrate off of SHA-1 for certificate signing before Vault adopts Go 1.19. | FAQ |
| Consul secrets engine parameter changes | v1.11 | N/A | N/A | The policies parameter on the Consul secrets engine has been changed in favor of consul_policies. The token_type and policy parameters have been deprecated as the latest versions of Consul no longer support the older ACL system they were used for. | Consul secrets engine API documentation |
*If you use Standalone DB Engines or AppID (OSS), you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error. If you are still using these deprecated features and attempt to upgrade to 1.13 (the target feature removal timeframe), you will not be able to start up Vault without downgrading and migrating away from these features.
