A new platform for documentation and tutorials is launching soon.
We are migrating Vault documentation into HashiCorp Developer, our new developer experience.
This page contains the list of deprecations and important or breaking changes for Vault 0.9.1 compared to 0.9.0. Please read it carefully.
»AppRole Case Sensitivity
In prior versions of Vault,
list operations against AppRole roles would
require preserving case in the role name, even though most other operations
within AppRole are case-insensitive with respect to the role name. This has
been fixed; existing roles will behave as they have in the past, but new roles
will act case-insensitively in these cases.
»Token Auth Backend Roles Parameter Types
disallowed_policies in role definitions in the
token auth backend, input can now be a comma-separated string or an array of
strings. Reading a role will now return arrays for these parameters.
»Transit Key Exporting
You can now mark a key in the
transit backend as
exportable at any time,
rather than just at creation time; however, once this value is set, it still
cannot be unset.
»PKI Secret Backend Roles Parameter Types
key_usage in role definitions in the PKI secret
backend, input can now be a comma-separated string or an array of strings.
Reading a role will now return arrays for these parameters.
»SSH Dynamic Keys Method Defaults to 2048-bit Keys
When using the dynamic key method in the SSH backend, the default is now to use 2048-bit keys if no specific key bit size is specified.
»Consul Secret Backend Lease Handling
consul secret backend can now accept both strings and integer numbers of
seconds for its lease value. The value returned on a role read will be an
integer number of seconds instead of a human-friendly string.
»Unprintable Characters Not Allowed in API Paths
Unprintable characters are no longer allowed in names in the API (paths and path parameters), with an extra restriction on whitespace characters. Allowed characters are those that are considered printable by Unicode plus spaces.