Overview

This page contains the list of deprecations and important or breaking changes for Vault 1.4.1 compared to 1.4.0. Please read it carefully.

AWS Auth Metadata

The metadata handling for AWS Auth logins has changed:

The default set of metadata fields has been changed to account_id and auth_type. If your application relies on fields that were removed, they may be added back via the AWS Auth identity configuration endpoint (see example below).

Known Issues

The AWS metadata changes have caused an issue preventing renewal of tokens issued via AWS Auth. This has been fixed in Vault 1.4.2. The issue may be addressed in Vault 1.4.1 by configuring the required metadata explicitly:

vault write auth/aws/config/identity \
  ec2_metadata=account_id,auth_type,instance_id,region \
  iam_metadata=account_id,auth_type,client_user_id,canonical_arn,inferred_entity_id,inferred_aws_region
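A small pre-upgrade check for the issue above, written as an added example (not HashiCorp's code). It takes the JSON output of `vault read -format=json auth/aws/config/identity`, compares the configured `ec2_metadata` and `iam_metadata` against the field lists from the command in this guide, and prints a `vault write` that adds the missing fields while keeping any fields you already configured. The mount path `auth/aws` and the assumption that the response's `data` carries `ec2_metadata` and `iam_metadata` as lists of strings are assumptions to verify against your own Vault; the sample response is constructed.

```python
"""Check an AWS auth mount's identity metadata against the fields needed for
token renewal on Vault 1.4.1 and build the `vault write` that fixes it.

Added example, not HashiCorp's code. Assumed: the input is the output of
`vault read -format=json auth/aws/config/identity`, whose `data` object holds
`ec2_metadata` and `iam_metadata` as lists of strings (check this against your
Vault version). With no argument the constructed sample below is checked; pass a
file path holding real `vault read` output to check a live mount."""
import json
import shlex
import sys

MOUNT = "auth/aws"  # assumed mount path; change if the AWS auth method is mounted elsewhere

# Field lists taken from the upgrade guide's workaround command.
REQUIRED = {
    "ec2_metadata": ["account_id", "auth_type", "instance_id", "region"],
    "iam_metadata": ["account_id", "auth_type", "client_user_id", "canonical_arn",
                     "inferred_entity_id", "inferred_aws_region"],
}

# Constructed sample: a 1.4.1 mount still on the new defaults (account_id, auth_type).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "ec2_metadata": ["account_id", "auth_type"],
        "iam_metadata": ["account_id", "auth_type"],
    },
})


def _current_fields(data: dict, param: str) -> list:
    """Normalise one metadata parameter to a list of field names.
    Tolerates a missing key, the literal "default", or a comma-joined string."""
    value = data.get(param) or []
    if isinstance(value, str):
        value = [] if value == "default" else value.split(",")
    return list(value)


def missing_metadata(response_json: str) -> dict:
    """Return {param: [fields missing]} for each parameter lacking a required field."""
    data = json.loads(response_json).get("data", {})
    result = {}
    for param, wanted in REQUIRED.items():
        current = _current_fields(data, param)
        gap = [f for f in wanted if f not in current]
        if gap:
            result[param] = gap
    return result


def fix_command(response_json: str, mount: str = MOUNT) -> str:
    """Build the remediation command, or return "" when nothing is missing.
    Both parameters are always written, each as current fields plus the missing
    ones, so a customised list is extended rather than replaced."""
    if not missing_metadata(response_json):
        return ""
    data = json.loads(response_json).get("data", {})
    parts = [f"vault write {mount}/config/identity"]
    for param, wanted in REQUIRED.items():
        current = _current_fields(data, param)
        merged = current + [f for f in wanted if f not in current]
        parts.append(f"{param}={shlex.quote(','.join(merged))}")
    return " \\\n  ".join(parts)


if __name__ == "__main__":
    # Read real `vault read -format=json` output from a file, or fall back to the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    gaps = missing_metadata(raw)
    if not gaps:
        print("identity metadata already covers the fields from the 1.4.1 guide")
    else:
        for param, fields in gaps.items():
            print(f"{param} is missing: {', '.join(fields)}")
        print("\nsuggested remediation:\n" + fix_command(raw))
```

Run it against the live output before applying anything; on the constructed sample it reproduces the guide's command exactly, and on a mount where the workaround has already been applied it reports nothing to do.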

LDAP auth engine and upndomain

Users of the LDAP auth engine with the upndomain configuration setting populated should hold off on upgrading to 1.4.x for now. We are investigating a regression introduced by #8333. There is no GitHub issue for this bug yet.