HashiCorp Vault 1.8 helps spot server setup issues

Vault 1.8

Version 1.8 of secret management tool HashiCorp Vault is now generally available. The update is the first to sport Vault Diagnose, which has been added to help users get to the core of Vault server downtimes or booting failures.

In those cases, running the command vault operator diagnose is said not only to provide a clear description of why Vault can’t serve requests, but also to inform ops personnel about unsafe configurations and statuses. The latter is especially important, since misconfigurations are behind a good chunk of the severity 1 and 2 support cases HashiCorp has to deal with — as Vault engineer Hridoy Roy pointed out in a recent office hour.

Starting with Vault 1.8, the tool is also able to issue credentials for pre-created GCP Service Accounts, since not all environments allow automated tools to obtain the necessary permissions. The integrated expiration manager has been slightly reworked, so that it now stops trying to revoke leases that can’t be revoked, cleans up older irrevocable leases, and offers reporting on them via CLI and API.

Another area of major improvement is the UI which, among other things, now validates more input, sports descriptions for authentication methods on the login page, obscures secret input values, and lets users know if unsealing has failed due to license issues.

Vault Enterprise users should note that the recommended mechanism for managing licenses is now License Autoloading via the license_path in the configuration file, or environment variables VAULT_LICENSE_PATH or VAULT_LICENSE. The old management options via binary or the PUT sys/license API work for old clusters but are deprecated with this release, which in turn means new clusters require autoloading to work.
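To make the autoloading change concrete, here is a minimal server configuration that picks up the license through license_path. This is an added example, not a snippet from the article or from HashiCorp’s documentation; the file paths, addresses and node ID are placeholders chosen for illustration.

```hcl
# Added example (not from the article): minimal Vault Enterprise server config
# that relies on license autoloading. All paths, hostnames and the node_id are
# assumed values and must be replaced for a real deployment.

ui = true

# License autoloading: Vault reads the license from this file at startup.
# The same effect can be had without touching the config file by exporting
# VAULT_LICENSE_PATH (path to the file) or VAULT_LICENSE (the license string)
# in the server's environment. The deprecated PUT sys/license API is not used.
license_path = "/etc/vault.d/vault.hclic"

# Integrated storage; raft requires api_addr and cluster_addr to be set.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

api_addr     = "https://vault-node-1.example.internal:8200"
cluster_addr = "https://vault-node-1.example.internal:8201"
```

Because the license file is now part of the server’s startup inputs, it belongs under the same restrictive file permissions as the TLS key; a missing or unreadable license file will surface as a startup or unseal failure, which is exactly the kind of problem the new diagnose command is meant to explain (for example, vault operator diagnose -config=/etc/vault.d/vault.hcl run against this file before starting the service).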

On the feature front, Vault Enterprise now allows having a separate Storage Autopilot configuration for disaster recovery secondary clusters, which can be managed independently. Additional Control Group functionality in v1.8 can be used to trigger Control Group approval on a subset, rather than on all operations on a path. Enterprise customers also get to use Vault to manage keys in AWS’s Key Management Service, and automate lifecycle operations like the creation and rotation of keys.

Earlier this month, HashiCorp CTO and co-founder Mitchell Hashimoto announced his transition into an individual contributor role. The change has apparently been planned for quite some years, and coincides with Hashimoto stepping down from the company board. In his new role, he plans to focus on engineering again — working on specific products or “exploring other ideas within HashiCorp”.