Identities for all: Vault 1.9 takes steps towards becoming an OIDC provider

HashiCorp has pushed out version 1.9 of its secrets management tool Vault. The release predominantly delivers client count and Advanced Data Protection (ADP) module improvements, but it also includes two technical previews, one of which turns Vault into an OpenID Connect (OIDC) provider.

The functionality needed for the latter is built on top of the identity secrets engine and lets applications use Vault identities for authentication and authorisation. In its current form, the OIDC provider preview implements only the authorisation code flow; more functionality is likely to follow as HashiCorp finalises the OIDC provider system and the accompanying HTTP API.
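The relying-party side of that authorisation code flow, as an added illustration that is not code from Vault or HashiCorp: the application generates a per-login state (CSRF protection) and nonce (replay protection), sends the user to the provider's authorize endpoint with response_type=code, and, after exchanging the returned code for an ID token and verifying its signature against the provider's JWKS, checks the issuer, audience, expiry and nonce claims before trusting the identity. Endpoint URLs, client IDs and the sample token below are constructed assumptions; a real deployment takes the endpoints from the provider's discovery document, and signature verification (omitted here) must happen before the claim checks run.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode


class RelyingParty:
    """Client-side state for one OIDC authorisation code login.

    issuer / authorize_endpoint are assumed placeholders; read them from the
    provider's /.well-known/openid-configuration in practice.
    """

    def __init__(self, issuer, client_id, redirect_uri, authorize_endpoint):
        self.issuer = issuer
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        # Fresh per login; both must live in the server-side session until the
        # callback arrives, never in a cookie the browser can forge.
        self.state = secrets.token_urlsafe(32)
        self.nonce = secrets.token_urlsafe(32)

    def authorize_url(self, scope="openid"):
        # response_type=code selects the authorisation code flow.
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": self.state,
            "nonce": self.nonce,
        }
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def check_callback(self, returned_state):
        # Constant-time compare; a mismatch means a forged or replayed callback.
        if not isinstance(returned_state, str):
            return False
        return secrets.compare_digest(returned_state, self.state)

    def validate_id_token_claims(self, id_token, now=None):
        """Claim checks that run AFTER the JWT signature has been verified
        against the provider's JWKS (not done here). Returns the claims on
        success and raises ValueError on any failed check."""
        now = int(time.time()) if now is None else now
        claims = jwt_payload(id_token)
        if claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.client_id not in aud:
            raise ValueError("token not issued for this client")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise ValueError("token missing exp or expired")
        if claims.get("nonce") != self.nonce:
            raise ValueError("nonce mismatch (possible replay)")
        return claims


def b64url_decode(s):
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_payload(token):
    # Compact JWS form is header.payload.signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[1]))


def make_sample_id_token(claims):
    """Constructs a token-shaped string for offline demonstration only. The
    signature segment is a placeholder; real tokens are signed by the provider
    and must be verified before jwt_payload()'s output is trusted."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.placeholder-signature"


def claims_rejected(rp, token, now):
    """True if the relying party refuses the token's claims."""
    try:
        rp.validate_id_token_claims(token, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rp = RelyingParty("https://idp.example/issuer", "billing-app",
                      "https://billing.example/callback",
                      "https://idp.example/issuer/authorize")
    print(rp.authorize_url())
    tok = make_sample_id_token({"iss": rp.issuer, "aud": "billing-app",
                                "exp": 2_000_000_000, "nonce": rp.nonce,
                                "sub": "entity-1234"})
    print(rp.validate_id_token_claims(tok)["sub"])
```

The nonce check is what stops an attacker from injecting an ID token captured in another session, and the audience check is what stops a token minted for a different client of the same provider from being accepted here; both are easy to forget when a library only verifies the signature.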

The second technical preview fits Vault with a patch operation for its KV secrets engine, which lets clients perform partial updates on KV v2 secrets without first reading back and rewriting the secret's full contents. There is now also a metadata endpoint through which teams can set version-agnostic custom key metadata for KV v2 secrets, which is then visible in the UI.
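What a partial update means in practice, as an added example rather than Vault's own code: the KV v2 patch endpoint takes a JSON merge patch (RFC 7396, sent with Content-Type application/merge-patch+json), so a client sends only the keys it wants to change, a null value removes a key, and nested objects merge recursively. The function below reimplements those merge semantics stand-alone so the effect can be seen offline; the sample secret, the use of options.cas for check-and-set on the patch body, and the path are constructed assumptions.

```python
import copy

# Constructed sample of what a KV v2 secret's "data" looks like before the patch.
CURRENT_SECRET = {
    "username": "svc-billing",
    "password": "old-password",
    "host": "db.internal",
    "legacy_token": "to-be-removed",
    "tls": {"verify": True, "ca": "/etc/ssl/old-ca.pem"},
}


def merge_patch(target, patch):
    """RFC 7396 JSON merge patch.

    - a non-object patch replaces the target wholesale
    - a null member deletes that key from the target
    - an object member merges recursively into the existing object
    Returns a new value; the target is never mutated.
    """
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def build_patch_request(mount, path, patch, expected_version=None):
    """Headers and body a client would send for a KV v2 partial update.

    The merge-patch content type is what distinguishes a patch from a
    full write. Wrapping under "data" mirrors the KV v2 write body; the
    options.cas field is an assumption borrowed from the write API to show
    how a check-and-set would guard against clobbering a concurrent write.
    """
    body = {"data": patch}
    if expected_version is not None:
        body["options"] = {"cas": expected_version}
    headers = {"Content-Type": "application/merge-patch+json"}
    url = f"/v1/{mount}/data/{path}"  # assumed path layout, for illustration
    return url, headers, body


if __name__ == "__main__":
    # Rotate the password, drop a stale key and change one nested field,
    # without resending username/host.
    patch = {"password": "new-password", "legacy_token": None,
             "tls": {"ca": "/etc/ssl/new-ca.pem"}}
    print(merge_patch(CURRENT_SECRET, patch))
    print(build_patch_request("secret", "billing/db", patch, expected_version=4))
```

Because only the changed keys travel over the wire, a rotation job does not need to hold the whole secret in memory or have read back values it is not responsible for, and the check-and-set version keeps two such jobs from silently overwriting each other.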

To make tracking and attribution of clients easier, the client count feature has been reworked: it now de-duplicates non-entity tokens and creates entities for local authentication mounts, reducing their impact on the count. Client counts are displayed per namespace in the usage metrics UI (data for all namespaces can still be exported), and new clients appear in the count within ten minutes of the computation starting.

Other than that, Vault now runs on the IBM s390x CPU architecture, lets operators configure custom response headers for the HTTP root path and API endpoints, and can generate distinct usernames for database dynamic credentials to simplify handling.

Users of Vault Enterprise gain the ability to manage encryption keys for Transparent Data Encryption on Microsoft SQL Server, and additional I/O formatting options when working with the Format Preserving Encryption (FPE) feature of ADP Transform. They can also block API access to a specific namespace with the new command vault namespace lock and reopen it with vault namespace unlock, and manage keys on Google Cloud now that the KMS secrets engine for GCP has been declared production-ready.

Vault’s user interface received some changes as part of the update as well: it now displays additional PKI certificate metadata, such as the dates of issue and expiry, and supports configuring the database secrets engines for Oracle, Elasticsearch, and PostgreSQL.

Upgrading should be relatively straightforward. Teams that have integrated calls to the internal HTTP request count API, however, will have to find an alternative: that interface is no longer available from Vault 1.9 onwards. Those still using v2 of the etcd API with Vault should prepare to migrate to v3, as support has been deprecated and will be removed in the 1.10 release.

More information is available in the Vault documentation.