Update docker.io/hashicorp/vault Docker tag to v1.21.0


No problems upgrading the HashiCorp Vault Docker container with a Docker Compose YAML file within Portainer, using Portainer's DevOps (GitOps) feature, with the dependency update facilitated by Mend's Renovate Bot.
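For reference, a minimal Docker Compose definition of the kind Renovate updates by rewriting the image tag (added example, not the compose file from the post; the config directory, volume name and port mapping are assumptions, and the Vault server config in ./config is not shown):

```yaml
# Constructed example: Vault pinned to an explicit image tag so that Renovate's
# docker-compose manager can detect the version and propose a tag bump MR.
services:
  vault:
    image: docker.io/hashicorp/vault:1.21.0
    container_name: vault
    restart: unless-stopped
    cap_add:
      - IPC_LOCK          # lets Vault mlock its memory so secrets are not swapped to disk
    ports:
      - "8200:8200"
    environment:
      VAULT_ADDR: "http://127.0.0.1:8200"
    volumes:
      - ./config:/vault/config:ro   # assumed: contains the HCL server configuration
      - vault-data:/vault/file      # assumed: persistent storage for the file backend
    command: server                 # run in server mode, reading /vault/config

volumes:
  vault-data:
```

Pinning a concrete tag (rather than latest) is what makes the Renovate change set reviewable: the MR diff shows exactly which release is being rolled out, and the release notes below can be checked against it before merging.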

This MR contains the following updates:

Package                   | Update | Change
docker.io/hashicorp/vault | minor  | 1.20.4 -> 1.21.0

Release Notes

hashicorp/vault (docker.io/hashicorp/vault)

v1.21.0

October 22, 2025

SECURITY:

  • auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
  • auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
  • core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-wjrx-6529-hcj3.
  • core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27.
  • ui: disable scarf analytics for ui builds

CHANGES:

  • Secrets Recovery (enterprise): Deprecate the recover_snapshot_id query parameter to pass the snapshot ID for recover operations, in favor of an X-Vault-Recover-Snapshot-Id header. Vault will still accept the query parameter for backward compatibility. Also support setting the HTTP method to RECOVER for recover operations, in addition to POST and PUT.
  • activity: Renamed timestamp in export API response to token_creation_time.
  • auth/alicloud: Update plugin to v0.22.0
  • auth/azure: Update plugin to v0.22.0
  • auth/cf: Update plugin to v0.22.0
  • auth/gcp: Update plugin to v0.22.0
  • auth/jwt: Update plugin to v0.25.0
  • auth/kerberos: Update plugin to v0.16.0
  • auth/kubernetes: Update plugin to v0.23.0
  • auth/oci: Update plugin to v0.20.0
  • auth/saml: Update plugin to v0.7.0
  • core: Updates post-install script to print updated license information
  • database/couchbase: Update plugin to v0.15.0
  • database/elasticsearch: Update plugin to v0.19.0
  • database/mongodbatlas: Update plugin to v0.16.0
  • database/redis-elasticache: Update plugin to v0.8.0
  • database/redis: Update plugin to v0.7.0
  • database/snowflake: Update plugin to v0.15.0
  • http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
  • http: Evaluate rate limit quotas before checking JSON limits during request handling.
  • policies: change list comparison to allowed_parameters and denied_parameters from "exact match" to "contains all"
  • sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.2, which also bumps github.com/docker/docker to v28.3.3+incompatible
  • secrets/alicloud: Update plugin to v0.21.0
  • secrets/azure: Update azure enterprise secrets plugin to include static roles.
  • secrets/azure: Update plugin to v0.23.0
  • secrets/gcp: Update plugin to v0.23.0
  • secrets/kubernetes: Update plugin to v0.12.0
  • secrets/kv: Update plugin to v0.25.0
  • secrets/mongodbatlas: Update plugin to v0.16.0
  • secrets/openldap: Update plugin to v0.17.0
  • secrets/terraform: Update plugin to v0.13.0
  • ui/client-counts: removes tabs for each client count type and adds split view for counts per type in overview stacked bar chart
  • ui: Add client count attribution for the full billing period to the client counts overview table
  • ui: Remove namespace context filter for activity in client count dashboard

FEATURES:

  • AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine.
  • KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API.
  • Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
  • Plugin Downloads: Support automatically downloading official HashiCorp secret and auth plugins from releases.hashicorp.com (beta)
  • Post-Quantum Cryptography Support: Experimental support for PQC signatures with ML-DSA in Transit.
  • Post-Quantum Cryptography Support: Experimental support for PQC signatures with SLH-DSA in Transit.
  • SPIFFE Authentication Plugin (enterprise): Add support to authenticate to Vault using JWT and x509 based SPIFFE IDs.
  • SSH Key Signing Improvements (Enterprise): Add support for using managed keys to sign SSH keys in the SSH secrets engine.
  • Secret Recovery from Snapshot (enterprise): Adds a framework to load an integrated storage snapshot into Vault and read, list, and recover KV v1 and cubbyhole secrets from the snapshot.
  • UI Client List Explorer (Enterprise): Adds ability to view and filter client IDs and metadata by namespace, mount path, or mount type for a billing period.
  • UI Secrets Recovery (Enterprise): Allows end users to recover single KV v1 secrets, Cubbyhole secrets, or Database static roles from a loaded snapshot if the secrets were changed or deleted in error. Automatic snapshot configurations can now automatically load the snapshot to Vault itself, making it available for recovery. Snapshot management permissions are separated from recovery permissions so that recovery operations can be delegated but controlled.
  • UI: Secret Engine Tune Support: Add support for updating secret engine mount configuration via the Tune endpoint
  • Vault PKI SCEP Server (Enterprise): Support for the Simple Certificate Enrollment Protocol (SCEP) has been added to the Vault PKI Plugin. This allows standard SCEP clients to request certificates from a Vault server with no knowledge of Vault APIs.

IMPROVEMENTS:

  • ui/activity: Updates running total stats to be displayed via a donut chart.
  • Plugin Downloads (enterprise): add CLI -download option for plugin register (beta)
  • Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions.
  • Secrets Recovery (enterprise): Support recovering items from a snapshot to a new path in the live cluster. By calling the vault recover command with a -from flag, users can specify the path of the item in the snapshot.
  • Secrets Sync (enterprise): add enterprise_url field to enable support for self-hosted GitHub Enterprise Server instances.
  • activity (enterprise): Add a cumulative namespace client count API at sys/internal/counters/activity/cumulative. For each namespace in the response it returns the sum of its own client counts and that of all its child namespaces.
  • activity: The activity export API response now includes a new timestamp that denotes the first time the client was used within the specified query period.
  • api (sys/utilization-report): Added namespace filter and more granularity for secret sync data in the response.
  • api: Add new logical client request interfaces for read, write, delete, list operations.
  • audit: Add additional verifications to the target of file audit sinks.
  • auth/approle (enterprise): Add ability to specify custom alias metadata via new role creation parameter alias_metadata.
  • auth/aws (enterprise): Add ability to specify custom alias metadata via new role creation parameter alias_metadata.
  • auth/cert (enterprise): Add ability to specify custom alias metadata via new CA certificate role creation parameter alias_metadata.
  • auth/cert: Add allowed_organizations support
  • auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer.
  • auth/cert: test non-CA cert equality on login matching instead of individual fields.
  • auth/github (enterprise): Add ability to specify custom alias metadata via new configuration parameter alias_metadata.
  • auth/ldap (enterprise): Add ability to specify custom alias metadata via new role configuration parameter alias_metadata.
  • auth/ldap: Introduces an option to connect to an alternative LDAP URL for root credential rotation, in cases where it differs from the configured LDAP URL.
  • auth/ldap: add explicit logging to rotations in ldap
  • auth/okta (enterprise): Add ability to specify custom alias metadata via new role configuration parameter alias_metadata.
  • auth/radius (enterprise): Add ability to specify custom alias metadata via new role configuration parameter alias_metadata.
  • auth/scep (enterprise): Add ability to specify custom alias metadata via new role creation parameter alias_metadata.
  • auth/userpass (enterprise): Add ability to specify custom alias metadata via new user creation parameter alias_metadata.
  • cli (enterprise): Add a -force flag to vault operator raft snapshot unload command to force deletion of a loaded snapshot.
  • core (enterprise): Allow setting of an entropy source on password generation policies, and with it the selection of "seal" to use entropy augmentation.
  • core (enterprise): add ability to get time remaining until rotation from rotation manager
  • core (enterprise): add support for new pki-only license feature
  • core (enterprise): improve rotation manager logging to include specific lines for rotation success and failure
  • core/metrics: Reading and listing from a snapshot are now tracked via the vault.route.read-snapshot.{mount_point} and vault.route.list-snapshot.{mount_point} metrics.
  • core/snapshot-load (enterprise): Add a force query parameter to the DELETE sys/storage/raft/snapshot-load/{snapshot_id} endpoint to allow for forced deletion of snapshots. This is useful when the snapshot is in a state that prevents normal deletion, such as being in the process of loading.
  • license utilization reporting (enterprise): Add metrics for the number of issued PKI certificates.
  • openapi: Add OpenAPI support for secret recovery operations.
  • openapi: Add openapi response definitions to sys/internal/counters/activity/* endpoints.
  • plugins: Clarify usage of sha256, command, and version for plugin registration of binary or artifact with API and CLI. Introduce new RegisterPluginDetailed and RegisterPluginWithContextDetailed functions to API client to propagate response along with error, and mark RegisterPlugin and RegisterPluginWithContext as deprecated.
  • proxy/cache (enterprise): Vault Proxy will now use vault_index on events to be able to update cached static secrets from performance secondaries without needing to be forwarded. This will take precedence over attempting to forward the request to the primary.
  • sdk: add stub code for retrieving rotation schedule information
  • secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot.
  • secrets/database: Add PSC support for GCP CloudSQL MySQL and Postgresql
  • secrets/database: Add PrivateIP support for MySQL
  • secrets/database: Add root rotation support for Snowflake database secrets engines using key-pair credentials.
  • secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields.
  • secrets/kmip (enterprise): Update various third party dependencies.
  • secrets/pki (enterprise): add integrations/guardium configuration endpoint.
  • secrets/pki (enterprise): add new batch/certs endpoint to allow multiple certificates to be fetched at once.
  • secrets/pki (enterprise): enable separately-configured logging for SCEP-enrollment.
  • secrets/pki: Add the digest OID when logging SCEP digest mismatch errors.
  • secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only).
  • secrets/transform (enterprise): Update various third party dependencies.
  • secrets/transit: add logging on both success and failure of key rotation
  • storage/raft (enterprise): Add autoload_enabled option to raft automated snapshot configurations. When enabled, this option will automatically load raft snapshots into Vault, which can then be used for recovery operations.
  • sys (enterprise): Add sys/billing/certificates API endpoint to retrieve the number of issued PKI certificates.
  • ui/activity (enterprise): Add clarifying text to explain the "Initial Usage" column will only have timestamps for clients initially used after upgrading to version 1.21
  • ui/activity (enterprise): Reduce requests to the activity export API by only fetching new data when the dashboard initially loads or is manually refreshed.
  • ui/activity (enterprise): Support filtering months dropdown by ISO timestamp or display value.
  • ui/activity: Adds filtering by month to the Client Count dashboard to link client counts to specific client IDs from the export API
  • ui/auth: the role field on the OIDC login form now auto-fills from the role URL query string parameter
  • ui/auth: the role field on the SAML login form now auto-fills from the role URL query string parameter
  • ui/secrets: Display the plugin version on the secret engine list view. Move KV's version to a tooltip that appears when hovering over the engine's name.
  • ui/secrets: Updated filters on secret engines list to sort by path, engine type and version
  • ui: Add namespace_path, mount_path and mount_type filters to attribution table
  • ui: Enhanced secret engine selection dynamically displays all available plugins from the plugin catalog.
  • ui: Format multiline API error messages to render as bulleted lists.
  • ui: Use the Helios Design System Code Block component for all readonly code editors and use its Code Editor component for all other code editors

DEPRECATIONS:

  • core: disallow usage of duplicate attributes in HCL configuration files and policy definitions, which were already deprecated. For now those errors can be suppressed back to warnings by setting the environment variable VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES.

BUG FIXES:

  • activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload.
  • activity (enterprise): sys/internal/counters/activity outputs the correct mount type when called from a non root namespace
  • agent/template: Fixed issue where templates would not render correctly if the namespace was provided by config, and the namespace and mount path of the secret were the same.
  • auth/approle (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/aws (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/cert (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load.
  • auth/github (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/ldap (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/okta (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/radius (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/scep (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth/scep (enterprise): enforce the token_bound_cidrs role parameter within SCEP roles
  • auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
  • auth/userpass (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
  • auth: fixed panic when supplying integer as a lease_id in renewal.
  • auth: update alias lookahead to respect username case for LDAP and username/password
  • auto-reporting (enterprise): Clarify debug logs to accurately reflect when automated license utilization reporting is enabled or disabled, especially since manual reporting is always initialized.
  • core (enterprise): Avoid duplicate seal rewrapping, and ensure that cluster secondaries rewrap after a seal migration.
  • core (enterprise): fix a bug where issuing a token in a namespace used root auth configuration instead of namespace auth configuration
  • core/activitylog (enterprise): Fix nil panic when trying reload census manager before activity log is setup.
  • core/metrics: Add service name prefix for core HA metrics to avoid duplicate, zero-value metrics.
  • core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.
  • core/seal: When Seal-HA is enabled, make it an error to persist the barrier keyring when not all seals are healthy. This prevents the possibility of failing to unseal when a different subset of seals are healthy than were healthy at last write.
  • core: Fixed issue where under certain circumstances the rotation manager would spawn goroutines indefinitely.
  • core: Role based quotas now work for cert auth
  • core: interpret all new rotation manager rotation_schedules as UTC to avoid inadvertent use of tz-local
  • core: resultant-acl now merges segment-wildcard (+) paths with existing prefix rules in glob_paths, so clients receive a complete view of glob-style permissions. This unblocks UI sidebar navigation checks and namespace access banners.
  • default-auth: Fix bug where listing default-auth configurations caused panic during auditing.
  • gcs: fix failed locking due to updated library error checks
  • identity/mfa: revert cache entry change from #31217 and document cache entry values
  • kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing.
  • mongodb: fix mongodb connection issue when using TLS client + username/password authentication
  • plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing.
  • product usage reporting (enterprise): Clarify debug logs to accurately reflect when anonymous product usage reporting is enabled or disabled, especially since manual reporting is always initialized.
  • raft (enterprise): auto-join will now work in regions that do not support dual-stack
  • raft/autopilot: Fixes an issue with enterprise redundancy zones where, if the leader was in a redundancy zone and that leader becomes unavailable, the node would become an unzoned voter. This can artificially inflate the required number of nodes for quorum, leading to a situation where the cluster cannot recover if another leader subsequently becomes unavailable. Vault will now keep an unavailable node in its last known redundancy zone as a non-voter.
  • replication (enterprise): Fix bug where group updates fail when processed on a standby node in a MR secondary cluster.
  • replication (enterprise): Fix bug with mount invalidations consuming excessive memory.
  • secrets-sync (enterprise): GCP locational KMS keys are no longer incorrectly removed when the location name is all lowercase.
  • secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.
  • secrets/azure: Ensure proper installation of the Azure enterprise secrets plugin.
  • secrets/database/postgresql: Support for multiline statements in the rotation_statements field.
  • secrets/database: respect the escaping/disable_escaping state when using self-managed static roles
  • secrets/transit: Fix error when using ed25519 keys that were imported with derivation enabled
  • sentinel (enterprise): Fix a Sentinel bug, where the soft-mandatory policy override would not work in overriding request denial. Now, Vault correctly allows requests when the policy override flag is set. Previously, requests were denied even if an override was explicitly set. Error messaging for denied requests is now clearer and more actionable.
  • sys/mounts: enable unsetting allowed_response_headers
  • ui (enterprise): Fixes login form so input renders correctly when token is a preferred login method for a namespace.
  • ui: Fix DR secondary view from not loading/transitioning.
  • ui: Fix kv v2 overview page from erroring if a user does not have access to the /subkeys endpoint and the policy check fails.
  • ui: Fix page loading error when users navigate away from identity entities and groups list views.
  • ui: Fix regression in 1.20.0 to properly set namespace context for capabilities checks
  • ui: Fix selecting multiple namespaces in the namespace picker when the path contains matching nodes
  • ui: Fixes UI login settings list page which was not rendering rules with an underscore in the name.
  • ui: Include user's root namespace in the namespace picker if it's a namespace other than the actual root ("")
  • ui: Revert camelizing of parameters returned from sys/internal/ui/mounts so mount paths match serve value
