Vault
Deprecation notices
Vault implements a multi-phased approach to deprecations to provide users with advanced warning, minimize business disruptions, and allow for the safe handling of data affected by a feature removal.
Have questions?
If you have questions or concerns about a deprecated feature, please create a topic on the Vault community forum or raise a ticket with your support team.
Deprecations
Enterprise
The Vault Support Team can provide limited help with a deprecated feature. Limited support includes troubleshooting solutions and workarounds but does not include software patches or bug fixes. Refer to the HashiCorp Support Policy for more information on the product support timeline.
Snowflake DB password authentication
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| APR 2025 | NOV 2025 | NOV 2025 | 
Snowflake plans to disable password authentication for all users in November of 2025.
As of Vault 1.20.x, the Snowflake database secrets engine supports key-pairs in place of passwords for root credentials.
Pending removal
Vault Agent API proxy
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| JUN 2023 | APR 2024 | CY26 Q2 | 
Built-in API proxy support for Vault Agent is deprecated. We recommend migrating to Vault Proxy if you require proxy functionality.
Duplicate HCL attributes
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| JUN 2025 | OCT 2025 | N/A | 
The ability to duplicate attributes in HCL configuration files and policy definitions is deprecated.
To find affected policies, look for "policy contains duplicate attributes" warnings in the server logs. Once we remove support for duplicate attributes, you cannot interact with affected policies. For example, Vault will return an error if you try to create a token referencing an affected policy or use an existing token that references the policy.
The Vault CLI now checks provided configuration files to determine if the file is subject to the duplicate parameter deprecation and returns a warning about the issue.
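To catch duplicates before they surface as "policy contains duplicate attributes" warnings, a pre-flight scan over policy files can flag any attribute assigned twice in the same block. The following is an added example, not HashiCorp's code and not Vault's HCL parser: it is a line-oriented heuristic that assumes one attribute per line and no heredocs, and the sample policy is constructed.

```python
import re

STRING = re.compile(r'"(?:\\.|[^"\\])*"')          # a double-quoted string
ATTR = re.compile(r"\s*([A-Za-z_][\w-]*)\s*=")      # name = value
LABEL = re.compile(r'\s*\w+\s+"([^"]*)"')           # path "label" {

def _code_only(line):
    """Drop string contents, then # and // comments, so only syntax remains."""
    return re.split(r"#|//", STRING.sub("", line), maxsplit=1)[0]

def find_duplicate_attributes(hcl_text):
    """Return (block, attribute, first_line, duplicate_line) tuples."""
    scopes, findings = [("<top level>", {})], []
    for lineno, raw in enumerate(hcl_text.splitlines(), 1):
        code = _code_only(raw)
        m = ATTR.match(code)
        if m:
            label, seen = scopes[-1]
            if m.group(1) in seen:
                findings.append((label, m.group(1), seen[m.group(1)], lineno))
            seen.setdefault(m.group(1), lineno)
        for ch in code:
            if ch == "{":      # new block or map: attributes get a fresh scope
                lbl = LABEL.match(raw)
                scopes.append((lbl.group(1) if lbl else code.strip(" ={"), {}))
            elif ch == "}" and len(scopes) > 1:
                scopes.pop()
    return findings

# Constructed policy for illustration.
SAMPLE_POLICY = '''path "secret/data//app/*" {
  capabilities = ["read"]
  allowed_parameters = {
    "capabilities" = []              # quoted map key, not an attribute
  }
  capabilities = ["read", "update"]  # duplicate attribute in the same block
}
'''

if __name__ == "__main__":
    for block, attr, first, dup in find_duplicate_attributes(SAMPLE_POLICY):
        print(f'{block}: "{attr}" set on line {first} and again on line {dup}')
```

Treat a hit as a prompt to review the policy by hand, since the two assignments may grant different access and the intended one has to be chosen.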
Exact-match list comparison on allowed_parameters and denied_parameters
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| OCT 2025 | OCT 2025 | APR 2026 | 
The behavior of allowed_parameters and denied_parameters policy rules when
evaluating list-type request parameters is changing in Vault v1.21.0. During the
deprecation period the environment variable VAULT_LEGACY_EXACT_MATCHING_ON_LIST
can be set to revert to the legacy behavior.
Refer to list parameter evaluation for more information on the behavior change.
Removed
Ruby client libraries
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| APR 2024 | APR 2025 | N/A | 
If you are interested in assuming ownership and providing future maintenance:
- Fork the relevant GitHub repo: hashicorp/vault-ruby or hashicorp/vault-rails.
- Open a GitHub issue in the relevant repo, mention the deprecation notice, and indicate your desire to take over the project.
We are currently assessing the relevant repos
Once we have reviewed the relevant repos and the issues submitted for ownership, we will update the information for our community-supported libraries.
AWS secrets engine field change
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| APR 2024 | N/A | N/A | 
The security_token field returned for AssumeRole and FederationToken
credentials is deprecated in favor of session_token.
For more information, consult the AWS secrets engine API documentation.
Centrify auth method
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| SEP 2023 | CY24 Q2 | CY24 Q2 | 
Vault no longer provides official support for the Centrify auth method plugin.
Active Directory secrets engine
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| MAR 2023 | CY24 Q3 | CY25 Q1 | 
We no longer support the Active Directory secrets engine.
Duplicative Docker images
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| OCT 2022 | MAR 2023 | JUN 2023 | 
Previously, HashiCorp published and updated separate, identical Docker images of
Vault as a Verified Publisher image and Official image. As of v1.12, Vault no
longer supports the vault Docker image and will remove all duplicative Vault
Docker images. To continue receiving updates, you will need to use the
Verified Publisher hashicorp/vault image on DockerHub.
Include the version when pulling images
Use docker pull hashicorp/vault:<version> instead of docker pull vault:version to get newer versions of Vault in Docker images.
Azure secrets password policy
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| N/A | APR 2024 | N/A | 
The password_policy field for the Azure secrets plugin is deprecated. The
MS Graph API now returns passwords to the client rather than accepting
passwords as part of the request. As a result, the password_policy field is
unusable.
For more information, consult the Microsoft documentation for MS GRAPH APP API and MS GRAPH SP API.
Internal counters tokens API
| Announced | Expected end of support | Expected removal | 
|---|---|---|
| MAY 2025 | MAY 2025 | MAY 2025 | 
Vault no longer supports the /sys/internal/counters/tokens endpoint, which
returned the number of tokens that were used in a Vault cluster.
Deprecation phases
The lifecycle of a Vault feature or plugin includes 4 phases:
- supported - generally available (GA), functioning as expected, and under active maintenance
- deprecated - marked for removal in a future release
- pending removal - support ended or replaced by another feature
- removed - end of lifecycle
Deprecated
"Deprecated" is the first phase of the deprecation process and indicates that the feature is marked for removal in a future release. When you upgrade Vault, newly deprecated features will begin alerting that the feature is deprecated:
- Built-in authentication and secrets plugins log Warn-level messages on unseal.
- All deprecated features log Warn-level messages.
- All POST, GET, and LIST endpoints associated with the feature return warnings in response data.
Built-in Vault authentication and secrets plugins also expose their deprecation status through the Vault CLI and Vault API.
| CLI command | API endpoint | 
|---|---|
| N/A | /sys/plugins/catalog | 
| vault plugin info auth <PLUGIN_NAME> | /sys/plugins/catalog/auth/:name | 
| vault plugin info secret <PLUGIN_NAME> | /sys/plugins/catalog/secret/:name | 
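The catalog endpoint above can drive an upgrade pre-check that compares each built-in plugin's deprecation status against the plugins actually mounted. The following is an added example, not HashiCorp's code: the response layout (a "detailed" list with "builtin" and "deprecation_status" fields), the lowercase status strings, the plugin names and the mount list are all assumptions or constructed values.

```python
import json

# Phase names come from the page; the lowercase strings and the "detailed"
# list layout are assumptions about the catalog response.
PHASE_RANK = {"supported": 0, "deprecated": 1, "pending removal": 2, "removed": 3}
ACTION = {
    1: "warn: still works, schedule migration",
    2: "block: fails at this phase and can stop the Vault core",
    3: "block: no longer exists in this version",
}

def audit_catalog(catalog_json, mounted):
    """Return (rank, type, name, status, action) for every mounted built-in
    plugin that is past the "supported" phase, most severe first."""
    findings = []
    for entry in json.loads(catalog_json)["data"]["detailed"]:
        key = (entry["type"], entry["name"])
        if not entry.get("builtin") or key not in mounted:
            continue
        status = str(entry.get("deprecation_status", "")).lower()
        if status not in PHASE_RANK:
            # Unrecognized status: surface it for review instead of passing it.
            findings.append((2, *key, status or "missing", "review: unknown status"))
        elif PHASE_RANK[status]:
            rank = PHASE_RANK[status]
            findings.append((rank, *key, status, ACTION[rank]))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

def upgrade_blocked(findings):
    """True when any mounted plugin is pending removal, removed or unknown."""
    return any(rank >= 2 for rank, *_ in findings)

# Constructed sample response and mount list; plugin names are hypothetical.
SAMPLE_CATALOG = json.dumps({"data": {"detailed": [
    {"type": "auth", "name": "example-auth", "builtin": True, "deprecation_status": "supported"},
    {"type": "auth", "name": "old-auth", "builtin": True, "deprecation_status": "deprecated"},
    {"type": "secret", "name": "old-secrets", "builtin": True, "deprecation_status": "pending removal"},
    {"type": "secret", "name": "gone-secrets", "builtin": True, "deprecation_status": "removed"},
    {"type": "secret", "name": "vendor-plugin", "builtin": False},
]}})
MOUNTED = {("auth", "example-auth"), ("auth", "old-auth"),
           ("secret", "old-secrets"), ("secret", "vendor-plugin")}

if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE_CATALOG, MOUNTED):
        print(*finding[1:], sep="  ")
```

Run it against the catalog of the target Vault version, not the running one, so the statuses reflect what the upgrade will enforce.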
Pending removal
"Pending removal" is the second phase of the deprecation process and indicates that the feature behavior is fundamentally altered in the following ways:
- Built-in authentication and secrets plugins log Error-level messages and cause an immediate shutdown of the Vault core.
- All features pending removal fail and log Error-level messages.
- All CLI commands and API endpoints associated with the feature fail and return errors.
Use with caution
In critical situations, you may be able to override the pending removal behavior with the VAULT_ALLOW_PENDING_REMOVAL_MOUNTS environment variable, which forces Vault to treat some features that are pending removal as if they were still only deprecated.
Removed
"Removed" is the last phase of the deprecation process and indicates that the feature is no longer supported and no longer exists within Vault.
Migrate from deprecated features
Features in the "pending removal" and "removed" phases will fail, log errors, and, for built-in authentication or secret plugins, cause an immediate shutdown of the Vault core.
To migrate away from a deprecated feature and successfully upgrade to newer Vault versions, you must eliminate the deprecated features:
- Downgrade Vault to a previous version if necessary.
- Replace any "Removed" or "Pending removal" feature with the recommended alternative.
- Upgrade to the latest desired version.