Changelog

The changelog format is based on Keep a Changelog.

This project uses Semantic Versioning - MAJOR.MINOR.PATCH

1.7.1.dev5+gfb270624d (2026-07-16)

Added

  • Added vault_approle execution, state and wrapper modules to manage and utilize the AppRole auth backend

  • Added vault_plugin execution, state and wrapper modules to manage plugins and pinned versions

1.7.0 (2026-07-08)

Fixed

  • Fixed SDB patch fallback when PATCH requests are not allowed

  • Fixed vault_db.creds_uncached clearing cached credentials with custom cache key when cache key was not specified

  • Fixed vault_db.static_role_present management of rotation_statements, which was not passed to Vault, but the failure was alerted about

  • Fixed vault_pki.certificate_managed deleting symlinks in test mode when follow_symlinks is explicitly set to false

  • Fixed an existing DB connection’s explicit plugin_version being reset when it was not specified in a call to vault_db.write_connection

  • Fixed autodetermination of unspecified cert_type in ssh_pki backend functionality

  • Fixed clearing cache when vault:cache:backend overrides Salt’s cache

  • Fixed exception in read_issuer_crl when issuer is missing - now returns None, as intended

  • Fixed merging of default_critical_options and default_extensions with overrides in ssh_pki backend

  • Fixed passing multiple entries of the same SAN type in vault_pki.(issue|sign)_certificate

  • Fixed reported failure in vault_ssh.role_present_otp when port was not set. The state application still worked.

  • Fixed reporting of multiple subject element changes in vault_pki.certificate_managed

  • Fixed revocation delay of leases with renew_increment set

  • Fixed the pillar module’s merge_lists being ignored when it was set to false and Salt’s pillar_merge_lists was enabled

  • Synchronized event format for vault/lease/*/expire between sources to ttl - ttl and ttl_left were both used before, depending on the source of the event

Added

  • Added read_certificate_full execution function to the vault_pki module, returning the certificate, its CA chain and miscellaneous information as a dictionary. #145

  • Added support for rendering identity templates in the ssh_pki backend, which fixes idempotency when default_extensions_template is enabled. This functionality requires an adjusted policy

1.6.0 (2026-05-20)

Fixed

  • Fixed SSH wrappers in 3008.x #149

  • Fixed issued AppRoles unnecessarily being rewritten when config or SecretID were requested by minions and a TTL configuration was set as a time string #151

Added

  • Added compatibility for vault_ssh to be used as the backend for the new ssh_pki.certificate_managed state introduced in Salt 3008, making stateful SSH certificate management using Vault-issued certificates possible on Salt 3008+ #138

1.5.0 (2026-03-09)

Fixed

  • Fixed vault_ssh.ca_(present|absent) in OpenBao

Added

  • Added official OpenBao support #139

1.4.0 (2026-02-15)

Changed

  • Marked some API methods using POST/PATCH requests as safe to retry by default since they are effectively idempotent #97

Fixed

  • Fixed handling of retry_after_max with urllib3 2.6.3, which introduced the same parameter and set its default to 6h. When retry_after_max is explicitly set to None, we default to 6h from now on too, otherwise the previous default of 60s applies. #130

  • Fixed SDB URI resolution in auth:token to make documented token-from-env behavior work #133

  • Fixed Vault client token lookups using an accessor. These lookups used the wrong API method (GET instead of POST)

Added

  • Added the ability to disallow non-impersonated authentication requests via issue:block_minion_requests, effectively limiting authentication credential issuance to the master only #109

  • Added SDB URI resolution for auth:role_id and auth:secret_id to achieve feature parity between auth methods #134

1.3.2 (2025-05-04)

Fixed

  • Fixed vault_pki.certificate_managed always recreating certificate with append_ca_chain=True #123

1.3.1 (2025-03-24)

Fixed

  • Fixed running vault.sync_approles on a fresh, empty mount #111

1.3.0 (2024-12-09)

Fixed

  • Fixed a crash when a templated field accesses an out-of-bounds list index

Added

  • When metadata that is written to Vault is templated using a list or dict, in addition to concatenating the values into a sorted comma-separated list, the master now additionally creates a separate suffixed key for each individual item #106

1.2.2 (2024-11-10)

Fixed

  • Fixed compatibility with master cluster mode #99

1.2.1 (2024-11-07)

Fixed

  • Fixed the client used for unwrapping authentication credentials not respecting client configuration when no cached configuration is available #95

v1.2.0 (2024-10-02)

Changed

  • Readded direct package dependency on cryptography

Fixed

  • Change unseal query to be always unauthenticated. #85

Added

  • Added support for credential orchestration in Salt-SSH wrappers, added wrappers for vault, vault_db, vault_pki modules #54

  • Added vault_ssh execution, state and wrapper modules for managing and using the SSH secret backend #58

  • Improved handling of KV v2 secret versions #61

  • Added vault_secret state module for statefully managing secrets #62

v1.1.1 (2024-07-24)

Changed

  • Required x509_v2 modules to be available for specific parameters to vault_pki, dropped direct dependency on cryptography #78

Fixed

  • Fixed vault.update_config crash #77

v1.1.0 (2024-07-23)

Removed

  • Dropped support for Python 3.7 #59

  • Dropped support for Salt 3005 #70

Fixed

  • Fixed a crash when renewing/revoking leases that have been revoked on the Vault server early #45

Added

  • Added an optional switch for validating cached leases with the Vault server before returning them from the LeaseStore #46

  • Implemented setting per-lease defaults of lifecycle parameters #47

  • Implemented caching arbitrary metadata together with a lease and included it in expiry events #48

  • Added a LeaseStore method for listing cached lease information #49

  • Added vault_db modules for management and usage of the Vault database secret backend #52

  • Added vault_lease beacon module to monitor and renew cached leases #53

  • Added vault_pki modules for interfacing with the PKI backend and managing X.509 certificates #58

  • Added support for retry logic and specific connection settings in vault:client #65

v1.0.0 (2024-04-23)

Deprecated

  • Deprecated Vault pillar configuration with conf parameter and path= prefix #30

Changed

  • Changed Vault pillar module configuration #30

Fixed

  • Fixed Salt master does not renew token #10

  • Fixed vault module fetching more than one secret in one run with single-use tokens #11

  • Fixed Vault verify option to work on minions when only specified in master config #12

  • Fixed vault command errors configured locally #13

  • Fixed sdb.get_or_set_hash with Vault single-use tokens #14

  • Fixed Vault session storage to allow unlimited use tokens #15

  • Fixed salt-minion 3006.0 KeyError without ‘vault’ config key #22

  • Fixed verify parameter for unwrap requests #34

Added

  • Added Vault AppRole and identity issuance to minions #16

  • Added Vault AppRole auth mount path configuration option #17

  • Added distribution of Vault authentication details via response wrapping #18

  • Added Vault token lifecycle management #19

  • Added Vault lease management utility #20

  • Added patch option to Vault SDB driver #21

  • Added inline specification of trusted CA root certificate for Vault #23

  • Added support for dictionary keys in pattern #26