open-vault/website/content/docs/upgrading/upgrade-to-1.13.x.mdx

---
layout: docs
page_title: Upgrading to Vault 1.13.x - Guides
description: |-
  This page contains the list of deprecations and important or breaking changes
  for Vault 1.13.x. Please read it carefully.
---

# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 1.13.x compared to 1.12. Please read it carefully.

## Changes

@include 'consul-dataplane-upgrade-note.mdx'

### Active Directory Secrets Engine Deprecation

The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release.
We will continue to support the AD secrets engine in maintenance mode for six major Vault
releases. Maintenance mode means that we will fix bugs and security issues but will not add
new features. For additional information, see the [deprecation table](/vault/docs/deprecation)
and [migration guide](/vault/docs/secrets/ad/migration-guide).

### AliCloud Auth Role Parameter

The AliCloud auth plugin will now require the `role` parameter on login. This
has always been documented as a required field but the requirement will now be
enforced.

### Mounts associated with removed builtin plugins will result in core shutdown on upgrade

As of 1.13.0 Standalone (logical) DB Engines and the AppId Auth Method have been
marked with the `Removed` status. Any attempt to unseal Vault with
mounts backed by one of these builtin plugins will result in an immediate
shutdown of the Vault core.

-> **NOTE** In the event that an external plugin with the same name and type as
a deprecated builtin is deregistered, any subsequent unseal will continue to
unseal with an unusable auth backend, and a corresponding ERROR log.

```shell-session
$ vault plugin register -sha256=c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1 auth app-id
Success! Registered plugin: app-id
$ vault auth enable -plugin-name=app-id plugin
Success! Enabled app-id auth method at: app-id/
$ vault auth list -detailed | grep "app-id"
app-id/    app-id    auth_app-id_3a8f2e24    system         system     default-service    replicated     false        false                      map[]      n/a                        0018263c-0d64-7a70-fd5c-50e05c5f5dc3    n/a        n/a                      c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1    n/a
$ vault plugin deregister auth app-id
Success! Deregistered plugin (if it was registered): app-id
$ vault plugin list -detailed | grep "app-id"
app-id                               auth        v1.13.0+builtin.vault                                 removed
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST http://127.0.0.2:8200/v1/sys/seal
$ vault operator unseal <key1>
...
$ vault operator unseal <key2>
...
$ vault operator unseal <key3>
...
$ grep "app-id" /path/to/vault.log
[ERROR] core: skipping deprecated auth entry: name=app-id path=app-id/ error="mount entry associated with removed builtin"
[ERROR] core: skipping initialization for nil auth backend: path=app-id/ type=app-id version="v1.13.0+builtin.vault"
```

The remediation for affected mounts is to downgrade to the previously-used version of Vault
environment variable and replace any `Removed` feature with the
[preferred alternative
feature](/vault/docs/deprecation/faq#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines).

For more information on the phases of deprecation, see the [Deprecation Notices
FAQ](/vault/docs/deprecation/faq#q-what-are-the-phases-of-deprecation).

#### Impacted Versions

Affects upgrading from any version of Vault to 1.13.x. All other upgrade paths
are unaffected.

## Known Issues

@include 'tokenization-rotation-persistence.mdx'
add draft 1.13.x upgrade guide (#18023) * add draft upgrade guide * add note this is a draft * make 1.13 guide hidden * add heading for alicloud change 2022-11-17 21:57:16 +00:00			`---`
			`layout: docs`
			`page_title: Upgrading to Vault 1.13.x - Guides`
			`description: \|-`
			`This page contains the list of deprecations and important or breaking changes`
			`for Vault 1.13.x. Please read it carefully.`
			`---`

			`# Overview`

			`This page contains the list of deprecations and important or breaking changes`
			`for Vault 1.13.x compared to 1.12. Please read it carefully.`

			`## Changes`

mention Consul Dataplane compat in 1.13.x upgrade notes (#18063) * mention Consul Dataplane compat in 1.13.x upgrade notes * change heading level Co-authored-by: Meggie <meggie@hashicorp.com> Co-authored-by: Meggie <meggie@hashicorp.com> 2022-11-21 19:11:13 +00:00			`@include 'consul-dataplane-upgrade-note.mdx'`

docs/ad: adds deprecation announcements and migration guide (#19388) * docs/ad: adds deprecation announcements and migration guide * fix table ending * remove fully-qualified links * Minor format fixes - migrationguide * Update website/content/docs/secrets/ad/migration-guide.mdx Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> * Update website/content/docs/secrets/ad/migration-guide.mdx Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> 2023-02-28 18:41:59 +00:00			`### Active Directory Secrets Engine Deprecation`

			`The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release.`
			`We will continue to support the AD secrets engine in maintenance mode for six major Vault`
			`releases. Maintenance mode means that we will fix bugs and security issues but will not add`
			`new features. For additional information, see the [deprecation table](/vault/docs/deprecation)`
			`and [migration guide](/vault/docs/secrets/ad/migration-guide).`

add draft 1.13.x upgrade guide (#18023) * add draft upgrade guide * add note this is a draft * make 1.13 guide hidden * add heading for alicloud change 2022-11-17 21:57:16 +00:00			`### AliCloud Auth Role Parameter`

			The AliCloud auth plugin will now require the `role` parameter on login. This
			`has always been documented as a required field but the requirement will now be`
			`enforced.`

Add upgrade note for Removed builtins in 1.13 (#19531) 2023-03-15 22:18:44 +00:00			`### Mounts associated with removed builtin plugins will result in core shutdown on upgrade`

			`As of 1.13.0 Standalone (logical) DB Engines and the AppId Auth Method have been`
			marked with the `Removed` status. Any attempt to unseal Vault with
			`mounts backed by one of these builtin plugins will result in an immediate`
			`shutdown of the Vault core.`

			`-> NOTE In the event that an external plugin with the same name and type as`
			`a deprecated builtin is deregistered, any subsequent unseal will continue to`
			`unseal with an unusable auth backend, and a corresponding ERROR log.`

			```shell-session
			`$ vault plugin register -sha256=c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1 auth app-id`
			`Success! Registered plugin: app-id`
			`$ vault auth enable -plugin-name=app-id plugin`
			`Success! Enabled app-id auth method at: app-id/`
			`$ vault auth list -detailed \| grep "app-id"`
			`app-id/ app-id auth_app-id_3a8f2e24 system system default-service replicated false false map[] n/a 0018263c-0d64-7a70-fd5c-50e05c5f5dc3 n/a n/a c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1 n/a`
			`$ vault plugin deregister auth app-id`
			`Success! Deregistered plugin (if it was registered): app-id`
			`$ vault plugin list -detailed \| grep "app-id"`
			`app-id auth v1.13.0+builtin.vault removed`
			`$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST http://127.0.0.2:8200/v1/sys/seal`
			`$ vault operator unseal <key1>`
			`...`
			`$ vault operator unseal <key2>`
			`...`
			`$ vault operator unseal <key3>`
			`...`
			`$ grep "app-id" /path/to/vault.log`
			`[ERROR] core: skipping deprecated auth entry: name=app-id path=app-id/ error="mount entry associated with removed builtin"`
			`[ERROR] core: skipping initialization for nil auth backend: path=app-id/ type=app-id version="v1.13.0+builtin.vault"`
			```

			`The remediation for affected mounts is to downgrade to the previously-used version of Vault`
			environment variable and replace any `Removed` feature with the
			`[preferred alternative`
			`feature](/vault/docs/deprecation/faq#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines).`

			`For more information on the phases of deprecation, see the [Deprecation Notices`
			`FAQ](/vault/docs/deprecation/faq#q-what-are-the-phases-of-deprecation).`

			`#### Impacted Versions`

			`Affects upgrading from any version of Vault to 1.13.x. All other upgrade paths`
			`are unaffected.`

Add the Tokenization/Rotation persistence issue as a Known Issue (#19542) * Note the known issue with rotation interaction with tokenization key policy persistence * typo 2023-03-15 14:42:02 +00:00			`## Known Issues`

			`@include 'tokenization-rotation-persistence.mdx'`