diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js
index 359cc9356..93ffdaace 100644
--- a/website/data/docs-navigation.js
+++ b/website/data/docs-navigation.js
@@ -385,6 +385,7 @@ export default [
 'upgrade-to-1.3.2',
 'upgrade-to-1.3.3',
 'upgrade-to-1.3.4',
+ 'upgrade-to-1.3.5',
 'upgrade-to-1.4.0'
 ]
 },
diff --git a/website/pages/docs/upgrading/upgrade-to-1.3.5.mdx b/website/pages/docs/upgrading/upgrade-to-1.3.5.mdx
new file mode 100644
index 000000000..3b1035535
--- /dev/null
+++ b/website/pages/docs/upgrading/upgrade-to-1.3.5.mdx
@@ -0,0 +1,15 @@
+---
+layout: docs
+page_title: Upgrading to Vault 1.3.5 - Guides
+sidebar_title: Upgrade to 1.3.5
+description: |-
+ This page contains the list of deprecations and important or breaking changes
+ for Vault 1.3.5. Please read it carefully.
+---
+
+# Overview
+
+This page contains the list of deprecations and important or breaking changes
+for Vault 1.3.4 compared to 1.3.5. Please read it carefully.
+
+@include 'partials/aws-auth-metadata-fix.mdx'
diff --git a/website/pages/partials/aws-auth-metadata-fix.mdx b/website/pages/partials/aws-auth-metadata-fix.mdx
new file mode 100644
index 000000000..040277cbe
--- /dev/null
+++ b/website/pages/partials/aws-auth-metadata-fix.mdx
@@ -0,0 +1,35 @@
+## The AWS Auth Engine
+
+Users of the AWS Auth Engine may notice less metadata in their audit logs
+and associated with the aliases generated by logging in. This is because
+we corrected a regression where more metadata had been added by default,
+causing a performance impact for some users at scale.
+
+Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:
+
+- `iam_metadata` `(string: "default")` - The metadata to include on the token
+ returned by the `login` endpoint. This metadata will be added to both audit logs,
+ and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
+ Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
+ `inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
+ set to `""` via the CLI or `[]` via the API. To use only particular fields, select
+ the explicit fields. To restore to defaults, send only a field of `default`.
+ **Only select fields that will have a low rate of change** for your `iam_alias` because
+ each change triggers a storage write and can have a performance impact at scale.
+- `ec2_metadata` `(string: "default")` - The metadata to include on the token
+ returned by the `login` endpoint. This metadata will be added to both audit logs,
+ and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
+ Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
+ set to `""` via the CLI or `[]` via the API. To use only particular fields, select
+ the explicit fields. To restore to defaults, send only a field of `default`.
+ **Only select fields that will have a low rate of change** for your `ec2_alias` because
+ each change triggers a storage write and can have a performance impact at scale.
+
+At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
+the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
+selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
+change for _those_ aliases.
+
+This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
+has many use cases, so please do configure the aliases and metadata that makes sense for
+your organization.