---
layout: "docs"
page_title: "Upgrading to Vault 0.11.0 - Guides"
sidebar_title: "Upgrade to 0.11.0"
sidebar_current: "docs-upgrading-to-0.11.0"
description: |-
  This page contains the list of deprecations and important or breaking changes
  for Vault 0.11.0. Please read it carefully.
---

# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 0.11.0 compared to 0.10.0. Please read it carefully.

## Known Issues

### Nomad Integration

Users that integrate Vault with Nomad should hold off on upgrading. A modification to
Vault's API is causing a runtime issue with the Nomad to Vault integration.

### Minified JSON Policies

Users that generate policies in minified JSON may encounter parsing errors due to
a regression in the policy parser when it encounters repeated brackets. Although
HCL is the official language for policies in Vault, HCL is JSON compatible and JSON
should work in place of HCL. To work around this error, pretty print the JSON policies
or add spaces between repeated brackets. This regression will be addressed in
a future release.

### Common Mount Prefixes

Before running the upgrade, users should run `vault secrets list` and `vault auth list`
to check their mount tables and ensure that no mount path is a common prefix "folder"
of another mount. For example, if there is a mount with path `team1/` and a mount with
path `team1/secrets`, Vault will fail to unseal after the upgrade. Before upgrading,
these mounts must be remounted at paths that do not share a common prefix.

## Changes Since 0.10.4

### Request Timeouts

A default request timeout of 90s is now enforced. This setting can be
overwritten in the config file. If you anticipate requests taking longer than
90s this setting should be configured before upgrading.
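The pre-upgrade check from the "Common Mount Prefixes" known issue above, as an added example that is not part of this guide or of Vault itself. It assumes the JSON form of the mount tables (what `vault secrets list -format=json` and `vault auth list -format=json` print) is an object keyed by mount path, and reports any mount whose path is a folder prefix of another mount. The sample mount table is constructed for the example.

```python
"""Pre-upgrade check for mounts that share a common prefix "folder".

Added example; it is not part of this guide or of Vault. It assumes the JSON
form of the mount tables is an object keyed by mount path (what
`vault secrets list -format=json` and `vault auth list -format=json` print)
and flags any mount whose path is a prefix folder of another mount.
"""
import json
import subprocess
from typing import Iterable, List, Tuple

# Constructed sample of `vault secrets list -format=json` output. It contains
# the conflict from the guide's example (`team1/` and `team1/secrets`) and a
# near miss (`team10/`) that must not be reported.
SAMPLE_SECRETS_TABLE = json.dumps({
    "cubbyhole/": {"type": "cubbyhole"},
    "secret/": {"type": "kv"},
    "sys/": {"type": "system"},
    "team1/": {"type": "kv"},
    "team1/secrets/": {"type": "kv"},
    "team10/": {"type": "kv"},
})


def normalize(path: str) -> str:
    """Mounts are prefixes, so compare every path with exactly one trailing '/'."""
    return path.strip("/") + "/"


def find_prefix_conflicts(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs where `parent` is a folder prefix of `child`.

    Because every normalized path ends in '/', `team1/` is a prefix of
    `team1/secrets/` but not of `team10/`: the slash is the folder boundary.
    Sorting puts a prefix before every path that extends it, so each parent
    only needs to be compared against the entries after it.
    """
    mounts = sorted({normalize(p) for p in paths})
    conflicts = []
    for i, parent in enumerate(mounts):
        for child in mounts[i + 1:]:
            if child.startswith(parent):
                conflicts.append((parent, child))
    return conflicts


def conflicts_in_table(table_json: str) -> List[Tuple[str, str]]:
    """Parse a `vault ... list -format=json` mount table and check it."""
    return find_prefix_conflicts(json.loads(table_json).keys())


def conflicts_from_vault() -> List[Tuple[str, str]]:
    """Run both list commands against a live Vault (needs VAULT_ADDR/VAULT_TOKEN)."""
    found = []
    for subcommand in ("secrets", "auth"):
        out = subprocess.run(
            ["vault", subcommand, "list", "-format=json"],
            check=True, capture_output=True, text=True,
        ).stdout
        found.extend(conflicts_in_table(out))
    return found


if __name__ == "__main__":
    for parent, child in conflicts_from_vault():
        print(f"conflict: {parent} is a prefix of {child}; remount before upgrading")
```

Run it with a token that can read `sys/mounts` and `sys/auth`; any pair it prints must be remounted at non-overlapping paths before the upgrade, since the failure shows up as an unseal error rather than at mount time.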

### `sys/` Top Level Injection

For the last two years, for backwards compatibility, data for various `sys/`
routes has been injected into both the secret's `data` map and the top level
of the JSON response object. However, this has some subtle issues that pop up
from time to time and is becoming increasingly complicated to maintain, so it's
finally being removed.

### Path Fallback for List Operations

For a very long time Vault has automatically adjusted `list` operations to
always end in a `/`, as list operations operate on prefixes, so all list
operations by definition end with `/`. This was done server-side so it affects all
clients. However, this has also led to a lot of confusion for users writing
policies that assume that the path they use in the CLI is the path used
internally. Starting in 0.11, ACL policies gain a new fallback rule for
listing: they will use a matching path ending in `/` if available, but if not
found, they will look for the same path without a trailing `/`. This allows
putting `list` capabilities in the same path block as most other capabilities
for that path, while not providing any extra access if `list` wasn't actually
provided there.

### Performance Standbys On By Default

If your flavor/license of Vault Enterprise supports Performance Standbys, they
are on by default. You can disable this behavior per-node with the
`disable_performance_standby` configuration flag.

### AWS Secret Engine Roles

Roles in the AWS Secret Engine were previously ambiguous. For example, if the
`arn` parameter had been specified, that could have been interpreted as the ARN
of an AWS IAM policy to attach to an IAM user or it could have been the ARN of
an AWS role to assume. Now, types are explicit, both in terms of what
credential type is being requested (e.g., an IAM User or an Assumed Role?)
as well as the parameters being sent to Vault (e.g., the IAM policy document
attached to an IAM user or used during a GetFederationToken call). All
credential retrieval remains backwards compatible, as does updating role data.
However, the data returned when reading role data is now different and
breaking, so anything which reads role data out of Vault will need to be
updated to handle the new role data format.

While creating/updating roles remains backwards compatible, the old parameters
are now considered deprecated. You should use the new parameters as documented
in the API docs.

As part of this, the `/aws/creds/` and `/aws/sts/` endpoints have been merged,
with the behavior only differing as specified below. The `/aws/sts/` endpoint
is considered deprecated and should only be used when needing backwards
compatibility.

All roles will be automatically updated to the new role format when accessed.
However, due to the way role data was previously being stored in Vault, it's
possible that invalid data was stored that both makes the upgrade impossible
and would have made the role unable to retrieve credentials. In this
situation, the previous role data is returned in an `invalid_data` key so you
can inspect what used to be in the role and correct the role data if desired.
One consequence of the prior AWS role storage format is that a single Vault
role could have led to two different AWS credential types being retrieved when
a `policy` parameter was stored. In this case, these legacy roles will be
allowed to retrieve both IAM User and Federation Token credentials, with the
credential type depending on the path used to access it (IAM User if accessed
via the `/aws/creds/<role_name>` endpoint and Federation Token if accessed via
the `/aws/sts/<role_name>` endpoint).
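Returning to the "Path Fallback for List Operations" section above: the following is an added example, not Vault's ACL code, that models the lookup order before and after 0.11 so the effect on a policy can be checked side by side. It reduces a policy to a map from path to capability set (glob rules carry a trailing `*`), evaluates exact rules first, then, for list requests only and only with the 0.11 fallback enabled, the exact rule for the path minus its trailing `/`, and finally the longest matching glob rule. Deny precedence, parameter constraints, wildcard path segments and merging of several policies are left out; the sample policies are constructed.

```python
"""Simplified model of the 0.11 list-path fallback in ACL policy evaluation.

Added example; this is not Vault's ACL code. Policies are modelled as a map
from path to capability set, with glob rules written with a trailing `*`.
Everything else in real policies (deny precedence, parameter constraints,
wildcard segments, multiple policies per token) is left out.
"""
from typing import Dict, Optional, Set

Policy = Dict[str, Set[str]]


def request_path(path: str, operation: str) -> str:
    """Vault rewrites list requests server-side so the path ends in '/'."""
    if operation == "list" and not path.endswith("/"):
        return path + "/"
    return path


def governing_rule(policy: Policy, path: str, operation: str,
                   list_fallback: bool) -> Optional[Set[str]]:
    """Pick the capability set that governs `path`.

    Order: exact rule for the path; with the 0.11 fallback, for a list
    request only, the exact rule for the path minus its trailing '/'; then
    the longest glob rule whose prefix matches. None means no rule matched,
    which is a deny.
    """
    if path in policy:
        return policy[path]
    if list_fallback and operation == "list" and path.endswith("/"):
        trimmed = path[:-1]
        if trimmed in policy:
            return policy[trimmed]
    globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
    if not globs:
        return None
    return policy[max(globs, key=len)]


def allowed(policy: Policy, path: str, operation: str,
            list_fallback: bool = True) -> bool:
    """Is `operation` on the CLI-style `path` permitted by `policy`?"""
    caps = governing_rule(policy, request_path(path, operation), operation, list_fallback)
    return caps is not None and operation in caps


# Constructed policies illustrating the change.
# Before 0.11 this block never granted list: `vault list secret/foo` is
# evaluated against `secret/foo/`, which has no rule of its own.
SAME_BLOCK = {"secret/foo": {"read", "update", "list"}}
# The fallback grants nothing extra: `list` is absent from the fallback block.
NO_LIST = {"secret/foo": {"read", "update"}}
# A rule written for the '/' form still wins over the fallback form.
SLASH_RULE_WINS = {"secret/foo": {"read", "list"}, "secret/foo/": {"read"}}
```

The third policy is the case to watch when reviewing existing policies after the upgrade: a block for `secret/foo/` that lacks `list` keeps denying list even though the `secret/foo` block grants it, because the fallback only applies when no rule exists for the `/` form.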

## Full List Since 0.10.0

### Revocations of dynamic secrets leases now asynchronous

Dynamic secret lease revocations are now queued/asynchronous rather
than synchronous. This allows Vault to take responsibility for revocation
even if the initial attempt fails. The previous synchronous behavior can be
attained via the `-sync` CLI flag or `sync` API parameter. When in
synchronous mode, if the operation results in failure it is up to the user
to retry.

### CLI Retries

The CLI will no longer retry commands on 5xx errors. This was a
source of confusion to users as to why Vault would "hang" before returning a
5xx error. The Go API client still defaults to two retries.

### Identity Entity Alias metadata

You can no longer manually set metadata on entity aliases. All alias data
(except the canonical entity ID it refers to) is intended to be managed by
the plugin providing the alias information, so allowing it to be set manually
didn't make sense.

### Convergent Encryption version 3

If you are using `transit`'s convergent encryption feature, which prior to this
release was at version 2, we recommend
[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
your encryption key (the new key will use version 3) and
[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
your data to mitigate the chance of offline plaintext-confirmation attacks.

### PKI duration return types

The PKI backend now returns durations (e.g. when reading a role) as an integer
number of seconds instead of a Go-style string.
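Client code that reads PKI role data has to cope with both duration formats while a fleet is partly upgraded. The following is an added example, not part of Vault or this guide, that parses the old Go-style strings (`768h0m0s` and the like) and passes the new integer seconds through, so callers see one representation either way. The field names it touches (`ttl`, `max_ttl`) and the two sample role reads are assumptions chosen for the example.

```python
"""Normalize PKI role durations across the 0.11 format change.

Added example; not part of Vault. Before 0.11, reading a PKI role returned
durations as Go-style strings such as "768h0m0s"; from 0.11 they are integer
seconds. Client code that must work on both sides of the upgrade can route
every duration field through `duration_seconds`. The field names touched and
the sample role reads below are assumptions for the example.
"""
import re
from typing import Any, Dict, Union

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0,
                 "ms": 1e-3, "us": 1e-6, "µs": 1e-6, "ns": 1e-9}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_GO_DURATION = re.compile(r"-?(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+")

DURATION_FIELDS = ("ttl", "max_ttl")  # assumed: the role fields to normalize


def duration_seconds(value: Union[int, float, str]) -> int:
    """Return whole seconds for either representation.

    Accepts the new integer form (or a purely numeric string, for clients
    that stringify JSON numbers) and the old Go `time.Duration` string form.
    Fractions of a second are truncated, as int64(d.Seconds()) would do.
    Anything else raises ValueError rather than silently becoming 0, which
    would otherwise turn a parse failure into a zero TTL.
    """
    if isinstance(value, bool):
        raise ValueError(f"not a duration: {value!r}")
    if isinstance(value, (int, float)):
        return int(value)
    text = value.strip()
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if not _GO_DURATION.fullmatch(text):
        raise ValueError(f"not a Go duration: {value!r}")
    sign = -1 if text.startswith("-") else 1
    total = sum(float(n) * _UNIT_SECONDS[u] for n, u in _COMPONENT.findall(text))
    return sign * int(total)


def is_duration(value: Any) -> bool:
    """True if `duration_seconds` accepts the value."""
    try:
        duration_seconds(value)
        return True
    except (ValueError, AttributeError):
        return False


def normalize_role(role: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a role read response with duration fields as integer seconds."""
    out = dict(role)
    for field in DURATION_FIELDS:
        if field in out:
            out[field] = duration_seconds(out[field])
    return out


# Constructed role reads: the same role as returned before and after 0.11.
OLD_FORMAT_ROLE = {"allowed_domains": ["example.com"],
                   "ttl": "768h0m0s", "max_ttl": "2160h0m0s"}
NEW_FORMAT_ROLE = {"allowed_domains": ["example.com"],
                   "ttl": 2764800, "max_ttl": 7776000}
```

Rejecting unparseable values matters more than it looks: a helper that defaulted to `0` on a parse failure would make a role appear to have no TTL, and downstream code that compares TTLs to a policy ceiling would pass it.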