1---
2layout: "docs"
3page_title: "Upgrading to Vault 0.11.0 - Guides"
4sidebar_title: "Upgrade to 0.11.0"
5sidebar_current: "docs-upgrading-to-0.11.0"
6description: |-
7  This page contains the list of deprecations and important or breaking changes
8  for Vault 0.11.0. Please read it carefully.
9---
10
11# Overview
12
13This page contains the list of deprecations and important or breaking changes
14for Vault 0.11.0 compared to 0.10.0. Please read it carefully.
15
16## Known Issues
17
18### Nomad Integration
19
Users who integrate Vault with Nomad should hold off on upgrading: a change to
Vault's API causes a runtime failure in the Nomad-to-Vault integration.
22
23### Minified JSON Policies
24
Policies written as minified JSON may fail to parse because of a regression in the
policy parser when it encounters consecutive (repeating) brackets. Although HCL is
the official language for Vault policies, HCL is JSON-compatible and JSON should
work in place of HCL. To work around this error, pretty-print the JSON policies or
add spaces between repeating brackets. This regression will be addressed in a
future release.
31
32### Common Mount Prefixes
33
Before running the upgrade, run `vault secrets list` and `vault auth list` and check
the mount table for mounts that share a common path prefix (nested "folders"). For
example, if there is a mount at `team1/` and another at `team1/secrets/`, the upgraded
Vault will fail to unseal. Before upgrading, such mounts must be remounted at paths
that do not share a common prefix.
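The following is an added example, not part of Vault or this guide: a small pre-upgrade check that parses the table printed by `vault secrets list` (or `vault auth list`) and reports every pair of mounts where one path is a prefix of the other. The sample output it runs on is constructed for the example and deliberately contains one nested pair; the accessor values in it are made up.

```python
"""Pre-upgrade check: find Vault mounts that share a path prefix.

Added example, not part of Vault. It parses the table printed by
`vault secrets list` (or `vault auth list`) and reports every pair of mounts
where one path is a prefix of the other, the condition this guide says will
stop the upgraded Vault from unsealing. The sample output below is
constructed to include one such pair.
"""
from typing import Iterable, List, Tuple

# Constructed sample of `vault secrets list` output (accessors are made up).
SAMPLE_SECRETS_LIST = """\
Path              Type         Accessor              Description
----              ----         --------              -----------
cubbyhole/        cubbyhole    cubbyhole_1a2b3c4d    per-token private secret storage
identity/         identity     identity_5e6f7a8b     identity store
secret/           kv           kv_9c0d1e2f           key/value secret storage
sys/              system       system_3a4b5c6d       system endpoints used for control, policy and debugging
team1/            kv           kv_7e8f9a0b           n/a
team1/secrets/    kv           kv_1c2d3e4f           n/a
"""


def parse_list_output(text: str) -> List[str]:
    """Return the Path column of `vault secrets list` / `vault auth list` output,
    skipping the header and separator rows."""
    paths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first = line.split()[0]
        if first == "Path" or first.startswith("----"):
            continue
        paths.append(first)
    return paths


def normalize_mount(path: str) -> str:
    """Mount table entries always end in '/'; apply that so 'team1' and
    'team1/' compare equal and so prefix tests stop at segment boundaries."""
    return path.strip().rstrip("/") + "/"


def find_prefix_conflicts(mounts: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs where `parent` is a path prefix of `child`.

    Because every normalized path ends in '/', 'team1/' conflicts with
    'team1/secrets/' but not with 'team10/'. Sorting puts each parent
    before the paths nested under it, so one forward scan is enough.
    """
    paths = sorted({normalize_mount(p) for p in mounts if p.strip()})
    conflicts = []
    for i, parent in enumerate(paths):
        for child in paths[i + 1:]:
            if child.startswith(parent):
                conflicts.append((parent, child))
    return conflicts


if __name__ == "__main__":
    for parent, child in find_prefix_conflicts(parse_list_output(SAMPLE_SECRETS_LIST)):
        print(f"remount before upgrading: {child!r} is nested under {parent!r}")
```

Run it against the real output of both list commands separately (secrets engines and auth methods live in different parts of the mount table), and remount anything it reports before starting the upgrade.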
39
40## Changes Since 0.10.4
41
42### Request Timeouts
43
A default request timeout of 90s is now enforced. This setting can be
overridden in the server configuration file with the
`default_max_request_duration` option. If you anticipate requests taking longer
than 90s, configure this setting before upgrading, since the new default applies
as soon as the upgraded server starts.
47
48### `sys/` Top Level Injection
49
For the last two years, for backwards compatibility, the data for various `sys/`
routes has been injected both into the Secret's `data` map and into the top
level of the JSON response object. This has caused subtle issues from time to
time and is becoming increasingly complicated to maintain, so the top-level
injection is finally being removed. Clients that read these values from the top
level of the response must read them from the `data` map instead.
55
56### Path Fallback for List Operations
57
For a very long time Vault has automatically adjusted `list` operations to
always end in a `/`: list operations operate on prefixes, so by definition
every list path ends with `/`. This adjustment is done server-side, so it
affects all clients. However, it has also led to a lot of confusion for users
writing policies who assume that the path they type in the CLI is the path
used internally, so that an exact-path block for `secret/foo` did not cover a
list that Vault evaluated against `secret/foo/`. Starting in 0.11, ACL policies
gain a fallback rule for listing: Vault uses a matching path ending in `/` if
one exists, and only if none is found does it look for the same path without
the trailing `/`. This allows putting `list` in the same path block as the
other capabilities for that path, while granting no extra access if `list` was
not actually provided there.
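To make the fallback rule concrete, here is an added example (not Vault's own ACL code) that models a policy as a mapping from exact path to granted capabilities and applies the 0.11 lookup order next to the pre-0.11 behaviour. Glob and templated paths are left out on purpose: the rule is about the trailing `/`, not about wildcards, and real Vault policy evaluation also considers longest-prefix glob matches that this model does not. The policies at the bottom are constructed for the example.

```python
"""Model of the 0.11 ACL fallback rule for `list` operations.

Added example, not Vault's own ACL code. A policy is modeled as a mapping
from an exact path to the capabilities granted there; glob and templated
paths are left out because the fallback rule is about the trailing '/',
not about wildcards. `list_allowed` applies the 0.11 rule, and
`list_allowed_pre_011` shows the earlier behaviour for comparison.
"""
from typing import Dict, Optional, Set

Policy = Dict[str, Set[str]]


def normalize_list_path(path: str) -> str:
    """The long-standing server-side adjustment: list works on prefixes, so
    the request path is forced to end with '/'."""
    return path if path.endswith("/") else path + "/"


def lookup_list_rule(policy: Policy, path: str) -> Optional[str]:
    """Return the policy path whose capabilities govern a list on `path`.

    0.11 rule: prefer the path with a trailing '/'; only if no such rule
    exists, fall back to the same path without it.
    """
    with_slash = normalize_list_path(path)
    if with_slash in policy:
        return with_slash
    without_slash = with_slash[:-1]
    if without_slash in policy:
        return without_slash
    return None


def list_allowed(policy: Policy, path: str) -> bool:
    """0.11 and later: list is permitted if the governing rule grants `list`."""
    rule = lookup_list_rule(policy, path)
    return rule is not None and "list" in policy[rule]


def list_allowed_pre_011(policy: Policy, path: str) -> bool:
    """Before 0.11 only the trailing-'/' path was ever consulted."""
    rule = normalize_list_path(path)
    return rule in policy and "list" in policy[rule]


# Constructed policies illustrating the change.
ONE_BLOCK = {"secret/team1": {"create", "read", "update", "delete", "list"}}
NO_LIST = {"secret/team1": {"read"}}
SLASH_WINS = {"secret/team1/": {"read"}, "secret/team1": {"list"}}

if __name__ == "__main__":
    print(list_allowed_pre_011(ONE_BLOCK, "secret/team1"))  # False: needed a 'secret/team1/' block
    print(list_allowed(ONE_BLOCK, "secret/team1"))          # True: falls back to 'secret/team1'
    print(list_allowed(NO_LIST, "secret/team1"))            # False: fallback adds no capability
    print(list_allowed(SLASH_WINS, "secret/team1"))         # False: the '/' rule exists and lacks list
```

The `SLASH_WINS` case is the one to keep in mind when auditing policies: once a block for the `/` path exists, the fallback is never consulted, so a `list` capability on the bare path is inert.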
69
70### Performance Standbys On By Default
71
72If your flavor/license of Vault Enterprise supports Performance Standbys, they
73are on by default. You can disable this behavior per-node with the
74`disable_performance_standby` configuration flag.
75
### AWS Secret Engine Roles

Roles in the AWS secrets engine were previously ambiguous. For example, if the
`arn` parameter had been specified, it could have been interpreted either as the
ARN of an AWS IAM policy to attach to an IAM user or as the ARN of an AWS role to
assume. Now, types are explicit, both in terms of the credential type being
requested (e.g., an IAM user or an assumed role) and the parameters being sent
to Vault (e.g., the IAM policy document attached to an IAM user or used during a
GetFederationToken call). All credential retrieval remains backwards compatible,
as does updating role data. However, the data returned when reading role data is
different and breaking, so anything that reads role data out of Vault will need
to be updated to handle the new role data format.
88
89While creating/updating roles remains backwards compatible, the old parameters
90are now considered deprecated. You should use the new parameters as documented
91in the API docs.
92
93As part of this, the `/aws/creds/` and `/aws/sts/` endpoints have been merged,
94with the behavior only differing as specified below. The `/aws/sts/` endpoint
95is considered deprecated and should only be used when needing backwards
96compatibility.
97
All roles are automatically updated to the new role format when accessed.
However, due to the way role data was previously stored in Vault, it is
possible that invalid data was stored that both makes the upgrade impossible
and would have made the role unable to retrieve credentials. In this
situation, the previous role data is returned in an `invalid_data` key so you
can inspect what used to be in the role and correct the role data if desired.
One consequence of the prior AWS role storage format is that a single Vault
role could have led to two different AWS credential types being retrieved when
a `policy` parameter was stored. In this case, these legacy roles are allowed
to retrieve both IAM User and Federation Token credentials, with the credential
type depending on the path used to access the role (IAM User via the
`/aws/creds/<role_name>` endpoint and Federation Token via the
`/aws/sts/<role_name>` endpoint).
111
112## Full List Since 0.10.0
113
114### Revocations of dynamic secrets leases now asynchronous
115
Dynamic secret lease revocations are now queued/asynchronous rather than
synchronous. This allows Vault to take responsibility for revocation even if
the initial attempt fails. The previous synchronous behavior can be attained
via the `-sync` CLI flag or the `sync` API parameter. In synchronous mode, if
the operation fails it is up to the user to retry.
122
123### CLI Retries
124
125The CLI will no longer retry commands on 5xx errors. This was a
126source of confusion to users as to why Vault would "hang" before returning a
1275xx error. The Go API client still defaults to two retries.
128
129### Identity Entity Alias metadata
130
131You can no longer manually set metadata on
132entity aliases. All alias data (except the canonical entity ID it refers to)
133is intended to be managed by the plugin providing the alias information, so
134allowing it to be set manually didn't make sense.
135
136### Convergent Encryption version 3
137
138If you are using `transit`'s convergent encryption feature, which prior to this
139release was at version 2, we recommend
140[rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
141your encryption key (the new key will use version 3) and
142[rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
143your data to mitigate the chance of offline plaintext-confirmation attacks.
144
145### PKI duration return types
146
147The PKI backend now returns durations (e.g. when reading a role) as an integer
148number of seconds instead of a Go-style string.
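A client that reads PKI role data from both pre-0.11 and 0.11 servers has to accept both forms. The following is an added example, not part of Vault: `duration_seconds` converts either an integer or a Go-style duration string into whole seconds, rejecting malformed input instead of silently treating it as zero, and `normalize_role_durations` applies it to the `ttl` and `max_ttl` fields of a role read response. The role data at the bottom is constructed for the example.

```python
"""Normalize PKI role durations across the 0.11 return-type change.

Added example, not part of Vault. Before 0.11 the PKI backend returned
durations such as a role's `ttl` and `max_ttl` as Go-style strings
("768h0m0s"); from 0.11 they are integer seconds. A client that must read
role data from both versions can pass every duration field through
`duration_seconds`, which accepts either form and rejects anything else
rather than silently treating it as zero.
"""
import re
from decimal import Decimal
from typing import Any, Dict, Iterable

# Units of Go's time.Duration.String() output, in nanoseconds. Go never prints
# "d"; it is accepted here as an extra input form.
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000,
    "d": 86_400_000_000_000,
}
# Longer unit names are listed first so "ms" is not read as "m" plus garbage.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)")


def duration_seconds(value: Any) -> int:
    """Return `value` as whole seconds (truncated, as Go does).

    Accepts an int (0.11+ format), a string of digits, or a Go-style
    duration string such as "1h30m" or "768h0m0s". Raises ValueError for
    negative, empty or malformed input.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"not a duration: {value!r}")
    if isinstance(value, int):
        if value < 0:
            raise ValueError(f"negative duration: {value!r}")
        return value
    s = value.strip()
    if not s:
        raise ValueError("empty duration")
    if s.isdigit():
        return int(s)
    total_ns = 0
    pos = 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"malformed duration {value!r} at offset {pos}")
        # Decimal keeps "1.5h" exact instead of going through binary floats.
        total_ns += int(Decimal(m.group(1)) * _UNIT_NS[m.group(2)])
        pos = m.end()
    return total_ns // 1_000_000_000


def is_valid_duration(value: Any) -> bool:
    """True if `duration_seconds` accepts `value`."""
    try:
        duration_seconds(value)
    except ValueError:
        return False
    return True


def normalize_role_durations(role: Dict[str, Any],
                             fields: Iterable[str] = ("ttl", "max_ttl")) -> Dict[str, Any]:
    """Return a copy of a PKI role read response's `data` with the named
    duration fields converted to integer seconds, whichever Vault version
    produced them. Missing or null fields are left alone."""
    out = dict(role)
    for field in fields:
        if field in out and out[field] is not None:
            out[field] = duration_seconds(out[field])
    return out


# Constructed role data as an older Vault returned it, and as 0.11 returns it.
OLD_ROLE = {"ttl": "768h0m0s", "max_ttl": "8760h0m0s", "allow_any_name": False}
NEW_ROLE = {"ttl": 2764800, "max_ttl": 31536000, "allow_any_name": False}

if __name__ == "__main__":
    print(normalize_role_durations(OLD_ROLE) == NEW_ROLE)  # True
```

Truncation rather than rounding is deliberate: a certificate TTL should never be read as longer than the server actually granted.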
149