hashicorp · schavis · Oct 9, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 25, 2025
@@ -30,6 +30,6 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.20.0 | 1.20.1 | **Yes**    | All        | [GUI navigation error for KV v2 secret paths containing underscores](/vault/docs/v1.20.x/updates/important-changes#ui-kvv2-underscore-secrets)
 1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-refresh)
 1.20.0 | 1.20.1 | **Yes**    | All        | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin)
-1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
-1.19.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events)
+1.20.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
+1.20.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events)
 1.20.0 | No     | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.20.x/updates/important-changes#multi-seal-rewrap)
@@ -0,0 +1,16 @@
+### Breaking changes
+
+Introduced | Recommendations | Edition    | Change
+---------- | --------------- | ---------- | ------
+1.21.0     | **Yes**         | All        | [Audiences required for Kubernetes authentication roles](/vault/docs/v1.21.x/updates/important-changes#k8-audience-required)
+
+
+### New behavior
+
+None.
+
+### Known issues
+
+Found  | Fixed  | Workaround | Edition    | Issue
+------ |--------| ---------- | ---------- | -----
+1.21.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.21.x/updates/important-changes#missed-events)
@@ -254,7 +254,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

@@ -230,7 +230,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

@@ -258,7 +258,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

@@ -155,7 +155,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

@@ -403,7 +403,7 @@ This endpoint creates a destination to synchronize secrets with the GCP Secret M
   store replicated secrets. Note that secrets remain globally readable regardless of the selected locations.
 
 - `locational_kms_keys` `(map<string|string>: nil)` - A map of location names to KMS key names to leverage customer-managed encryption keys for
-  encryption at rest. Each pair follows the format `location_name=encryption_key_resource_ID`. Refer to the
+  encryption at rest. Each pair follows the format `location_name=encryption_key_resource_name`. Refer to the
   [sample payloads](#sample-payloads) for more details.
 
 - `secret_name_template` `(string: "")` - Template to use when generating the secret names on the external system.

@@ -240,7 +240,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

@@ -258,7 +258,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

@@ -169,9 +169,15 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.activedirectory.count`                         | The total number of Active Directory secret engines in Vault.                                              |
 | `vault.secret.engine.alicloud.count`                                | The total number of Alicloud secret engines in Vault.                                                      |
 | `vault.secret.engine.aws.count`                                     | The total number of AWS secret engines in Vault.                                                           |
+| `vault.secret.engine.aws.dynamic.role.count`                        | The total number of AWS dynamic roles in Vault.                                                            |
+| `vault.secret.engine.aws.static.role.count`                         | The total number of AWS static roles in Vault.                                                             |
 | `vault.secret.engine.azure.count`                                   | The total number of Azure secret engines in Vault.                                                         |
+| `vault.secret.engine.azure.dynamic.role.count`                      | The total number of Azure dynamic roles in Vault.                                                          |
 | `vault.secret.engine.consul.count`                                  | The total number of Consul secret engines in Vault.                                                        |
 | `vault.secret.engine.gcp.count`                                     | The total number of GCP secret engines in Vault.                                                           |
+| `vault.secret.engine.gcp.impersonated.account.count`                | The total number of GCP impersonated accounts in Vault.                                                    |
+| `vault.secret.engine.gcp.roleset.count`                             | The total number of GCP rolesets in Vault.                                                                 |
+| `vault.secret.engine.gcp.static.role.count`                         | The total number of GCP static roles in Vault.                                                             |
 | `vault.secret.engine.gcpkms.count`                                  | The total number of GCPKMS secret engines in Vault.                                                        |
 | `vault.secret.engine.kubernetes.count`                              | The total number of Kubernetes secret engines in Vault.                                                    |
 | `vault.secret.engine.cassandra.count`                               | The total number of Cassandra secret engines in Vault.                                                     |
@@ -181,11 +187,15 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.mongodb.count`                                 | The total number of MongoDB secret engines in Vault.                                                       |
 | `vault.secret.engine.mongodbatlas.count`                            | The total number of MongoDBAtlas secret engines in Vault.                                                  |
 | `vault.secret.engine.mssql.count`                                   | The total number of MSSql secret engines in Vault.                                                         |
-| `vault.secret.engine.mysql.count`                                   | The total number of MySQL secret engines in Vault. |
+| `vault.secret.engine.mysql.count`                                   | The total number of MySQL secret engines in Vault.                                                         |
 | `vault.secret.engine.postgresql.count`                              | The total number of Postgresql secret engines in Vault.                                                    |
 | `vault.secret.engine.nomad.count`                                   | The total number of Nomad secret engines in Vault.                                                         |
 | `vault.secret.engine.ldap.count`                                    | The total number of LDAP secret engines in Vault.                                                          |
+| `vault.secret.engine.ldap.dynamic.role.count`                       | The total number of LDAP dynamic roles in Vault.                                                           |
+| `vault.secret.engine.ldap.static.role.count`                        | The total number of LDAP static roles in Vault.                                                            |
 | `vault.secret.engine.openldap.count`                                | The total number of OpenLDAP secret engines in Vault.                                                      |
+| `vault.secret.engine.openldap.dynamic.role.count`                   | The total number of OpenLDAP dynamic roles in Vault.                                                       |
+| `vault.secret.engine.openldap.static.role.count`                    | The total number of OpenLDAP static roles in Vault.                                                        |
 | `vault.secret.engine.pki.count`                                     | The total number of PKI secret engines in Vault.                                                           |
 | `vault.secret.engine.rabbitmq.count`                                | The total number of RabbitMQ secret engines in Vault.                                                      |
 | `vault.secret.engine.ssh.count`                                     | The total number of SSH secret engines in Vault.                                                           |
@@ -194,6 +204,8 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.transform.count`                               | The total number of Transform secret engines in Vault.                                                     |
 | `vault.secret.engine.transit.count`                                 | The total number of Transit secret engines in Vault.                                                       |
 | `vault.secret.engine.database.count`                                | The total number of Database secret engines in Vault.                                                      |
+| `vault.secret.engine.database.dynamic.role.count`                   | The total number of Database dynamic roles in Vault.                                                       |
+| `vault.secret.engine.database.static.role.count`                    | The total number of Database static roles in Vault.                                                        |
 | `vault.secret.engine.plugin.count`                                  | The total number of custom plugin secret engines in Vault.                                                 |
 | `vault.secretsync.sources.count`                                    | The total number of secret sources configured for secret sync.                                             |
 | `vault.secretsync.destinations.count`                               | The total number of secret destinations configured for secret sync.                                        |

@@ -95,7 +95,9 @@ Prerequisites:
   ```shell-session
   $ vault write sys/sync/destinations/gcp-sm/my-dest/associations/set \
       mount='my-kv' \
-      secret_name='my-secret'
+      secret_name='my-secret' \
+      replication_locations='us-east1' \
+      locational_kms_keys='us-east1=projects/my-project/locations/us-east1/keyRings/my-east-keyring/cryptoKeys/my-east-key'
   ```
 
   **Output:**
@@ -137,7 +139,30 @@ corresponds with the planned replication policy. The key rings and keys must be
 
 When using a global KMS key, it must be the only key set on the destination and the replication locations must remain unset, meaning
 it can only be used with using GCP's automatic replication. When specifying regional keys, a key must be set for each region in the
-replication location list. GCP key names are expected in the format of the entire resource ID, e.g. `projects/<project_id>/locations/<location_name>/keyRings/<key_ring_name>/cryptoKeys/<key_name>`. See the [API](#api) section for more details.
+replication location list.
+
+You must specify GCP key names using the entire resource name. For example, 
+`projects/<project_id>/locations/<location_name>/keyRings/<key_ring_name>/cryptoKeys/<key_name>`.
+GCP key names, including the `keyRings` and `cryptoKeys` segments, are
+case-sensitive.
+Refer to the [Secrets sync API examples](/vault/api-docs/system/secrets-sync#sync-secrets-to-gcp-with-a-global-kms-key) for more details.
+
+A service agent identity for the `secretsmanager` API must be created for GCP keys. 
+The correct IAM policy bindings must be granted to the service agents
+with the `cloudkms.cryptoKeyEncrypterDecrypter` role. Be aware that you must
+grant the CloudKMS role to the service agent for each key and its corresponding
+replication location you want to use.
+
+Refer to the [GCP documentation](https://cloud.google.com/secret-manager/docs/cmek)
+for more details on setting up your GCP key resources. 
+
+<Warning title="CMEK silent failures">
+
+Failure to establish the proper IAM policy bindings for all encryption keys and replication locations
+typically causes GCP to silently ignore the customer-managed keys and fall back to Google-managed keys. Ensure you are using customer-managed encryption by validating the encryption type value on
+the secrets from the gcloud CLI or the web console.
+
+</Warning>
 
 ## Permissions
 

@@ -0,0 +1,200 @@
+---
+layout: api
+page_title: AliCloud - Auth Methods - HTTP API
+description: This is the API documentation for the Vault AliCloud auth method.
+---
+
+# AliCloud auth method (API)
+
+This is the API documentation for the Vault AliCloud auth method. For
+general information about the usage and operation of the AliCloud method, please
+see the [Vault AliCloud auth method documentation](/vault/docs/auth/alicloud).
+
+This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
+path in Vault. Since it is possible to enable auth methods at any location,
+please update your API calls accordingly.
+
+## Create/Update role
+
+Registers a role. Only entities using the role registered using this endpoint
+will be able to perform the login operation.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `POST` | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role. Must correspond with the name of the role reflected in the arn.
+- `arn` `(string: <required>)` - The role's arn.
+
+@include 'tokenfields.mdx'
+
+### Sample payload
+
+```json
+{
+  "arn": "acs:ram::5138828231865461:role/dev-role",
+  "policies": ["dev", "prod"]
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+## Read role
+
+Returns the previously registered role configuration.
+
+| Method | Path                        |
+| :----- | :-------------------------- |
+| `GET`  | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "arn": "acs:ram::5138828231865461:role/dev-role",
+    "policies": ["default", "dev", "prod"],
+    "ttl": 1800000,
+    "max_ttl": 1800000,
+    "period": 0
+  }
+}
+```
+
+## List roles
+
+Lists all the roles that are registered with the method.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `LIST` | `/auth/alicloud/roles` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/alicloud/roles
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "keys": ["dev-role", "prod-role"]
+  }
+}
+```
+
+## Delete role
+
+Deletes the previously registered role.
+
+| Method   | Path                        |
+| :------- | :-------------------------- |
+| `DELETE` | `/auth/alicloud/role/:role` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
+```
+
+## Login
+
+Fetch a token. This endpoint verifies the signature of the signed
+GetCallerIdentity request.
+
+| Method | Path                   |
+| :----- | :--------------------- |
+| `POST` | `/auth/alicloud/login` |
+
+### Parameters
+
+- `role` `(string: <required>)` - Name of the role.
+- `identity_request_url` `(string: <required>)` - Base64-encoded HTTP URL used in
+  the signed request.
+- `identity_request_headers` `(string: <required>)` - Base64-encoded,
+  JSON-serialized representation of the sts:GetCallerIdentity HTTP request
+  headers. The JSON serialization assumes that each header key maps to either a
+  string value or an array of string values (though the length of that array
+  will probably only be one).
+
+### Sample payload
+
+```json
+{
+  "role": "dev-role",
+  "identity_request_url": "aWRlbnRpdHlabrVxdWVzdF91cmw=",
+  "identity_request_headers": "aWRlimRpdHlfcmVxdWVzdF9oZWFkZXJz"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/auth/alicloud/login
+```
+
+### Sample response
+
+```json
+{
+  "auth": {
+    "renewable": true,
+    "lease_duration": 1800000,
+    "metadata": {
+      "role_tag_max_ttl": "0",
+      "instance_id": "i-de0f1344",
+      "ami_id": "ami-fce36983",
+      "role": "dev-role",
+      "auth_type": "ec2",
+      "account_id": "5138828231865461",
+      "user_id": "216959339000654321",
+      "role_id": "4657-abcd",
+      "arn": "acs:ram::5138828231865461:assumed-role/dev-role/vm-ram-i-rj978rorvlg76urhqh7q",
+      "identity_type": "assumed-role",
+      "principal_id": "vm-ram-i-rj978rorvlg76urhqh7q",
+      "request_id": "D6E46F10-F26C-4AA0-BB69-FE2743D9AE62",
+      "role_name": "dev-role"
+    },
+    "policies": ["default", "dev"],
+    "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
+    "client_token": "d9368254-3f21-aded-8a6f-7c818e81b17a"
+  }
+}
+```