5.8.0 (March 12, 2026)
FEATURES:
- Add support for CF auth backend: `vault_cf_auth_backend_config` and `vault_cf_auth_backend_role` resources, and `vault_cf_auth_login` ephemeral resource for short-lived Vault tokens.
- Add support for SPIFFE secrets backend. (#2660)
- Add support for pki-external-ca secrets backend. (#2771)
- Add new KMIP resources `vault_kmip_secret_ca_generated`, `vault_kmip_secret_ca_imported`, `vault_kmip_secret_listener`, and add support for the `ca` field in `vault_kmip_secret_role`. (#2773)
- `vault_secrets_sync_azure_destination`: Add support for Workload Identity Federation (WIF) fields `identity_token_audience`, `identity_token_audience_wo_version`, `identity_token_ttl`, and `identity_token_key` to enable token-based authentication with Azure. Requires Vault 2.0.0+. (#2790)
- `vault_secrets_sync_aws_destination`: Add support for Workload Identity Federation (WIF) fields `identity_token_audience`, `identity_token_ttl`, and `identity_token_key` to enable token-based authentication with AWS. Requires Vault 2.0.0+. (#2792)
- `vault_secrets_sync_gcp_destination`: Add support for Workload Identity Federation (WIF) fields `identity_token_audience_wo`, `identity_token_audience_wo_version`, `identity_token_ttl`, `identity_token_key_wo`, `identity_token_key_wo_version` and `service_account_email` to enable token-based authentication with GCP. Requires Vault 2.0.0+. (#2798)
- New Ephemeral Resource: Add ephemeral resource for `vault_generic_secret`. (#2735)
- New Ephemeral Resource: Add ephemeral resource `vault_terraform_token`, by @drewmullen. (#2616)
IMPROVEMENTS:
- `vault_managed_keys`: Add support for GCP Cloud KMS managed keys with parameters: `credentials`, `project`, `key_ring`, `region`, `crypto_key`, `crypto_key_version`, and `algorithm`. (#2769)
- `vault_okta_auth_backend`: Add support for write-only field `api_token_wo` with version counters to prevent sensitive credentials from being stored in Terraform state. Deprecate `organization` and `token` and replace with `org_name` and `api_token` respectively in the `vault_okta_auth_backend` resource. (#2736)
- `vault_kubernetes_secret_backend_role`: Add support for the `token_default_audiences` field to configure default audiences for generated Kubernetes tokens. Requires Vault 1.15+. (#2722)
- `vault_raft_snapshot_agent_config`: Add support for `azure_auth_mode` and `azure_client_id` fields for Azure Managed Identity authentication (Vault Enterprise 1.18.0+), and the `autoload_enabled` field for automatic snapshot restoration (Vault Enterprise 1.21.0+). (#2758)
- `vault_ssh_secret_backend_role`: Add support for fields (`default_extensions_template`, `exclude_cidr_list`, `port`) and improve handling of key-type-specific fields (`default_extensions`, `default_extensions_template`, `exclude_cidr_list`, `port`) to prevent drift. Fields that are not applicable to a role's key type (CA or OTP) are now conditionally set in state only when returned by Vault, preventing perpetual drift when users configure fields that Vault ignores. CA key type supports: `default_extensions`, `default_extensions_template`. OTP key type supports: `port`, `exclude_cidr_list`. (#2747)
- Added `remove_roots_from_chain` field to `vault_pki_secret_backend_root_cert` and `resource_pki_secret_backend_sign`. (#2760)
- `vault_pki_secret_backend_root_cert`: Add support for `use_pss` and `key_usage` fields to configure PSS signature scheme and X.509 key usage constraints for root CA certificates. Requires Vault 1.18.0+ and 1.19.2+ respectively. (#2754)
- `vault_pki_secret_backend_root_sign_intermediate`: Add version check for the `key_usage` field to ensure compatibility with Vault 1.19.2+ for configuring X.509 key usage constraints on intermediate CA certificates. (#2754)
- provider/auth_jwt: Add support for the `distributed_claim_access_token` field in the `auth_login_jwt` configuration block. (#2782)
- `vault_database_secret`: Add support for additional credential types (`rsa_private_key`, `client_certificate`, `private_key`, `private_key_type`) in the ephemeral resource to support all database credential types available in Vault's database secrets engine. (#2767)
- Updated dependencies:
  - `github.com/Azure/azure-sdk-for-go/sdk/azcore` v1.20.0 -> v1.21.0
  - `github.com/aws/aws-sdk-go-v2` v1.32.5 -> v1.41.3
  - `github.com/aws/aws-sdk-go-v2/service/iam` v1.38.1 -> v1.53.5
  - `github.com/aws/aws-sdk-go-v2/service/sts` v1.33.1 -> v1.41.8
  - `github.com/aws/smithy-go` v1.22.1 -> v1.24.2
  - `github.com/coreos/pkg` v0.0.0-20230601102743-20bbbf26f4d8 -> v0.0.0-20240122114842-bbd7aa9bf6fb
  - `github.com/go-viper/mapstructure/v2` v2.4.0 -> v2.5.0
  - `github.com/googleapis/enterprise-certificate-proxy` v0.3.12 -> v0.3.14
  - `github.com/hashicorp/consul/api` v1.33.0 -> v1.33.4
  - `github.com/hashicorp/go-secure-stdlib/awsutil/v2` v2.1.1 -> v2.1.2
  - `github.com/hashicorp/terraform-plugin-framework` v1.16.1 -> v1.19.0
  - `github.com/hashicorp/terraform-plugin-go` v0.29.0 -> v0.31.0
  - `github.com/hashicorp/terraform-plugin-mux` v0.21.0 -> v0.23.0
  - `github.com/hashicorp/terraform-plugin-sdk/v2` v2.38.1 -> v2.40.0
  - `github.com/hashicorp/terraform-plugin-testing` v1.13.3 -> v1.15.0
  - `github.com/hashicorp/vault-plugin-auth-oci` v0.20.0 -> v0.20.1
  - `github.com/hashicorp/vault/sdk` v0.22.0 -> v0.23.0
  - `github.com/spiffe/go-spiffe/v2` v2.5.0 -> v2.6.0
  - `golang.org/x/crypto` v0.45.0 -> v0.49.0
  - `golang.org/x/net` v0.47.0 -> v0.52.0
  - `golang.org/x/oauth2` v0.31.0 -> v0.36.0
  - `golang.org/x/sync` v0.19.0 -> v0.20.0
  - `golang.org/x/sys` v0.41.0 -> v0.42.0
  - `golang.org/x/text` v0.34.0 -> v0.35.0
  - `golang.org/x/time` v0.14.0 -> v0.15.0
  - `golang.org/x/tools` v0.41.0 -> v0.42.0
  - `google.golang.org/api` v0.251.0 -> v0.271.0
  - `google.golang.org/genproto` v0.0.0-20250603155806-513f23925822 -> v0.0.0-20260311181403-84a4fc48630c
  - `google.golang.org/genproto/googleapis/api` v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260226221140-a57be14db171
  - `google.golang.org/genproto/googleapis/rpc` v0.0.0-20260217215200-42d3e9bedb6d -> v0.0.0-20260226221140-a57be14db171
  - `google.golang.org/grpc` v1.79.1 -> v1.79.2
  - `hashicorp/setup-terraform` v3 -> v4
  - `github.com/cloudflare/circl` v1.6.1 -> v1.6.3
  - `filippo.io/edwards25519` v1.1.0 -> v1.1.1
  - `k8s.io/utils` v0.0.0-20240102154912-e7106e64919e -> v0.0.0-20260210185600-b8788abfbbc2
BUGS:
- Clears the `bindpass` field in the state file after migrating to the write-only field in the `vault_ldap_auth_backend` resource. (#2813)