---
layout: docs
page_title: "1.17.0 release notes"
description: |-
  Key updates for Vault 1.17.0
---

# Vault 1.17.0 release notes

**GA date:** 2024-06-12

@include 'release-notes/intro.mdx'

## Important changes

| Change | Description |
|--------|-------------|
| New default (1.17) | [Allowed audit headers now have unremovable defaults](/vault/docs/upgrading/upgrade-to-1.17.x#audit-headers) |
| Opt out feature (1.17) | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/upgrading/upgrade-to-1.17.x#pki-truncate) |
| Beta feature deprecated (1.17) | [Request limiter deprecated](/vault/docs/upgrading/upgrade-to-1.17.x#request-limiter) |
| Known issue (1.17.0+) | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/upgrading/upgrade-to-1.17.x#pki-ocsp) |
| Known issue (1.17.0) | [Vault Agent and Vault Proxy consume excessive amounts of CPU](/vault/docs/upgrading/upgrade-to-1.17.x#agent-proxy-cpu-1-17) |
| Known issue (1.15.8 - 1.15.9, 1.16.0 - 1.16.3) | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.16.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) |
| Known issue (1.17.0 - 1.17.2) | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.17.x#dangling-entity-alias-in-memory) |
| Known issue (1.17.0 - 1.17.3) | [AWS Auth AssumeRole requires an external ID even if none is set](/vault/docs/upgrading/upgrade-to-1.17.x#aws-auth-role-configuration-requires-an-external_id) |
| Known issue (0.7.0+) | [Duplicate identity groups created](/vault/docs/upgrading/upgrade-to-1.17.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) |
| Known issue (0.7.0+) | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.17.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) |
| Known issue (1.17.3 - 1.17.4) | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.17.x#client-tokens-and-token-accessors-audited-in-plaintext) |
| Known issue (1.17.0 - 1.17.5) | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/upgrading/upgrade-to-1.17.x#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated) |

## Vault companion updates

Companion updates are Vault updates that live outside the main Vault binary.

**None**.

## Core updates

Follow the learn more links for more information, or browse the list of
[Vault tutorials updated to highlight changes for the most recent GA release](/vault/tutorials/new-release).

| Release | Update | Description |
|---------|--------|-------------|
| Security patches | ENHANCED | Various security improvements to remediate varying severity and informational findings from a 3rd party security audit. |
| Vault Agent and Vault Proxy self-healing tokens | ENHANCED | Auto-authentication avoids agent/proxy restarts and config changes by automatically re-authenticating authN tokens to Vault. Learn more: Vault Agent and Vault Proxy auto-auth |

## Enterprise updates

| Release | Update | Description |
|---------|--------|-------------|
| Adaptive overload protection | BETA | Prevent client requests from overwhelming a variety of server resources that could lead to poor server availability. Learn more: Adaptive overload protection overview |
| ACME Client Count | ENHANCED | To improve clarity around client counts, Vault now separates ACME clients from non-entity clients. |
| Public Key Infrastructure (PKI) | GA | Automate certificate lifecycle management for IoT/EST enabled devices with native EST protocol support. Learn more: Enrollment over Secure Transport (EST) overview |
| | GA | Submit custom metadata with certificate requests and store the additional information in Vault for further analysis. Learn more: PKI secrets engine API |
| Resource management | ENHANCED | Vault now supports a greater number of namespaces and mounts for large-scale Vault installations. |
| | GA | Use hierarchical mount paths to organize, manage, and control access to secret engine objects. |
| | GA | Safely override the max entry size to set different limits for specific storage entries that contain mount tables, auth tables and namespace configuration data. Learn more: `max_mount_and_namespace_table_entry_size` parameter |
| Transit | GA | Use cipher-based message authentication code (CMAC) with AES symmetric keys in the Vault Transit plugin. Learn more: CMAC support |
| Plugin identity tokens | GA | Enable AWS, Azure, and GCP authentication flows with workload identity federation (WIF) tokens from the associated secrets plugins without explicitly configuring sensitive security credentials. Learn more: Plugin WIF overview |
| LDAP Secrets Engine | GA | Use hierarchical paths with roles and set names to define policies that map 1-1 to LDAP secrets engine roles. Learn more: Hierarchical paths overview |
| Clock skew and lag detection | GA | Use the `sys/health` and `sys/ha-status` endpoints to display lags in performance secondaries and performance standby nodes. Learn more: Clock skew and replication lag overview |

## Feature deprecations and EOL

| Deprecated in 1.17 | Retired in 1.17 |
|--------------------|-----------------|
| None | Centrify Auth plugin |

@include 'release-notes/deprecation-note.mdx'