HashiCorp Vault 2.0 Marks Shift to IBM Lifecycle with New Identity Federation (3 minute read)
HashiCorp Vault 2.0 is the first major release under IBM ownership, adding workload identity federation to eliminate static cloud credentials while introducing breaking changes and a two-year support lifecycle.
What: Vault 2.0 jumps from version 1.21 to adopt IBM's versioning model after the acquisition, introducing workload identity federation that uses OIDC tokens to authenticate with AWS, Azure, and GCP without long-lived credentials, plus SCIM provisioning, SPIFFE support, and PKI automation enhancements.
Why it matters: This release signals Vault's direction after HashiCorp's 2023 license change to Business Source License sparked the OpenBao fork, and addresses a critical security gap by removing static credential requirements during secret synchronization across cloud providers.
Takeaway: Review the migration documentation if running Vault 1.x, particularly Azure authentication configurations that now require explicit settings instead of environment variable fallbacks.
Deep dive
- The version jump from 1.21 to 2.0 reflects IBM's acquisition and support model shift, guaranteeing at least two years of standard support for major releases under the IBM Support Cycle-2 policy
- Workload Identity Federation removes the static cloud credentials that secret sync previously needed: Vault presents a short-lived, signed OIDC identity token, the cloud provider verifies it against Vault's published signing keys and exchanges it for temporary credentials, so there is no long-lived access key on disk to leak during synchronization
- Internal storage engine modifications target performance improvements for high-volume operations like real-time encryption and authentication at enterprise scale
- Breaking changes remove legacy components to simplify codebase maintenance, including Azure authentication now requiring explicit configuration rather than environment variable defaults (enforcement of changes that began in 1.20)
- Beta SCIM 2.0 support enables automated provisioning of Vault entities and groups from external identity platforms, reducing manual identity management overhead
- SPIFFE JWT-SVID support allows workloads to participate in SPIFFE-based identity meshes, bridging proprietary HashiCorp features with open standards
- Enhanced PKI secrets engine automation for certificate issuance and renewal supports zero-trust networking by removing the manual certificate handling where credentials tend to be leaked or left unrotated
- The release comes as teams evaluate Vault against cloud-native alternatives like AWS Secrets Manager and Azure Key Vault (tighter platform integration but less portability) and managed services like Akeyless and Doppler (no cluster to operate yourself)
- The 2023 license change from Mozilla Public License to Business Source License prompted the community-driven OpenBao fork, making IBM's stewardship particularly important to the community
- This is the first major version increment since version 1.0 launched in 2018, representing eight years of feature development under the 1.x line
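The token flow behind both the workload identity federation and the JWT-SVID items above is the same: an issuer signs a short-lived JWT, publishes only its public keys as a JWKS, and the relying party verifies the signature plus issuer, audience and expiry before handing out anything. The following is an added example written for this page, not code from Vault, IBM or the article; the issuer URL, audience, SPIFFE ID and key ID are constructed stand-ins, and it signs with RS256 using only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed values for this example (hypothetical issuer and audience).
const (
	IssuerURL = "https://vault.example.internal/v1/identity/oidc/plugins"
	Audience  = "sts.example-cloud.test"
)

// JWK/JWKS: the RFC 7517 subset needed to publish an RSA signing key.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims: the registered claims a federation verifier must check. Real verifiers
// must also accept "aud" as a JSON array; a single string is enough here.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // for a JWT-SVID this is the workload's SPIFFE ID
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublishJWKS is what the issuer serves at its jwks_uri: public material only.
func PublishJWKS(key *rsa.PrivateKey, kid string) JWKS {
	e := big.NewInt(int64(key.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, Alg: "RS256", N: b64(key.N.Bytes()), E: b64(e)}}}
}

// MintToken signs an RS256 JWT the way an identity-token issuer would.
func MintToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken is the relying party's side: pin the algorithm (never let the header
// choose it), pick the key by kid from the published JWKS, check the signature,
// then issuer, audience and expiry. Any failure means no credential is issued.
func VerifyToken(token string, jwks JWKS, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, err := dec(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, errN := dec(k.N)
			e, errE := dec(k.E)
			if errN != nil || errE != nil {
				return Claims{}, errors.New("bad JWK encoding")
			}
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return Claims{}, errors.New("no JWKS key matches kid")
	}
	sig, err := dec(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("signature invalid")
	}
	body, err := dec(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != IssuerURL:
		return Claims{}, errors.New("issuer mismatch")
	case c.Aud != Audience:
		return Claims{}, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := PublishJWKS(key, "vault-key-1")
	now := time.Now()
	c := Claims{Iss: IssuerURL, Sub: "spiffe://example.test/ns/prod/sa/sync", Aud: Audience,
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	tok, _ := MintToken(key, "vault-key-1", c)
	got, err := VerifyToken(tok, jwks, now)
	fmt.Println("verified subject:", got.Sub, "err:", err)
	_, err = VerifyToken(tok, jwks, now.Add(10*time.Minute)) // replay after expiry is refused
	fmt.Println("after expiry:", err)
}
```

The point for operators is the trust shape this creates: the cloud side holds nothing but Vault's public keys and a fixed issuer/audience pair, and a token signed by any other key, issued for a different audience, or presented after its five-minute window is rejected. Rotating the signing key is just publishing a new kid in the JWKS, which is exactly the property static access keys never had.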
Decoder
- OIDC tokens: OpenID Connect identity tokens, signed JWTs issued by an identity provider; the relying party verifies the signature against the issuer's published public keys, so it holds no shared secret, and the token expires on its own instead of living until someone rotates it
- SCIM: System for Cross-domain Identity Management, a standard protocol for automating user and group provisioning across systems
- SPIFFE: Secure Production Identity Framework For Everyone, an open standard for workload identity in distributed systems
- JWT-SVID: JSON Web Token SPIFFE Verifiable Identity Document, a signed, short-lived token that carries the workload's SPIFFE ID as its subject and is bound to a specific audience, used where a workload must prove its identity to a service that cannot take an X.509 client certificate
- PKI: Public Key Infrastructure, the framework for managing digital certificates and encryption keys
- Business Source License: A source-available license that forbids certain production uses (in HashiCorp's terms, embedding the software in a competing commercial offering) until a change date, four years after each release for HashiCorp, when that version converts to an open-source license; the Mozilla Public License it replaced carried no such restriction
- Static credentials: Long-lived access keys or passwords that don't expire automatically, creating security risks if leaked
Original article
HashiCorp released Vault 2.0 under IBM's versioning model with two-year support, introducing identity-based security, workload identity federation without static credentials, performance improvements, and breaking changes while adding SCIM, SPIFFE support, and enhanced PKI automation.