[PUBLISH] vault/202509 (#969)

* VSO CSI driver documentation (#691)
* Adding documentation for Vault MCP Server (#948)
* docs: security model for vault mcp server (#970)

Author: RubenSandwich

content/vault/v1.16.x/content/api-docs/secret/databases/snowflake.mdx

@@ -43,8 +43,12 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the following format `{{field_name}}`. A templated connection URL is
-  required when using root credential rotation.
+  parameters in the format `{{field_name}}` when you use password authentication.
+  If you use root credential rotation for passwords, you must provide a templated
+  connection URL. Refer to the
+  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
+  for more information on the connection URL format requirements for different
+  authentication methods.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

content/vault/v1.16.x/content/docs/secrets/databases/snowflake.mdx

@@ -11,8 +11,8 @@ description: |-
 
 <Warning title="Password authentication removal">
     Snowflake is disabling password authentication for all users in&nbsp;
-    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>    
-    &nbsp;HashiCorp is working to support key pair authentication in place of passwords.
+    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>
+    &nbsp;HashiCorp has added support for key pair authentication in place of passwords.
 </Warning>
 
 Snowflake is one of the supported plugins for the database secrets engine. This plugin
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses
 
 | Plugin Name                 | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types          |
 | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
-| `snowflake-database-plugin` | Yes                      | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
+| `snowflake-database-plugin` | Password-only            | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
 
 ## Setup
 
@@ -43,7 +43,7 @@ The Snowflake database secrets engine uses
     By default, the secrets engine will enable at the name of the engine. To
     enable the secrets engine at a different path, use the `-path` argument.
 
-1.  Configure Vault with the proper plugin and connection information:
+1.  Configure Vault with userpass authentication:
 
     ```shell-session
     $ vault write database/config/my-snowflake-database \
@@ -71,9 +71,41 @@ The Snowflake database secrets engine uses
 
     `db_name` is the name of a database in your Snowflake instance.
 
-    ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different
-    from the root user you were provided when making your Snowflake account. This allows you to rotate
-    the root credentials and still be able to access your account.
+1.  Configure Vault with keypair authentication. Do not provide templated or
+    hard-coded username or password information in the connection URL if you use
+    key-pair authentication. The Snowflake plugin appropriately constructs the
+    full DSN using the provided `username` and `private_key` to authenticate to
+    Snowflake:
+
+    ```shell-session
+    $ vault write database/config/my-snowflake-database \
+        plugin_name=snowflake-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="<account>.snowflakecomputing.com/<db_name>" \
+        username="vaultuser" \
+        private_key=@key.pem
+    ```
+
+    The connection URL must include the following parameters in addition to any
+    optional query parameters:
+
+    - `account` - your Snowflake account identifier. Refer to the
+      [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
+      of the connection parameters for Snowflake ODBC configuration details.
+
+    - `db_name` the name of a database in your Snowflake instance.
+
+    For example:
+
+    ```text
+    ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data
+    ```
+
+
+You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We
+strongly recommend using a unique user account for Vault access so Vault can
+rotate the associated root credentials without disrupting the account associated
+with your Snowflake account or other Snowflake users on the account.
 
 ## Usage
 

content/vault/v1.17.x/content/api-docs/secret/databases/snowflake.mdx

@@ -43,8 +43,12 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the following format `{{field_name}}`. A templated connection URL is
-  required when using root credential rotation.
+  parameters in the format `{{field_name}}` when you use password authentication.
+  If you use root credential rotation for passwords, you must provide a templated
+  connection URL. Refer to the
+  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
+  for more information on the connection URL format requirements for different
+  authentication methods.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

content/vault/v1.17.x/content/docs/secrets/databases/snowflake.mdx

@@ -11,8 +11,8 @@ description: |-
 
 <Warning title="Password authentication removal">
     Snowflake is disabling password authentication for all users in&nbsp;
-    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>    
-    &nbsp;HashiCorp is working to support key pair authentication in place of passwords.
+    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>
+    &nbsp;HashiCorp has added support for key pair authentication in place of passwords.
 </Warning>
 
 Snowflake is one of the supported plugins for the database secrets engine. This plugin
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses
 
 | Plugin Name                 | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types          |
 | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
-| `snowflake-database-plugin` | Yes                      | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
+| `snowflake-database-plugin` | Password-only            | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
 
 ## Setup
 
@@ -43,7 +43,7 @@ The Snowflake database secrets engine uses
     By default, the secrets engine will enable at the name of the engine. To
     enable the secrets engine at a different path, use the `-path` argument.
 
-1.  Configure Vault with the proper plugin and connection information:
+1.  Configure Vault with userpass authentication:
 
     ```shell-session
     $ vault write database/config/my-snowflake-database \
@@ -71,9 +71,40 @@ The Snowflake database secrets engine uses
 
     `db_name` is the name of a database in your Snowflake instance.
 
-    ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different
-    from the root user you were provided when making your Snowflake account. This allows you to rotate
-    the root credentials and still be able to access your account.
+1.  Configure Vault with keypair authentication. Do not provide templated or
+    hard-coded username or password information in the connection URL if you use
+    key-pair authentication. The Snowflake plugin appropriately constructs the
+    full DSN using the provided `username` and `private_key` to authenticate to
+    Snowflake:
+
+    ```shell-session
+    $ vault write database/config/my-snowflake-database \
+        plugin_name=snowflake-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="<account>.snowflakecomputing.com/<db_name>" \
+        username="vaultuser" \
+        private_key=@key.pem
+    ```
+
+    The connection URL must include the following parameters (additional query parameters are not supported in Vault 1.17):
+
+    - `account` - your Snowflake account identifier. Refer to the
+      [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
+      of the connection parameters for Snowflake ODBC configuration details.
+
+    - `db_name` the name of a database in your Snowflake instance.
+
+    For example:
+
+    ```text
+    ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data
+    ```
+
+
+You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We
+strongly recommend using a unique user account for Vault access so Vault can
+rotate the associated root credentials without disrupting the account associated
+with your Snowflake account or other Snowflake users on the account.
 
 ## Usage
 

content/vault/v1.18.x/content/api-docs/secret/databases/snowflake.mdx

@@ -43,8 +43,12 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the following format `{{field_name}}`. A templated connection URL is
-  required when using root credential rotation.
+  parameters in the format `{{field_name}}` when you use password authentication.
+  If you use root credential rotation for passwords, you must provide a templated
+  connection URL. Refer to the
+  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
+  for more information on the connection URL format requirements for different
+  authentication methods.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

content/vault/v1.18.x/content/docs/secrets/databases/snowflake.mdx

@@ -11,8 +11,8 @@ description: >-
 
 <Warning title="Password authentication removal">
     Snowflake is disabling password authentication for all users in&nbsp;
-    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>    
-    &nbsp;HashiCorp is working to support key pair authentication in place of passwords.
+    <a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>
+    &nbsp;HashiCorp has added support for key pair authentication in place of passwords.
 </Warning>
 
 Snowflake is one of the supported plugins for the database secrets engine. This plugin
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses
 
 | Plugin Name                 | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types          |
 | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
-| `snowflake-database-plugin` | Yes                      | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
+| `snowflake-database-plugin` | Password-only            | Yes           | Yes          | Yes (1.8+)             | password(deprecated), rsa_private_key |
 
 ## Setup
 
@@ -43,7 +43,7 @@ The Snowflake database secrets engine uses
     By default, the secrets engine will enable at the name of the engine. To
     enable the secrets engine at a different path, use the `-path` argument.
 
-1.  Configure Vault with the proper plugin and connection information:
+1.  Configure Vault with userpass authentication:
 
     ```shell-session
     $ vault write database/config/my-snowflake-database \
@@ -71,9 +71,41 @@ The Snowflake database secrets engine uses
 
     `db_name` is the name of a database in your Snowflake instance.
 
-    ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different
-    from the root user you were provided when making your Snowflake account. This allows you to rotate
-    the root credentials and still be able to access your account.
+1.  Configure Vault with keypair authentication. Do not provide templated or
+    hard-coded username or password information in the connection URL if you use
+    key-pair authentication. The Snowflake plugin appropriately constructs the
+    full DSN using the provided `username` and `private_key` to authenticate to
+    Snowflake:
+
+    ```shell-session
+    $ vault write database/config/my-snowflake-database \
+        plugin_name=snowflake-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="<account>.snowflakecomputing.com/<db_name>" \
+        username="vaultuser" \
+        private_key=@key.pem
+    ```
+    
+    The connection URL must include the following parameters in addition to any
+    optional query parameters:
+
+    - `account` - your Snowflake account identifier. Refer to the
+      [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
+      of the connection parameters for Snowflake ODBC configuration details.
+
+    - `db_name` the name of a database in your Snowflake instance.
+
+    For example:
+
+    ```text
+    ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data
+    ```
+
+
+You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We
+strongly recommend using a unique user account for Vault access so Vault can
+rotate the associated root credentials without disrupting the account associated
+with your Snowflake account or other Snowflake users on the account.
 
 ## Usage
 

content/vault/v1.19.x/content/api-docs/secret/databases/snowflake.mdx

@@ -43,8 +43,12 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the following format `{{field_name}}`. A templated connection URL is
-  required when using root credential rotation.
+  parameters in the format `{{field_name}}` when you use password authentication.
+  If you use root credential rotation for passwords, you must provide a templated
+  connection URL. Refer to the
+  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
+  for more information on the connection URL format requirements for different
+  authentication methods.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

content/vault/v1.19.x/content/docs/secrets/databases/snowflake.mdx

@@ -71,34 +71,36 @@ The Snowflake database secrets engine uses
 
     `db_name` is the name of a database in your Snowflake instance.
 
-    ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different
-    from the root user you were provided when making your Snowflake account. This allows you to rotate
-    the root credentials and still be able to access your account.
-
-1.  Configure Vault with keypair authentication:
+1.  Configure Vault with keypair authentication. Do not provide templated or
+    hard-coded username or password information in the connection URL if you use
+    key-pair authentication. The Snowflake plugin appropriately constructs the
+    full DSN using the provided `username` and `private_key` to authenticate to
+    Snowflake:
 
     ```shell-session
     $ vault write database/config/my-snowflake-database \
         plugin_name=snowflake-database-plugin \
         allowed_roles="my-role" \
-        connection_url="ecxxxx.west-us-1.azure.snowflakecomputing.com/db_name" \
+        connection_url="<account>.snowflakecomputing.com/<db_name>" \
         username="vaultuser" \
         private_key=@key.pem
     ```
 
-You must provide properly formatted data source names (DSN) when you configure
-the database in the following format. When using key-pair authentication, do not
-provide any templates in the DSN:
+    The connection URL must include the following parameters in addition to any
+    optional query parameters:
+
+    - `account` - your Snowflake account identifier. Refer to the
+      [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
+      of the connection parameters for Snowflake ODBC configuration details.
 
-```shell-session
-<account>.snowflakecomputing.com/<db_name>
-```
+    - `db_name` the name of a database in your Snowflake instance.
 
-- `account` - your Snowflake account identifier. Refer to the
-[`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
-of the connection parameters for Snowflake ODBC configuration for further details.
+    For example:
+
+    ```text
+    ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data
+    ```
 
-- `db_name` the name of a database in your Snowflake instance.
 
 You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We
 strongly recommend using a unique user account for Vault access so Vault can

content/vault/v1.20.x/content/api-docs/secret/databases/snowflake.mdx

@@ -43,8 +43,12 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the following format `{{field_name}}`. A templated connection URL is
-  required when using root credential rotation.
+  parameters in the format `{{field_name}}` when you use password authentication.
+  If you use root credential rotation for passwords, you must provide a templated
+  connection URL. Refer to the
+  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
+  for more information on the connection URL format requirements for different
+  authentication methods.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

content/vault/v1.20.x/content/docs/auth/approle/approle-pattern.mdx

@@ -301,7 +301,7 @@ In any trusted broker situation, the broker (in this case, the Jenkins worker) m
 Also, as the Vault audit logs provide time-stamped events, monitor the whole process with alerts on two events:
 
 - When a wrapped SecretID is requested for an AppRole, and no Jenkins job is running
-- When the Jenkins slave attempts to unwrap the token and Vault refuses as the token has already been used
+- When the Jenkins agent attempts to unwrap the token and Vault refuses as the token has already been used
 
 In both cases, this shows that the trusted-broker workflow has likely been compromised and the event should investigated.
 
@@ -311,3 +311,4 @@ In both cases, this shows that the trusted-broker workflow has likely been compr
 - [Response wrapping concept](/vault/docs/concepts/response-wrapping)
 - [ACL policies](/vault/docs/concepts/policies)
 - [Token periods and TTLs](/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+- [Vault Secrets Operator CSI driver](/vault/docs/platform/k8s/vso/csi) for providing response-wrapped secret IDs to Kubernetes pods