[PUBLISH] vault/1.21.x (#1077)

* Create 1.21 docset
* Rename 1.21 folder to mark it as an rc docset
* Add documentation for new secret list parameter
* Add role count product usage metrics
* Add docs for client first used time
* Add api-docs field description and docs feature explanation
* Change description for token creation time
* Add docs for AES-CBC
* Add api docs for derivedkeys
* Add field documentation and info
* Fix LDAP docs referencing Azure by mistake
* Add reference
* Add more info about setting up CMEK for GCP sync
* Add section to api docs on batch-fetch certificates.
* VAULT-37634, VAULT-36946: Census metrics for recover capability and auto snapshot config counts (#864)
* VAULT-37633: Database static role recover (#884)
* VAULT-38654: Docs for autoloading snapshots (#890)
* Update gcpsm.mdx
* Add docs & api-docs for Azure Secrets Static Roles
* VAULT-37037 docs for Vault proxy update (#923)
* Add docs for KV v2 Version Attribution
* [VAULT-39627] Add GUI steps for Secret Engine mount tune.
* Prep update docs for 1.21
* Add missing version table
* Add SPIFFE auth plugin docs
* add docs to Setup login MFA
* cumulative api docs
* add missing partial
* Correct partial paths for summary tables
* Add metrics docs changes
* add documentation for oracle
* add TOTP support to login MFA types
* create a partial alert for tech preview, add another sample request and response
* Add missing important change info and remove empty release notes
* [VAULT] GA to RC sync 20251002 (#1052)
* Fix endpoint_url description within https_spiffe_bundle section in API docs
* Clarify only one enforcement can be configured for web UI self-enroll
* Update metadata docs
* Final pre-publication sync (#1076)
* Fix important changes pages

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Eleonore Carpentier <shaeli@github.com>
Co-authored-by: Ellie Sterner <ellie.sterner@hashicorp.com>
Co-authored-by: akshya96 <araghavan@hashicorp.com>
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: miagilepner <miagilepner@gmail.com>
Co-authored-by: Milena Zlaticanin <Milena.Zlaticanin@ibm.com>
Co-authored-by: Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Yoko Hyakuna <yoko.hyakuna1@ibm.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Jaired Jawed <jaired.jawed@hashicorp.com>
Co-authored-by: Jaired Jawed <me@jairedjawed.com>
Co-authored-by: Vinay Gopalan <vinay@hashicorp.com>
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: Shannon Roberts <shannon.roberts@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Shannon Roberts (Beagin) <beagins@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>

Author: 22 people

content/vault/global/partials/important-changes/summary-tables/1_20.mdx

@@ -30,6 +30,6 @@ Found  | Fixed  | Workaround | Edition    | Issue
 1.20.0 | 1.20.1 | **Yes**    | All        | [GUI navigation error for KV v2 secret paths containing underscores](/vault/docs/v1.20.x/updates/important-changes#ui-kvv2-underscore-secrets)
 1.18.4 | No     | **Yes**    | All        | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-refresh)
 1.20.0 | 1.20.1 | **Yes**    | All        | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin)
-1.19.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
-1.19.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events)
+1.20.0 | No     | No         | All        | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue)
+1.20.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events)
 1.20.0 | No     | No         | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.20.x/updates/important-changes#multi-seal-rewrap)

content/vault/global/partials/important-changes/summary-tables/1_21.mdx

@@ -0,0 +1,16 @@
+### Breaking changes
+
+Introduced | Recommendations | Edition    | Change
+---------- | --------------- | ---------- | ------
+1.21.0     | **Yes**         | All        | [Audiences required for Kubernetes authentication roles](/vault/docs/v1.21.x/updates/important-changes#k8-audience-required)
+
+
+### New behavior
+
+None.
+
+### Known issues
+
+Found  | Fixed  | Workaround | Edition    | Issue
+------ |--------| ---------- | ---------- | -----
+1.21.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.21.x/updates/important-changes#missed-events)

content/vault/v1.18.x/content/docs/auth/login-mfa/index.mdx

@@ -254,7 +254,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

content/vault/v1.19.x/content/docs/auth/ldap.mdx

@@ -230,7 +230,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

content/vault/v1.19.x/content/docs/auth/login-mfa/index.mdx

@@ -258,7 +258,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

content/vault/v1.19.x/content/docs/secrets/ldap.mdx

@@ -155,7 +155,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

content/vault/v1.20.x/content/api-docs/system/secrets-sync.mdx

@@ -403,7 +403,7 @@ This endpoint creates a destination to synchronize secrets with the GCP Secret M
   store replicated secrets. Note that secrets remain globally readable regardless of the selected locations.
 
 - `locational_kms_keys` `(map<string|string>: nil)` - A map of location names to KMS key names to leverage customer-managed encryption keys for
-  encryption at rest. Each pair follows the format `location_name=encryption_key_resource_ID`. Refer to the
+  encryption at rest. Each pair follows the format `location_name=encryption_key_resource_name`. Refer to the
   [sample payloads](#sample-payloads) for more details.
 
 - `secret_name_template` `(string: "")` - Template to use when generating the secret names on the external system.

content/vault/v1.20.x/content/docs/auth/ldap.mdx

@@ -240,7 +240,7 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
 @include 'rotation-manager-logging.mdx'

content/vault/v1.20.x/content/docs/auth/login-mfa/index.mdx

@@ -258,7 +258,7 @@ $ vault write identity/mfa/method/totp \
    digits=6
 ```
 
-Using the TOTP `method_id` and an `entity_id` from after a sucessful MFA login.  Use these to generate a QR code.
+Vault generates an `entity_id` for users after a successful login. Use the TOTP `method_id` and the `entity_id` of the target user to generate a QR code.
 
 ```shell-session
 $ vault write -field=barcode \

content/vault/v1.20.x/content/docs/license/product-usage-reporting.mdx

@@ -169,9 +169,15 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.activedirectory.count`                         | The total number of Active Directory secret engines in Vault.                                              |
 | `vault.secret.engine.alicloud.count`                                | The total number of Alicloud secret engines in Vault.                                                      |
 | `vault.secret.engine.aws.count`                                     | The total number of AWS secret engines in Vault.                                                           |
+| `vault.secret.engine.aws.dynamic.role.count`                        | The total number of AWS dynamic roles in Vault.                                                            |
+| `vault.secret.engine.aws.static.role.count`                         | The total number of AWS static roles in Vault.                                                             |
 | `vault.secret.engine.azure.count`                                   | The total number of Azure secret engines in Vault.                                                         |
+| `vault.secret.engine.azure.dynamic.role.count`                      | The total number of Azure dynamic roles in Vault.                                                          |
 | `vault.secret.engine.consul.count`                                  | The total number of Consul secret engines in Vault.                                                        |
 | `vault.secret.engine.gcp.count`                                     | The total number of GCP secret engines in Vault.                                                           |
+| `vault.secret.engine.gcp.impersonated.account.count`                | The total number of GCP impersonated accounts in Vault.                                                    |
+| `vault.secret.engine.gcp.roleset.count`                             | The total number of GCP rolesets in Vault.                                                                 |
+| `vault.secret.engine.gcp.static.role.count`                         | The total number of GCP static roles in Vault.                                                             |
 | `vault.secret.engine.gcpkms.count`                                  | The total number of GCPKMS secret engines in Vault.                                                        |
 | `vault.secret.engine.kubernetes.count`                              | The total number of Kubernetes secret engines in Vault.                                                    |
 | `vault.secret.engine.cassandra.count`                               | The total number of Cassandra secret engines in Vault.                                                     |
@@ -181,11 +187,15 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.mongodb.count`                                 | The total number of MongoDB secret engines in Vault.                                                       |
 | `vault.secret.engine.mongodbatlas.count`                            | The total number of MongoDBAtlas secret engines in Vault.                                                  |
 | `vault.secret.engine.mssql.count`                                   | The total number of MSSql secret engines in Vault.                                                         |
-| `vault.secret.engine.mysql.count`                                   | The total number of MySQL secret engines in Vault. |
+| `vault.secret.engine.mysql.count`                                   | The total number of MySQL secret engines in Vault.                                                         |
 | `vault.secret.engine.postgresql.count`                              | The total number of Postgresql secret engines in Vault.                                                    |
 | `vault.secret.engine.nomad.count`                                   | The total number of Nomad secret engines in Vault.                                                         |
 | `vault.secret.engine.ldap.count`                                    | The total number of LDAP secret engines in Vault.                                                          |
+| `vault.secret.engine.ldap.dynamic.role.count`                       | The total number of LDAP dynamic roles in Vault.                                                           |
+| `vault.secret.engine.ldap.static.role.count`                        | The total number of LDAP static roles in Vault.                                                            |
 | `vault.secret.engine.openldap.count`                                | The total number of OpenLDAP secret engines in Vault.                                                      |
+| `vault.secret.engine.openldap.dynamic.role.count`                   | The total number of OpenLDAP dynamic roles in Vault.                                                       |
+| `vault.secret.engine.openldap.static.role.count`                    | The total number of OpenLDAP static roles in Vault.                                                        |
 | `vault.secret.engine.pki.count`                                     | The total number of PKI secret engines in Vault.                                                           |
 | `vault.secret.engine.rabbitmq.count`                                | The total number of RabbitMQ secret engines in Vault.                                                      |
 | `vault.secret.engine.ssh.count`                                     | The total number of SSH secret engines in Vault.                                                           |
@@ -194,6 +204,8 @@ All of these metrics are numerical, and contain no sensitive values or additiona
 | `vault.secret.engine.transform.count`                               | The total number of Transform secret engines in Vault.                                                     |
 | `vault.secret.engine.transit.count`                                 | The total number of Transit secret engines in Vault.                                                       |
 | `vault.secret.engine.database.count`                                | The total number of Database secret engines in Vault.                                                      |
+| `vault.secret.engine.database.dynamic.role.count`                   | The total number of Database dynamic roles in Vault.                                                       |
+| `vault.secret.engine.database.static.role.count`                    | The total number of Database static roles in Vault.                                                        |
 | `vault.secret.engine.plugin.count`                                  | The total number of custom plugin secret engines in Vault.                                                 |
 | `vault.secretsync.sources.count`                                    | The total number of secret sources configured for secret sync.                                             |
 | `vault.secretsync.destinations.count`                               | The total number of secret destinations configured for secret sync.                                        |