External Secrets - Failure to Reload secrets from Azure Key Vault

Describe the problem/error/question

When hooking up Azure Key Vault, we are observing that the connected service principal must have “Key Vault Secrets User” role scoped to the entire key vault. RBAC controls scoping the service principal to “Key Vault Reader” on the vault itself but only “Key Vault Secrets User” to specific secrets results in errors upon reloading secrets. Additionally, even if the service principal has “Key Vault Secrets User” role scoped to the entire vault, one disabled secret results in the same observed error.

The only successful outcome is to scope the service principal to either:
a) “Key Vault Reader” scoped to the key vault and “Key Vault Secrets User” scoped to each secret.
b) “Key Vault Secrets User” scoped to the entire key vault.

This sounds similar to Azure Vault stopped working with error 400 - #6 by jbenway

What is the error message (if any)?

Error

Reload failed

Information on your n8n setup

  • n8n version: 2.14.2
  • Running n8n via n8n cloud

Welcome to the n8n community @milkyway9873
From my point of view, for now, the safest workaround seems to be granting Key Vault Reader at vault scope and Key Vault Secrets User only on the specific secrets n8n should read, and keeping disabled secrets out of the vault used by n8n. This preserves least privilege while still allowing reload to work.

Yeah this looks like a bug on n8n’s side, when it reloads it tries to fetch every secret in the vault and if even one is disabled or inaccessible the whole thing fails. For now I’d move any disabled secrets to a separate vault so the reload doesn’t choke on them.
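The workaround described in the two replies above (Key Vault Reader at vault scope, Key Vault Secrets User only on the secrets n8n should read, and disabled secrets kept out of that vault) expressed as Azure CLI role assignments plus a check for disabled secrets. This is an added example, not code from n8n or from the posters; the subscription, resource group, vault, secret names and service principal object ID are placeholder values, and `az` is only invoked when the script is run with the `apply` argument.

```bash
#!/usr/bin/env bash
# Added example: least-privilege Key Vault RBAC for the n8n service principal.
# Placeholder values (assumptions, replace before use):
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP="n8n-rg"
VAULT_NAME="n8n-kv"
SP_OBJECT_ID="11111111-1111-1111-1111-111111111111"

# Resource ID of the vault: the scope for "Key Vault Reader" (metadata only).
vault_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME"
}

# Resource ID of one secret: the scope for "Key Vault Secrets User" (value read).
secret_scope() {
  printf '%s/secrets/%s' "$(vault_scope)" "$1"
}

# Grant vault-wide metadata read, and value read only on the listed secrets.
assign_roles() {
  az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Reader" --scope "$(vault_scope)"
  for s in "$@"; do
    az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal \
      --role "Key Vault Secrets User" --scope "$(secret_scope "$s")"
  done
}

# Disabled secrets are reported above to break the n8n reload; list them so they
# can be moved to another vault or re-enabled before connecting n8n.
list_disabled_secrets() {
  az keyvault secret list --vault-name "$VAULT_NAME" \
    --query "[?attributes.enabled==\`false\`].name" -o tsv
}

if [ "${1:-}" = "apply" ]; then
  shift
  assign_roles "$@"          # remaining arguments are the secret names n8n may read
  echo "Disabled secrets in $VAULT_NAME:"
  list_disabled_secrets
fi
```

Run as `./kv-rbac.sh apply db-password api-token` to apply the assignments for exactly those two secrets; without `apply` the script only defines the functions.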