I have several n8n instances deployed in Kubernetes (using the helm chart by 8gears). All is good, they work quite good, especially considering it’s in a mix of vSphere and Kubernetes.
Each one is running with two dedicated worker pod along with the main one. All separated in dedicated namespace and databases.

My question is: how N8N_BLOCK_ENV_ACCESS_IN_NODE is supposed to work?

The documentation say :

Whether to allow users to access environment variables in expressions and the Code node (false) or not (true).

Which is what I did but found that it does not prevent a code node to access theses variables!

Well the screenshot it quite weird, it clearly print the vars that say it shouldn’t be able to access it! :laughing:
I’ve checked manually on all pods and they all have the boolean to true.

Am I missing something? If that’s the expected behavior, how can I prevent user from accessing them?

My concern is that when you print the full env, you can therefor get the path where the secrets are stored and by just rerunning the code node with cat, you retrieve everything!

And that’s a big security concern.


Information on your n8n setup

  • n8n version: 1.4.1
  • Database (default: SQLite): PostgreSQL
  • n8n EXECUTIONS_PROCESS setting (default: own, main): main
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Kubernetes docker
  • Operating system:

Hi @M600, welcome to the community!

I am sorry for the confusion caused here. This environment variable will prevent the use of the $env expression which allows you to access environment variables as part of your workflow:

This is how it’d look without the environment variable:

You can still execute custom shell commands with this kind of setup and n8n will not limit the commands you can run. So you’d also want to block the Execute Command node in such a setup (which is also what we do on n8n cloud for example) using the NODES_EXCLUDE environment variable.


Hello @MutedJam

Thanks for the quick response. So indeed, I’ve misunderstood the usage of this setting and now understand that it only prevent the direct use of the env as variable $env.blabla.

So to solve my issue, I should add as env:

1 Like

Exactly, this line should do the job. n8n will then no longer offer the Execute Command node:

Trying to copy the Execute Command node from another n8n instance will also fail and the workflow cannot be executed:

Hope this helps!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.