I am looking for a method to use the RabbitMQ secrets engine in HashiCorp Vault to allow password rotation.
The RabbitMQ secrets engine is functional, and Vault allows me to create users/passwords on the fly, for a limited time. The leases expire after a certain time.
When a lease is generated and active, everything works in n8n. The credentials are valid.
However, there is no mechanism in the RabbitMQ trigger to create a new user when the lease expires. Therefore the workflow has no valid credentials to continue the execution.
Also, I’m thinking of going through the environment variables. The principle would be to query Vault through the API in order to retrieve the credentials (HTTP Request node), store them in environment variables, and then configure the trigger with these variables.
Is it possible for a workflow to write environment variables? Could you point me in the right direction?
Unfortunately, there is a problem with this method.
I do a key rotation every hour for RabbitMQ.
I call Vault, log in, get a token, create a user and password in RabbitMQ using Vault’s mechanisms, and get the credentials.
So far, so good. I format the JSON to call the n8n API (POST /credentials). The problem: it creates a new credential instead of updating the existing one.
Would it be possible to implement an update method in the API? Or maybe I’m doing it wrong?
This makes it unfortunately complex.
1°) The creation of the new credentials will create id increments in the database. If you make new credentials several times a day, or even if you multiply the services, it will quickly become a problem in the database. (My credentials for RabbitMQ change every hour and I use AMQP and MQTT, so every hour there are 2 credentials, because I use different credentials for each topic/exchange.)
Moreover, some credentials can have a short TTL (in seconds).
2°) This requires a rather complex pipeline (I did it and tested it), but it is very heavy.
3°) During the tests, it appears that enabling the workflow fails. You have to go into the workflow manually with the new credentials, to refresh the workflow, so that the credentials are updated.
With the growing interest in security, key or password rotation mechanisms are becoming more and more important.
So I opened a suggestion in the forum to have an update of the API.
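Added example, not part of the original posts and not n8n or Vault project code: a scheduling step that decides, from the lease fields Vault returns with dynamic RabbitMQ credentials, which credentials must be replaced before they expire, including the seconds-long TTLs mentioned above. The helper names, the 80% refresh point and the 30-second margin are assumptions, and all lease values are constructed.

```javascript
// Constructed sample of the JSON body Vault returns for
// GET /v1/rabbitmq/creds/<role>; every value here is a placeholder.
const sampleLease = {
  lease_id: "rabbitmq/creds/example-role/EXAMPLE-LEASE-ID",
  lease_duration: 3600, // seconds (hourly rotation, as in the post)
  renewable: true,
  data: { username: "EXAMPLE-USER", password: "EXAMPLE-PASSWORD" },
};

// Hypothetical helper: rotation schedule for one lease.
//   refreshFraction - share of the TTL consumed before rotating
//   minMarginSec    - time kept in reserve for the consumer to reconnect
function planRotation(lease, issuedAtMs, nowMs, refreshFraction = 0.8, minMarginSec = 30) {
  const ttl = Number(lease && lease.lease_duration);
  if (!lease || !lease.data || !lease.data.username || !Number.isFinite(ttl) || ttl <= 0) {
    throw new Error("not a dynamic-credential response");
  }
  const expiresAtMs = issuedAtMs + ttl * 1000;
  // With a TTL of a few seconds a fixed margin would exceed the lease,
  // so the margin is capped at half the TTL.
  const marginSec = Math.min(minMarginSec, ttl / 2);
  const refreshAfterSec = Math.min(ttl * refreshFraction, ttl - marginSec);
  const refreshAtMs = issuedAtMs + refreshAfterSec * 1000;
  let action = "reuse";
  if (nowMs >= expiresAtMs) action = "expired"; // consumer is already locked out
  else if (nowMs >= refreshAtMs) action = "rotate"; // fetch new credentials now
  return { action, username: lease.data.username, refreshAtMs, expiresAtMs };
}

// Hypothetical helper: given several tracked leases (for example one for AMQP
// and one for MQTT), list those needing new credentials, most urgent first.
function dueForRotation(entries, nowMs) {
  return entries
    .map((e) => ({ name: e.name, ...planRotation(e.lease, e.issuedAtMs, nowMs) }))
    .filter((p) => p.action !== "reuse")
    .sort((a, b) => a.expiresAtMs - b.expiresAtMs)
    .map((p) => p.name);
}
```

Record the time each lease was issued next to the credentials; the schedule is computed from that timestamp and `lease_duration`, not from when the consumer last connected.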