Using Hashicorp Vault secrets with mounts

Problem/error/question

I am having a problem using Vault secrets that have mounts and slashes in their names, for example something like test/egy as the mount and db/name as the secret name. How do I safely specify the secret name or the secret path?

Information on your n8n setup

  • n8n version: 1.15.1
  • Database (default: SQLite): Postgres
  • Running n8n via Docker
  • Self-hosted in Kubernetes

Hey @waok2,

Welcome to the community :cake:

I have been taking a look at a similar issue today and it looks like we don’t currently support mounts with a slash in the name. If you were to use a mount of test and have a path inside that of egy/db/name that should work.

When you configured your Vault integration, did it import the secrets or did it show 0 imported?

Hi @Jon, please tell me, since I cannot find the answer in the documentation: how can I access a secret with a mount? For example, there is this secret:

# vault kv get -mount=/kv oz-forensics/dev/custom/n8n
================= Secret Path =================
kv/data/oz-forensics/dev/custom/n8n

======= Metadata =======
Key                Value
---                -----
created_time       2023-10-16T19:24:54.651507527Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=========== Data ===========
Key                   Value
---                   -----
secret_string_json    {}

How can I get the value of the secret_string_json key?

I’ve tried various combinations, like:

{{ $secrets.vault.kv/data/oz-forensics/dev/custom/n8n.secret_string_json }}

But it doesn’t work.

In the connection settings window, it says that 0 secrets are available:

I think this discussion will be useful for other users and thank you in advance for your help!

Hey @Egor,

Welcome to the community :tada:

Your secret has not been imported. Is your path using sub paths or is the path kv/oz-forensics/dev/custom/n8n?

If you look at the secret in the UI of Vault does it look like this?

We do have an issue at the moment when special characters are used in the path, so for now I would recommend not using them until the issue is resolved.

Hi, no, this is the default Secrets Engine kv/:

And inside it I create a secret, for example n8ntest:

What should the variable in n8n look like?

{{ $secrets.vault.kv/data/n8ntest.secret_string_json }}

or

{{ $secrets.vault.kv/n8ntest.secret_string_json }}

or

{{ $secrets.vault.n8ntest.secret_string_json }}

None of this works :frowning:

Hey @Egor,

If your secret was under kv/n8ntest and the key was secret_string, then, assuming the secret is imported in your n8n system, the value to use would be {{ $secrets.vault.kv.n8ntest.secret_string }}

In Vault

In the Credential

If you check your Vault setting in n8n does it still show 0 secrets? For my setup with just the one key above in it I have…

You would also need to make sure that the token you are using has a policy attached that gives it access to use the secret so for that you would need something like…

path "kv/*" {
  capabilities = ["list", "read"] 
}
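
An added example, not part of the thread and not n8n's or Vault's own code: a simplified check of whether a policy like the one above covers the API paths of a KV v2 secret, which sit under `<mount>/data/` and `<mount>/metadata/`, as the `Secret Path` line in the CLI output earlier in the thread shows. The function names and the second policy are constructed for illustration, and only exact and trailing-`*` rules are modelled.

```javascript
// Added example: rules and paths are constructed from values in the thread.
// Simplified model of Vault ACL matching: exact paths and a trailing "*"
// (prefix) glob only; the "+" segment wildcard is not handled.

// KV v2 serves secret data under <mount>/data/ and listings under <mount>/metadata/.
function kvV2Paths(mount, secretPath) {
  const m = mount.replace(/^\/+|\/+$/g, "");
  const p = secretPath.replace(/^\/+|\/+$/g, "");
  const parent = p.includes("/") ? p.slice(0, p.lastIndexOf("/") + 1) : "";
  return { read: `${m}/data/${p}`, list: `${m}/metadata/${parent}` };
}

// Pick the most specific matching rule: exact match first, then longest prefix.
function matchRule(rules, path) {
  let best = null;
  for (const rule of rules) {
    const glob = rule.path.endsWith("*");
    const prefix = glob ? rule.path.slice(0, -1) : rule.path;
    const hit = glob ? path.startsWith(prefix) : path === prefix;
    if (!hit) continue;
    const score = glob ? prefix.length : Infinity;
    if (!best || score > best.score) best = { rule, score };
  }
  return best ? best.rule : null;
}

function allows(rules, path, capability) {
  const rule = matchRule(rules, path);
  if (!rule || rule.capabilities.includes("deny")) return false;
  return rule.capabilities.includes(capability);
}

// Report the API paths for a secret and whether the policy covers them.
function checkSecret(rules, mount, secretPath) {
  const paths = kvV2Paths(mount, secretPath);
  return {
    ...paths,
    canRead: allows(rules, paths.read, "read"),
    canList: allows(rules, paths.list, "list"),
  };
}

// The policy from the thread, and a constructed one written against the CLI-style path.
const threadPolicy = [{ path: "kv/*", capabilities: ["list", "read"] }];
const cliStylePolicy = [{ path: "kv/n8ntest", capabilities: ["list", "read"] }];
console.log(checkSecret(threadPolicy, "/kv", "oz-forensics/dev/custom/n8n"));
console.log(checkSecret(cliStylePolicy, "kv", "n8ntest"));
```

The second policy names the path as typed into `vault kv get`, which never matches `kv/data/n8ntest`, so both checks come back false.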
