Back to Nodes

HashiCorp Vault

Last updated Apr 20, 2026

Secure N8N node for HashiCorp Vault integration with AppRole authentication - Hardened version

73 Weekly Downloads
343 Monthly Downloads

Included Nodes

HashiCorp Vault

Description

N8N HashiCorp Vault Node

!npm version
!npm downloads
!license
!GitHub last commit

!n8n.io – Workflow Automation

This is a security-hardened version of the N8N HashiCorp Vault integration node. Created after discovering security vulnerabilities in the original n8n-nodes-hashicorp-vault package.

โš ๏ธ Security Notice

This package was created as a secure alternative after identifying:

  • Critical vulnerabilities in dependencies (form-data CVE)
  • Missing source repository for original package
  • Potential supply chain attack indicators
  • ๐Ÿš€ Features

  • AppRole Authentication: Secure authentication using HashiCorp Vault’s AppRole method
  • Token Authentication: Direct token-based authentication
  • KV v1 & v2 Support: Works with both Key-Value secret engines
  • Namespace Support: Enterprise Vault namespace functionality
  • SSL Configuration: Flexible SSL certificate validation options
  • Optional Output Masking: Regex-based masking of sensitive keys in node outputs
  • Security Hardened: Updated dependencies to resolve CVE vulnerabilities
  • โ˜• Support

    If you like this project, consider buying me a coffee โ˜•๐Ÿ’›

    Buy Me A Coffee

    ๐Ÿ“ฆ Installation

    Install from local package (recommended)

    npm install file:./path/to/this/package

    Or from npm

    npm install n8n-nodes-hashi-vault

    ๐Ÿ”ง Configuration

    Credentials Setup

    1. Vault URL: Your Vault instance URL (e.g., https://vault.example.com:8200)
    2. Authentication Method: Choose between AppRole or Token
    3. AppRole Configuration (if selected):
    Role ID: Your AppRole Role ID
    Secret ID: Your AppRole Secret ID
    4. Token Configuration (if selected):
    Token: Your Vault token
    5. Optional Settings:
    Namespace: Vault namespace (Enterprise feature)
    API Version: KV engine version (v1 or v2)
    Ignore SSL Issues: Skip SSL certificate validation
    Mask Secret Values: Mask sensitive output values in node responses
    Mask Keys (Regex): Regex used to decide which keys to mask

    โš™๏ธ Vault Configuration Examples

    Token Authentication

    Best for: Development, testing, or when you need simple setup.
    Advantages: Quick setup, no additional Vault configuration needed.

    Create a token with KV access policy

    vault policy write n8n-kv-policy - <

    Generate token (expires in 24h)

    vault token create -policy=n8n-kv-policy -ttl=24h

    AppRole Authentication

    Best for: Production, automated workflows, enhanced security.
    Advantages: Token rotation, audit trails, granular permissions, no long-lived tokens in N8N.

    Enable AppRole auth method

    vault auth enable approle

    Create policy

    vault policy write n8n-kv-policy - <

    Create AppRole

    vault write auth/approle/role/n8n-role token_policies="n8n-kv-policy" token_ttl=1h tokenmaxttl=4h

    Get Role ID and Secret ID for N8N configuration

    vault read auth/approle/role/n8n-role/role-id vault write -f auth/approle/role/n8n-role/secret-id

    Node Operations

    #### Read Secret

    {
      "secretEngine": "secret",
      "secretPath": "myapp/database",
      "version": 0,
      "additionalFields": {
        "maskSecrets": true,
        "maskRegex": "(?i)(password|token|api.?key)$"
      }
    }
    

    #### Write Secret

    {
      "secretEngine": "secret",
      "secretPath": "myapp/database",
      "secretData": "{"username": "myuser", "password": "mypassword"}"
    }
    

    #### Delete Secret

    {
      "secretEngine": "secret",
      "secretPath": "myapp/database"
    }
    

    #### List Secrets

    {
      "secretEngine": "secret",
      "listPath": "myapp/"
    }
    

    ๐Ÿ”’ Security Changes Made

    Dependency Updates

  • โœ… axios: Updated to ^1.7.9 (fixes form-data CVE)
  • โœ… form-data: Resolved critical vulnerability (CWE-330)
  • โœ… Development dependencies: Updated to latest secure versions
  • Code Integrity

  • โœ… Source verification: Full code review completed
  • โœ… No external endpoints: Confirmed communication only with configured Vault
  • โœ… TypeScript conversion: Improved type safety
  • โœ… Clean package: No suspicious dependencies or scripts
  • ๐Ÿงช Testing

    Install dependencies

    npm install

    Build the project

    npm run build

    Run tests

    npm test

    Security audit

    npm audit

    ๐Ÿ“‹ Development

    Development mode

    npm run dev

    Format code

    npm run format

    Lint code

    npm run lint

    ๐Ÿšจ Security Audit Results

    npm audit
    

    Expected: 0 vulnerabilities found

    ๐Ÿค Contributing

    This is a security-focused fork. When contributing:

    1. Security first: All changes must maintain or improve security posture
    2. Dependency management: Keep dependencies minimal and up-to-date
    3. Code review: All changes require security review
    4. Testing: Include security tests for new features

    ๐Ÿ“‹ TODO – Performance Optimizations

    ๐Ÿš€ Token Management

  • [ ] Token Caching: Implement AppRole token caching with TTL to reduce authentication requests
  • [ ] Token Renewal: Add automatic token renewal before expiration
  • [ ] Connection Pooling: Reuse HTTP connections to Vault
  • ๐Ÿ—„๏ธ Secret Caching

  • [ ] Secure Secret Caching: Implement encrypted in-memory or Redis-based secret caching
  • [ ] TTL Management: Configurable TTL for cached secrets with automatic expiration
  • [ ] Cache Invalidation: Manual and automatic cache clearing mechanisms
  • [ ] Memory Security: Implement secure memory handling and cleanup for cached secrets
  • โšก Performance Monitoring

  • [ ] Metrics Collection: Track response times, cache hit ratios, and authentication frequency
  • [ ] Memory Usage: Monitor cache memory consumption and implement LRU eviction
  • ๐Ÿ“œ License

    MIT License – See LICENSE file for details

    ๐Ÿ›ก๏ธ Security

  • Report vulnerabilities: Create an issue with [SECURITY] prefix
  • Response time: Security issues will be addressed within 24 hours
  • Disclosure: Coordinated disclosure preferred
  • ๐Ÿ™ Acknowledgments

  • Original concept from the n8n-nodes-hashicorp-vault package
  • Security improvements by @luisra51
  • N8N community for the excellent automation platform

โš ๏ธ Always verify package integrity and run security audits before deployment in production environments.