External secrets
Feature availability

- External secrets are available on Enterprise Self-hosted and Enterprise Cloud plans.
- n8n supports AWS Secrets Manager, Azure Key Vault, GCP Secrets Manager, Infisical and HashiCorp Vault.
- n8n doesn't support HashiCorp Vault Secrets.
You can use an external secrets store to manage credentials for n8n.

n8n stores all credentials encrypted in its database, and restricts access to them by default. With the external secrets feature, you can store sensitive credential information in an external vault and have n8n load it when required. This provides an extra layer of security and allows you to manage the credentials used across multiple n8n environments in one central place.
Connect n8n to your secrets store
Secret names

Your secret names can't contain spaces, hyphens, or other special characters. n8n supports secret names containing alphanumeric characters (a-z, A-Z, and 0-9) and underscores. n8n currently only supports plaintext values for secrets, not JSON objects or key-value pairs.
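An audit of an existing store's entries against the naming and value rules above (including the single-line rule stated for Azure Key Vault later on this page), as an added example that is not part of the n8n documentation; the store contents, the `check_secret` and `audit` names and the finding strings are constructed for illustration.

```python
import json
import re

# Names n8n accepts: letters, digits and underscores only (from the note above).
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_secret(name, value):
    """Return the reasons an entry could not be used by n8n; [] means it is usable."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name contains characters other than a-z, A-Z, 0-9 and _")
    if "\n" in value or "\r" in value:
        problems.append("value spans several lines (Azure Key Vault: n8n supports only single-line values)")
    try:
        if isinstance(json.loads(value), (dict, list)):
            problems.append("value is a JSON object or array; n8n expects a plaintext value")
    except ValueError:
        pass  # not JSON at all, which is what n8n expects
    return problems


# Constructed sample inventory, in the shape an existing store export might have.
SAMPLE_STORE = {
    "db_password": "correct horse battery staple",
    "api-key": "abc123",
    "svc_account": '{"user": "bot", "pass": "x"}',
    "tls_key": "-----BEGIN KEY-----\nMIIB...\n-----END KEY-----",
}


def audit(store):
    """Map each unusable entry name to its problems; usable entries are omitted."""
    report = {}
    for name, value in store.items():
        problems = check_secret(name, value)
        if problems:
            report[name] = problems
    return report
```

Run `audit` over an export of your store before pointing n8n at it, so that renames and value reformatting happen in the vault rather than being discovered as unresolved expressions in a workflow.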
1. In n8n, go to Settings > External Secrets.
2. Select Set Up for your store provider.
3. Enter the credentials for your provider:
   - Azure Key Vault: provide your vault name, tenant ID, client ID, and client secret. Refer to the Azure documentation to register a Microsoft Entra ID app and create a service principal. n8n supports only single-line values for secrets.
   - AWS Secrets Manager: provide your access key ID, secret access key, and region. The IAM user must have the secretsmanager:ListSecrets, secretsmanager:BatchGetSecretValue, and secretsmanager:GetSecretValue permissions.

     To give n8n access to all secrets in your AWS Secrets Manager, you can attach the following policy to the IAM user:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AccessAllSecrets",
           "Effect": "Allow",
           "Action": [
             "secretsmanager:ListSecrets",
             "secretsmanager:BatchGetSecretValue",
             "secretsmanager:GetResourcePolicy",
             "secretsmanager:GetSecretValue",
             "secretsmanager:DescribeSecret",
             "secretsmanager:ListSecretVersionIds"
           ],
           "Resource": "*"
         }
       ]
     }
     ```

     You can also be more restrictive and give n8n access to specific AWS Secrets Manager secrets. You still need to allow the secretsmanager:ListSecrets and secretsmanager:BatchGetSecretValue permissions on all resources. These permissions allow n8n to retrieve ARN-scoped secrets, but don't provide access to the secret values.

     Next, you need to set the scope of the secretsmanager:GetSecretValue permission to the specific Amazon Resource Names (ARNs) of the secrets you wish to share with n8n. Ensure you use the correct region and account ID in each resource ARN. You can find the ARN details for your secrets in the AWS dashboard.

     For example, the following IAM policy only allows access to secrets whose name starts with n8n in your specified AWS account and region:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "ListingSecrets",
           "Effect": "Allow",
           "Action": [
             "secretsmanager:ListSecrets",
             "secretsmanager:BatchGetSecretValue"
           ],
           "Resource": "*"
         },
         {
           "Sid": "RetrievingSecrets",
           "Effect": "Allow",
           "Action": [
             "secretsmanager:GetSecretValue",
             "secretsmanager:DescribeSecret"
           ],
           "Resource": [
             "arn:aws:secretsmanager:us-west-2:123456789000:secret:n8n*"
           ]
         }
       ]
     }
     ```

     For more IAM permission policy examples, consult the AWS documentation.
   - HashiCorp Vault: provide the Vault URL for your Vault instance, and select your Authentication Method. Enter your authentication details. Optionally provide a namespace.
     - Refer to the HashiCorp documentation for your authentication method: Token auth method, AppRole auth method, Userpass auth method.
     - If you use Vault namespaces, you can enter the namespace n8n should connect to. Refer to Vault Enterprise namespaces for more information on HashiCorp Vault namespaces.
   - Infisical: provide a Service Token. Refer to Infisical's Service token documentation for information on getting your token. If you self-host Infisical, enter the Site URL.
     Infisical environment

     Infisical folders
4. Save your configuration.
5. Enable the provider using the Disabled / Enabled toggle.
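A check that an IAM policy document has the least-privilege shape described for AWS Secrets Manager above (listing actions on every resource, secret values only on explicit ARNs), as an added example that is not part of the n8n documentation; it embeds a copy of this page's ARN-scoped policy as constructed sample input, and the `check_policy` function and its finding strings are this example's own.

```python
import json
import re

# Sample input: a copy of the ARN-scoped policy from this page (constructed here).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ListingSecrets", "Effect": "Allow",
   "Action": ["secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"],
   "Resource": "*"},
  {"Sid": "RetrievingSecrets", "Effect": "Allow",
   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
   "Resource": ["arn:aws:secretsmanager:us-west-2:123456789000:secret:n8n*"]}
]}
""")
# Listing actions n8n needs on every resource ("*"), and the action that returns
# secret values, which should be limited to explicit secret ARNs.
LIST_ACTIONS = {"secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"}
VALUE_ACTION = "secretsmanager:GetSecretValue"
# Secrets Manager ARN shape: region, 12-digit account ID, secret name (wildcard allowed).
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return findings as strings; an empty list means the policy matches the guidance."""
    findings = []
    listing_on_all = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        if "secretsmanager:*" in actions:  # service wildcard implies every action
            actions |= LIST_ACTIONS | {VALUE_ACTION}
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            listing_on_all |= actions & LIST_ACTIONS
            if VALUE_ACTION in actions:
                findings.append(f"{sid}: {VALUE_ACTION} allowed on all resources; scope it to secret ARNs")
        if VALUE_ACTION in actions:
            for arn in resources:
                if arn != "*" and not SECRET_ARN.match(arn):
                    findings.append(f"{sid}: {arn} is not a Secrets Manager ARN; check region and account ID")
    for action in sorted(LIST_ACTIONS - listing_on_all):
        findings.append(f"{action} is not allowed on Resource '*'; n8n cannot list secrets")
    return findings
```

The check only reads the policy document; it does not evaluate conditions, deny statements or permission boundaries, so treat an empty result as a first pass rather than a full IAM review.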
Use secrets in n8n credentials

To use a secret from your store in an n8n credential:

1. Create a new credential, or open an existing one.
2. On the field where you want to use a secret:
   1. Hover over the field.
   2. Select Expression.
3. In the field where you want to use a secret, enter an expression referencing the secret name:

   {{ $secrets.<vault-name>.<secret-name> }}

   <vault-name> is either vault (for HashiCorp), infisical, or awsSecretsManager. Replace <secret-name> with the name as it appears in your vault.
Using external secrets with n8n environments

n8n's Source control and environments feature allows you to create different n8n environments, backed by Git. The feature doesn't support using different credentials in different instances. You can use an external secrets vault to provide different credentials for different environments by connecting each n8n instance to a different vault or project environment.

For example, you have two n8n instances, one for development and one for production, and you use Infisical for your vault. In Infisical, create a project with two environments, development and production. Generate a token for each Infisical environment. Use the development environment's token to connect your development n8n instance, and the production environment's token to connect your production n8n instance.
Using external secrets in projects

To use external secrets in a role-based access control (RBAC) project, you must have an instance owner or instance admin as a member of the project.
Troubleshooting

Infisical version changes

Infisical version upgrades can introduce problems connecting to n8n. If your Infisical connection stops working, check whether there was a recent version change. If so, report the issue to help@n8n.io.

Only set external secrets on credentials owned by an instance owner or admin

Because of the permissions that instance owners and admins have, they can update credentials owned by another user with a secrets expression. This will appear to work in preview for the instance owner or admin, but the secret won't resolve when the workflow runs in production.

Only use external secrets for credentials that are owned by an instance admin or owner. This ensures they resolve correctly in production.