IBM Support

Terraform Enterprise Fails to Load Workspace due to Vault "JSON string value exceeds allowed length" Error

Troubleshooting


Problem

When you attempt to view a workspace in Terraform Enterprise versions 1.1.x, the UI displays the following error message:

Vault, a service used to store secrets in Terraform Enterprise, has encountered an error retrieving a secret. This can mean the Vault is sealed and needs to be unsealed to resume operations.

 

The atlas container logs show a more specific error message from the internal Vault service:

An error occurred when trying to communicate with Vault: The Vault server at `http://127.0.0.1:8200' responded with a 500.
Any additional information the server supplied is shown below:

  * JSON string value exceeds allowed length

This error prevents you from accessing the workspace's state, variables, and other settings through the UI.

Prerequisites

  • Terraform Enterprise version 1.1.x.
  • A workspace with a state file containing at least one output value that is 1MB or larger.

Cause

The root cause of this issue is a security enhancement in the version of Vault bundled with Terraform Enterprise 1.1.x, which introduced a default limit of 1MB for the maximum length of a JSON string value Vault will decode.

The 1.1.x versions of Terraform Enterprise do not explicitly override this setting, so they inherit the default 1MB limit. When TFE attempts to read a state file with an output value exceeding this size, the internal Vault service rejects the request with a 500 error, leading to the failure in the UI.

Resolving The Problem

There are four primary methods to resolve this issue:

  1. Upgrade Terraform Enterprise: The recommended long-term solution.
  2. Modify Terraform Configuration: Remove the large output from your code and re-apply.
  3. Manually Edit the State File: Pull the state, remove the output, and push it back.
  4. Build a Custom TFE Image: A temporary workaround to increase the Vault limit if an immediate upgrade is not possible.

 

Solution 1: Upgrade Terraform Enterprise (Recommended)

The most effective and sustainable solution is to upgrade your Terraform Enterprise instance to version 1.2.0 or later (Release Documentation).

Follow the official Terraform Enterprise upgrade documentation to plan and execute the upgrade for your specific installation.

 

Solution 2: Modify Terraform Configuration

If you can modify the Terraform code for the affected workspace, you can resolve the issue by removing the large state output.

  1. In your Terraform root module, identify and remove the output block that generates the value larger than 1MB.
  2. Create a new run in the workspace to apply the configuration changes. This will update the state file and remove the oversized output.
  3. Verification: After the apply successfully completes, navigate to the workspace in the TFE UI. The page should now load without any errors.

 

Solution 3: Manually Edit the State File

You can also directly manipulate the state file to remove the problematic output. Use caution with this method, as incorrect modifications can corrupt your state file.

  1. Configure your local environment with credentials for the affected TFE workspace.
  2. Use the Terraform CLI to pull the current state file.

    $ terraform state pull > current.tfstate

  3. Open the current.tfstate file in a text editor. Locate the "outputs" section and delete the entry corresponding to the large output value.
  4. Increment the serial value by 1.
  5. Push the modified state file back to the Terraform Enterprise workspace.

    $ terraform state push current.tfstate

  6. Verification: Refresh the workspace page in the TFE UI. The error should be resolved, and the page should load correctly.
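
As an added example (not part of the original article and not HashiCorp or IBM tooling), the Python script below automates steps 3 and 4 and also reports which outputs cross the limit described under Cause. It assumes the version 4 state layout with top-level "serial" and "outputs" keys, measures each output as its compact JSON encoding, and takes 1MB to mean 1048576 bytes; the function names and the sample state are constructed for illustration.

```python
import json
import sys

LIMIT_BYTES = 1024 * 1024  # the 1MB default from the page, assumed to mean 1048576 bytes

def output_sizes(state):
    """Map each output name to the byte size of its compact JSON-encoded value."""
    sizes = {}
    for name, body in state.get("outputs", {}).items():
        encoded = json.dumps(body.get("value"), separators=(",", ":"), ensure_ascii=False)
        sizes[name] = len(encoded.encode("utf-8"))
    return sizes

def strip_oversized_outputs(state, limit=LIMIT_BYTES):
    """Return (new_state, removed_names); the input dict is not modified."""
    removed = sorted(n for n, size in output_sizes(state).items() if size >= limit)
    if not removed:
        return state, []  # nothing to remove, so the serial stays unchanged
    new_state = dict(state)
    new_state["outputs"] = {n: b for n, b in state["outputs"].items() if n not in removed}
    new_state["serial"] = int(state["serial"]) + 1  # step 4: increment the serial by 1
    return new_state, removed

def rewrite_state_file(src, dst, limit=LIMIT_BYTES):
    """Read src, write the edited state to dst, and return the removed output names."""
    with open(src, encoding="utf-8") as fh:
        state = json.load(fh)
    new_state, removed = strip_oversized_outputs(state, limit)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(new_state, fh, indent=2)
        fh.write("\n")
    return removed

# Constructed sample state (not taken from a real workspace).
SAMPLE_STATE = {
    "version": 4,
    "serial": 7,
    "outputs": {
        "vpc_id": {"value": "vpc-0example", "type": "string"},
        "rendered_bundle": {"value": "x" * LIMIT_BYTES, "type": "string"},
    },
    "resources": [],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("removed:", rewrite_state_file(sys.argv[1], sys.argv[2]))
    else:
        print("removed from sample:", strip_oversized_outputs(SAMPLE_STATE)[1])
```

Run it with the pulled file as the first argument and a new file name as the second, so that current.tfstate stays untouched as a backup, then push the new file in step 5.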

 

Solution 4: Build a Custom TFE Image (Workaround)

If you cannot upgrade immediately or modify the state, you can build a custom TFE image with configuration fixes. This should be considered a temporary workaround.

  1. Create a file named Dockerfile with the following content. Adjust the FROM instruction to match your current TFE version.

    # Adjust the tag to match the TFE version in use
    FROM images.releases.hashicorp.com/hashicorp/terraform-enterprise:1.1.3
    # Increase Vault JSON string limit to handle large state outputs
    RUN sed -i '/listener "tcp" {/a \ max_json_string_value_length = 33554432' /etc/vault/config.hcl.tmpl

This RUN command increases the JSON limit to 32MB (33554432 bytes).

For Active-Active (multi-node) TFE, a related Vault issue means the Vault version in the image must also be upgraded for the above configuration change to apply properly. To do this, add the following to the Dockerfile:

    # Replace the bundled Vault binary as root, then switch back to the TFE user
    USER root
    RUN curl -L -o /tmp/vault.zip "https://releases.hashicorp.com/vault/1.21.4/vault_1.21.4_linux_amd64.zip" && \
            unzip -o /tmp/vault.zip vault -d /usr/local/bin && \
            rm /tmp/vault.zip && \
            cp /usr/local/bin/vault /usr/local/bin/vault-ipc-lock && \
            setcap cap_ipc_lock=+ep /usr/local/bin/vault-ipc-lock
    USER terraform-enterprise

 

  2. Build the custom Docker image.

    $ docker build -t tfe-custom:1.1.3 .

  3. Update your Terraform Enterprise installation to use this new custom image (tfe-custom:1.1.3). The steps to do this will vary based on your deployment method (e.g. Docker, Kubernetes).

 

Outcome

After applying one of the solutions, you will be able to access the affected workspace in the Terraform Enterprise UI without encountering the Vault error. The workspace will be fully functional, allowing you to view state, manage variables, and queue runs.

 

Additional Information

Document Location

Worldwide


Document Information

Modified date:
30 March 2026

UID

ibm17267269