Please add support “Azure Workload Identities” as a built-in credential.
We are currently evaluating whether we can use n8n to replace Azure Logic Apps. We would be serving n8n on an Azure Kubernetes (AKS) cluster. We use AKS extensively to serve various apps and workloads, many of which need to have Azure Active Directory identities (and said identities are then given various permissions). We achieve this in a completely credential-free manner by making use of Azure Workload Identities (Introduction - Azure AD Workload Identity). The premise of this is as follows:
- The Kubernetes cluster becomes an OIDC provider
- A service account within a specific namespace within that cluster becomes an “identity” on that OIDC provider.
- An Azure Active Directory (AAD) identity gets set up. Authentication for this identity is federated to the above service account.
- When a pod on Kubernetes is started up with this service account, a token identifying the service account is mounted onto the pod at the location AZURE_FEDERATED_TOKEN_FILE.
- The contents of this file can be used to achieve the federated login. I.e., by calling the AAD endpoint we can exchange this token (which only identifies the federated identity) for a token that identifies the actual AAD identity. (There are well-established SDKs from Microsoft that do this exchange. See links below)
Now, let’s say we have authorized this AAD identity to access an HTTP endpoint. That means the HTTP endpoint expects a bearer token for this AAD identity whenever it receives a REST request.
What we would like is a way to attach a credential type that would execute the necessary calls to exchange the tokens and attach that to the authorization header. (The exact same thing would be very beneficial when interacting directly with any Azure resources, such as storage accounts, functions etc.)
It would allow (credential-free!) Azure Active Directory authentication within n8n tasks
Azure Identity SDK (js): azure-sdk-for-js/sdk/identity/identity at main · Azure/azure-sdk-for-js · GitHub
Azure Identity SDK (.NET): azure-sdk-for-net/sdk/identity/Azure.Identity at main · Azure/azure-sdk-for-net · GitHub
We typically just use the “DefaultAzureCredential” call without any additional configuration. It is clever enough to find the Workload Identity and exchange it for a token.
Yes I am willing to help