Add support for Azure Workload Identities

The idea is:

Please add support for “Azure Workload Identities” as a built-in credential.

My use case:

We are currently evaluating whether we can use n8n to replace Azure Logic Apps. We would be serving n8n on an Azure Kubernetes (AKS) cluster. We use AKS extensively to serve various apps and workloads, many of which need to have Azure Active Directory identities (and said identities are then given various permissions). We achieve this in a completely credential-free manner by making use of Azure Workload Identities (Introduction - Azure AD Workload Identity). The premise of this is as follows:

  • The Kubernetes cluster becomes an OIDC provider
  • A service account within a specific namespace within that cluster becomes an “identity” on that OIDC provider.
  • An Azure Active Directory (AAD) identity gets set up. Authentication for this identity is federated to the above service account.
  • When a pod on Kubernetes is started up with this service account, a token identifying the service account is mounted onto the pod at the location AZURE_FEDERATED_TOKEN_FILE.
  • The contents of this file can be used to achieve the federated login. I.e., by calling the AAD endpoint we can exchange this token (which only identifies the federated identity) for a token that identifies the actual AAD identity. (There are well-established SDKs from Microsoft that do this exchange. See links below)

Now, let’s say we have authorized this AAD identity to access an HTTP endpoint. That means the HTTP endpoint expects a bearer token for this AAD identity whenever it receives a REST request.

What we would like is a way to attach a credential type that would execute the necessary calls to exchange the tokens and attach that to the authorization header. (The exact same thing would be very beneficial when interacting directly with any Azure resources, such as storage accounts, functions etc.)

I think it would be beneficial to add this because:

It would allow (credential-free!) Azure Active Directory authentication within n8n tasks

Any resources to support this?

Azure Identity SDK (js): azure-sdk-for-js/sdk/identity/identity at main · Azure/azure-sdk-for-js · GitHub
Azure Identity SDK (.NET): azure-sdk-for-net/sdk/identity/Azure.Identity at main · Azure/azure-sdk-for-net · GitHub

We typically just use the “DefaultAzureCredential” call without any additional configuration. It is clever enough to find the Workload Identity and exchange it for a token.

Are you willing to work on this?

Yes, I am willing to help.

Hi @karl.schriek,

I’m interested in contributing to this feature since I was also looking into running and using n8n in Azure context.
Since Azure AD Workload Identity uses a Mutating Admission Webhook, I’m wondering whether it is possible to assign more than one Azure Workload Identity to an AKS pod?
I understood the documentation from the link above to mean that one AKS pod gets one service_account mapped into its context. This service_account can then be mapped to one/many AAD objects.

What’s your plan for using Azure Workload Identities with n8n? Did you plan on using multiple service_accounts within one n8n instance (in my understanding this is not possible, but I might be wrong here)? Do you have a single- or multi-instance n8n deployment (then we could actually assign different service_accounts to different n8n pods)?