Hi,
I need help with credential management to roll out n8n automations to others in my company.
Current Setup
I have created a team of AI agents in n8n. The main agent is integrated to an app in google chat so that user can directly interact with the main agent via google chat within google workspace. From google chat, I get the user’s email ID via webhook. The main agent calls other AI agents when needed, and these agents are also integrated with gmail, google calendar and google docs to be able to read and write information there.
However the whole is setup is currently working with my credentials - my oAuth 2 for gmail, calendar etc, and my Google Service account (which is not workspace admin in google) for google chat integration.
Since it’s a POC right now, I am on starter plan. I can upgrade to Pro immediately if that solves the problem statement. Enterprise might take a few days as I am yet to hear back from n8n sales team on pricing.
Problem Statement
I want to onboard 10-15 people in my company to try out the bot before we go for full scale roll out. How do I manage google credentials for this, so that when they invoke the main bot via google chat the AI agents in n8n know and use the respective users’ google credentials. I want to make sure that all downstream nodes / tools / agents / sub-agents use that respective user’s account to connect with their respective google drive / calendar etc.
With the research I did, one potential way is to ask all the users to go to google cloud console one by one, enable the respective API’s, generate oAuth credentials, login to n8n, connect their accounts and email to me so that I can save credentials id’s against their email ID’s in a db to be used during runtime. Also the nodes for google calendar / gmail etc. don’t have ability to pick the right credentials based on user id or an expression, so I need to switch to generic http request nodes for everything and stop using built-in nodes for google calendar etc. So this solution is complex to implement, and even more complex from roll out / user adoption perspective.
I would try something like this from a code requesting authentication for the flow, because you’re authenticated from the credential.
Or the craziest thing I would try is cloning the flow and leaving it authenticated because it will ask you to access it from the console. You’ll also have to evaluate this.
So, once connected to workgroup admin workspace, u can public ure google consent screen auth up to 100 users, so the client id and secret can stay the same, but each user would need to make new credentials by signing in, either multiple users in 1 workflow, or multiple workflows for each user. This is what I do for multiple account I use separate workflows and just duplate for each account or I add multiple users into one workflow, and then filter based on who the chat was received from.
This is how mine setup atm,
Ie, use if node user name match, use that flow which is set up for that user
So, just create new credentials for each user, it will ask for details to populate the login button, and then they just sign in and you should be all okay.
Hope that helps
Hi,
@King_Samuel_David thanks for your help.
Since I have ~350 users (all within the same company and same google workspace domain), do I manually create separate workflows for each of 350 users ? And when someone joins / leaves the organization, I have to manually update the workflows ?
Hello @Sanchit_Sood,
Have you tried authenticating using a service account?
- If you authenticate and send messages as a service account, it will treat it as a bot, not as your personal account.
- Users in the space can then interact with it using mentions or slash commands.
I haven’t dived deep into this yet, but I did create a video a few days ago explaining how to use the Google Chat API node with a service account…please have a look!
Hopefully, it will help guide you in the right direction.
Hi @Sudhanshu_Sharma
I am already using google service account. The important aspect is not how google treats the authentication, but how n8n identifies and uses the right credentials for emails and calendar (not for chat) when invoking those nodes, and how to do it at a scale of a few hundred users.
Hey @Sanchit_Sood ,
Totally understood what you need , yes that is definitely possible to build and is scalable.
But the point is that it is kind of difficult to achieve this in n8n (because of dynamic credentials handling).
So I tried creating the sample scenario of the exact same thing you shared earlier:-
- Now will create a space
- Add the bot to that space
- All the memer in that space if they want to chat with the bot, they can mention that…(see the screenshot)
- But for the very first message the user will prompt to authorize/configure the bot (That’s how the bot will work according to user)
This is how it is asking for authorization
But But But…this is not using n8n…It’s using Appscript…
Hope this gives you some insight to move ahead…
If you’ll go ahead with Appscript, I would say it will handle all the authentication part automatically and is actually much easier…
All you’ll need to do is to write the code for AI Agent.
That’s the only Solution I think of now.
(If am I am not able to clear things to you…no problem you can send me the DM here…would love to share details via google meet)
