
Context

 

n8n provides a flexible AI workflow automation solution that can interface with various LLMs. Within an automation workflow, we may need access to credentials to obtain data from an application or web service. While n8n can store credentials in its own data store, it may be required to manage the credentials with PAM (Privileged Access Management). This article provides step-by-step instructions on how to allow an n8n AI automation workflow to check out credentials at runtime from Password Safe.

 

Simple n8n workflow that uses Password Safe as a credential provider

 

Let’s assume that we need to access a report from a web application that requires credentials for Basic authentication.

 

Accessing the test app without authentication

 

Accessing the test App with credentials returns the report.

 

We need to create an API-enabled Managed Account with the password for the test App.

 

We need to create an Application User and assign an API Access Policy.  Save the Client ID and Client Secret values.

 

The API Registration must include the IP Address used by n8n.

 

Note: You can access User Audits under Configuration/General to see blocked requests from n8n and their source IP, which you can then add to the API Registration to allow n8n.

 

Note: The Application User needs to be added to a Group with Smart Group permissions and the Requestor Password Safe role, so that the Managed Account is available to n8n.

 

Configuring n8n workflow

 

Note:  The example workflow export is attached to this post.

 

This is our test workflow. The Submit to LLM step is incomplete and is there only to illustrate potential next steps.

 

The SignAppIn node is used to obtain a session cookie for the subsequent nodes.

 

The SignAppIn node requires a saved OAuth2 credential for the Client ID and Client Secret created in Password Safe.  This is the only credential that must be stored in n8n.

 

Note:  The Url for the SignAppIn node is https://myInstance/BeyondTrust/api/public/v3/Auth/SignAppin

and the Access Token Url is:  https://myInstance/beyondtrust/api/public/v3/auth/connect/token

 

The GET ManagedAccount node includes Query Parameters for AccountName and SystemName.  The Url is https://myInstance/BeyondTrust/api/public/v3/ManagedAccounts

 

For GET ManagedAccount and subsequent Password Safe nodes, we need to add the session cookie obtained from SignAppIn. We can drag and drop the set-cookie[0] output into a Header Parameter called Cookie.

 

The Create Release Request node Url is: https://myInstance/BeyondTrust/api/public/v3/Requests

 

We need to build the JSON body for the Create Release Request.

 

We also need to output the response of Create Release Request so it can be used by the next node.

 

The GET Credentials node Url is: https://myInstance/BeyondTrust/api/public/v3/Credentials/{{ $json.data }}

 

At this point, we have the credentials output from GET Credentials and we are ready to invoke our test App.

 

GET Report for our test App.

 

This is the value for the HTTP header Authorization:

Basic {{ ("user01234:" + $json.credentials).base64Encode() }}
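
The values that the nodes above pass to each other, written out as plain JavaScript functions with input checks. This is an added example, not part of the original post or of n8n's or BeyondTrust's code. The helper names and the release-request field names (SystemId, AccountId, DurationMinutes, Reason) are assumptions, and the Basic header is encoded as UTF-8 by choice.

```javascript
// Added example. Helper names and response/body field names are assumptions.
const BASE = "https://myInstance/BeyondTrust/api/public/v3";

// Reduce Set-Cookie response headers to a Cookie request header:
// keep only name=value and drop attributes such as Path or HttpOnly.
function sessionCookie(setCookie) {
  const pairs = [].concat(setCookie || [])
    .map((h) => String(h).split(";")[0].trim())
    .filter((p) => p.includes("="));
  if (pairs.length === 0) throw new Error("SignAppIn returned no session cookie");
  return pairs.join("; ");
}

// GET ManagedAccount URL; URLSearchParams encodes the two query parameters.
function managedAccountUrl(systemName, accountName) {
  const q = new URLSearchParams({ SystemName: systemName, AccountName: accountName });
  return `${BASE}/ManagedAccounts?${q}`;
}

// JSON body for Create Release Request, built from the ManagedAccount
// response. The field names are assumed, not taken from the page.
function releaseRequestBody(account, minutes, reason) {
  if (!Number.isInteger(minutes) || minutes < 1) throw new Error("bad duration");
  return { SystemId: account.SystemId, AccountId: account.AccountId,
           DurationMinutes: minutes, Reason: reason };
}

// GET Credentials URL; the request ID must be a plain positive integer so an
// unexpected response body can never alter the request path.
function credentialsUrl(requestId) {
  const id = String(requestId).trim();
  if (!/^[1-9][0-9]*$/.test(id)) throw new Error("unexpected request ID");
  return `${BASE}/Credentials/${id}`;
}

// Authorization value for the test App, encoded as UTF-8 before base64.
function basicAuth(user, password) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${password}`, "utf8").toString("base64");
}

// Copy of a headers object that is safe to write to execution logs.
function redact(headers) {
  const out = { ...headers };
  for (const k of Object.keys(out))
    if (/^(authorization|cookie)$/i.test(k)) out[k] = "[redacted]";
  return out;
}
```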

 

 
