# n8n Service Accounts | Jason Mcfeetors

## Metadata

- **Channel:** n8n
- **YouTube:** https://www.youtube.com/watch?v=LlZvtNtpZoI
- **Date:** 14.04.2022
- **Duration:** 9:50
- **Views:** 884

## Description

Jason shows you how to create automation while still keeping your SecOps team sane!

----------------------------------------------------------------
About n8n
n8n is the leading low-code automation tool, and with over 250 integrations, n8n enables you to connect anything to everything. With n8n you can move beyond simple integrations to build multi-step workflows that combine both 3rd party APIs and your own internal tools to create easy-to-use automations. Thanks to its fair-code distribution model, n8n will always have visible source code, be available to self-host, is completely free for personal or internal use and allows you to add your own custom functions, logic, and apps.

Download: https://n8n.io/#get-started
Deploy: https://docs.n8n.io/getting-started/i...
n8n Cloud: https://n8n.io/cloud

## Contents

### [0:00](https://www.youtube.com/watch?v=LlZvtNtpZoI) Intro

You might have interacted with our next speaker; it might be on the community forum, on Discord, or on Twitter. So Jason, today, has, uh, probably used n8n for almost everything, I can say, and, uh, today is gonna talk about how you can create automation and still keep your SecOps teams sane. So take it over, Jason.

All right, and I'll even share my camera, because it wouldn't be, uh, an n8n session if I didn't have my Hawaiian shirt on. So I'm just gonna share my screen, if I can find the right one. Uh, there we are.

### [0:46](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=46s) Overview

All right, I'm assuming everybody can see my screen. Yep. Uh, so, um, today is gonna be a little bit of a different presentation than what I typically do. Usually I come on here and show you some crazy thing I've done in n8n, uh, but we're going to focus a little bit more, because we're talking about security today, focus a little bit more on how you set up and configure your n8n workflows in order to make sure that you don't break security policies, uh, can keep your SecOps teams sane by making their lives easier. And we're gonna do that by using, um, using the, uh, using service accounts within n8n. So I guess right off the bat, you know,

### [1:33](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=93s) What are Service Accounts

what is a service account? Um, we don't necessarily hear about service accounts, uh, all the time. Uh, quite often that's a new concept to people, so I figured we'll spend a couple of minutes just kind of talking a little bit more about what the service account is. So service accounts are actually, uh, they're special accounts for non-interactive processes, which, guess what, that's what n8n is. What you do is you set up these accounts so that when you are doing different work and so on, this is the account that's being used. It's actually commonly seen on most server-based operating systems, so Windows, Linux, Mac, all these different systems have these service accounts built into them. And so if you've ever run an Apache server, you might have run across the www-data service account. So that's the account that's being used for, um, running all the Apache servers and everything behind the scenes.

### [2:34](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=154s) Credentials

So right now let's talk about how most no-code, low-code systems work with credentials. Uh, so typically what you'll do is you'll go in and, um, you'll use your unique credentials to access the platform, so you'll log in with your account. But then once you get into the platform, um, they ask you to do something which has always kind of thrown up a red flag for me: they ask you to give your personal credentials to access all the other systems. So if you want to access your mail account, your Google Drive, what have you, it always asks you for your personal account, and that's always kind of made me nervous. I tend to be a nervous person when it comes to stuff like that. Um, and, uh, often that's in the form of, like, a third-party, um, uh, authorization, so you're handing over your, the keys to your Google account or your Facebook account, for example. And, uh, so when I look at that I'm going, hmm, you know, do I really trust this platform? And so I thought to myself, well, there's got to be a better way to do this.

### [3:43](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=223s) Problems

And, um, because really, when you take a look at how we do it now, you know, there's really no differentiation between the user and the automation, and because there's no differentiation, all kinds of problems come up. So first of all, you've got no independent control of your automation. Your automation is always doing things as the user, and so there's really no way to control it independently. Um, second, you kind of relinquish your control to the automation itself, so that, you know, if the automation wants to do something as me, I really can't stop it unless I go in and start working with the automation itself. It's also pretty much impossible to audit the automation. You know, if, um, the automation looks like me and behaves like me and acts like me, it is me. And so if I have the SecOps team going in and trying to figure out what happened, you know, to my account, or what happened to, uh, something, you know, my email is missing, they have no way of knowing if I deleted an email or the automation did. And then finally, again, I kind of alluded to this earlier, um, though, you can't disable the automation from your side. You have to go into the automation itself and stop it, because if you do, you're going to be stuck with disabling your own account. So for example, if you're using your email credentials in the automation and it's, you know, sending off random emails to people, the only way that you can stop it without having access to the automation itself is to disable your own email account, and that's just a disaster waiting to happen.

### [5:19](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=319s) Service Accounts

So this is where the service accounts come in. My recommendation is that, whenever you can, create a separate service account for your automation. So I will often create an n8n account, uh, when I'm doing stuff. I will create an automations account for the, um, the startup that I'm working with. Um, you know, we have an account called oasis, and that's our automation account, and so we know that whenever we see this account, we see this information popping up, we know that this is an automation doing this. So it gives us a bunch of things, and the big part of it is around that it isolates the automation from the user, so you can independently control the automation, uh, you know, from the user. You can disable the account, enable the account, and it's not going to have any effect on your personal account. Uh, secondly, you, the user, maintains control of his own account, so it's not like stuff's going to be happening under your name; it's all completely isolated. Um, the automations are very easily auditable, because you'll have a different account name showing up as performing the different actions within the system. And finally, if an automation goes rogue or something happens that shouldn't be happening, um, it will very quickly be able to go and disable that account and stop it from doing things, even if you don't have access to the n8n dashboard or any of the other n8n processes.

### [6:54](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=414s) Service Accounts for n8n

So how do you set up service accounts for n8n? Um, it really varies depending upon what platform you're going to be, uh, going in and working with. So let's take a use case here, uh, just to kind of give you guys an example. So you're consulting to a business, and that business wants you to have the ability to read their calendar information, uh, from n8n, to see people's availability. They're using the G Suite of systems. So normally what you would do is you'd get that person's credentials and go in and access their, uh, information from their calendar. Two challenges come up to that. So one, what if you have a company of 100 people? Getting a hundred people to come in to n8n, put in all their credentials, set up all that information, especially with Google, because Google can be a challenge with all the different pieces that they need to do with the Google console, um, you're easily looking at a couple of hours per person, and that's a pretty long project. Now mind you, if you're billing, that might not be a bad thing, but, um, you may get some questions on your invoice. If you create and enable an account within G Suite for accessing the calendars, then all you need to do is set up that n8n account, and then all the users can share their calendars with that n8n automation account, and then they've got the ability to look at different people's accounts, look at their calendars, whether they're busy, what's available, so on and so forth. Um, for other systems, so going away from G Suite, what you might be able to do is create a separate account for them altogether, and if you don't need to share information but just access it, then you control the permissions. So HubSpot, for example, uh, you go in, create the account in HubSpot, and then HubSpot, uh, would give n8n the ability to access what it needs based on the roles that it has.

### [8:55](https://www.youtube.com/watch?v=LlZvtNtpZoI&t=535s) Summary

Uh, so to summarize: you keep independent control of the automation from the user, the user maintains control of his own account, the automation's actions are easily auditable, and the automation can be stopped from the user or the automation side. It's really the big advantages that you get from the service account. And with that, open to some questions, or maybe I'll pass it over to partial and, uh, we'll kind of keep on with the rest of the, uh, of the event here.

Awesome, thank you so much, Jason, for sharing this. Uh, like, these small tips can make a lot of difference and we don't realize that, so thank you, you know, for sharing these tips and helping us realize how important such small things can be.

---
*Source: https://ekstraktznaniy.ru/video/15714*