Using AWS Instance Profile for AWS Nodes

First, I love N8N, let me say that. 🙂

I am hosting N8N on AWS. N8N comes with an awesome set of integrations into various AWS services like SNS, SES, Lambda, etc. But to use any of those services, the AWS credential set requires the Access Key and Secret to be stored in the database, which is mostly against many security practices as far as AWS is concerned.

Is there any way for the inbuilt nodes (AWS SNS, SES, Lambda, etc.) to use a credential from an IAM Profile? I can see it happening if the supporting TS files use the AWS SDK rather than using a v4 signing SDK. The AWS SDK has both options of AccessKey/Secret and then Instance profile and signs everything up nicely.

Welcome to the community @sajith and great to hear that you love n8n! Always happy if n8n is useful for people!

Yes, you are right. The credentials get saved in the database. It is, however, important to understand that even if somebody would get access to it, they could not read them, as they get saved there only encrypted, and without the encryption password (which gets auto-generated the first time n8n starts) the data is totally worthless.

We try to avoid using any vendor-specific SDKs in n8n. The reason being that it would make n8n explode sooner rather than later and with each additional dependency the risk of a security vulnerability increases a lot.

I have honestly not that much experience with AWS and the IAM profiles so do not know if it is possible (but if you say I am sure it is) and how much work it would be. Anyway, our resources are sadly currently still extremely limited so that we have to concentrate on things which do not work rather than things which already do but could be slightly improved. Pull-requests for something like that are always more than welcome but we can probably sadly not look into it ourselves the next at least 6+ months. I hope that makes sense and you can understand. Sorry!

@jan - Thank you for your reply. I understand the logic behind no external SDKs or as much as possible and I support that view completely.

Would you guys be open to PRs if I try to make this more useful to AWS infrastructure? Maybe we can extend it to other cloud infrastructure too, because the most probable place N8N is going to be useful is cloud and I would love to help in any way I can.

Thanks a lot @sajith for understanding!

Sure, we are always more than thankful for any PR that improves n8n. So we would be very happy to have you on board as a contributor!
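
The approach discussed in this thread, sketched as an added example (not n8n code and not written by either poster): the instance profile's short-lived credentials are read from the EC2 metadata service (IMDSv2) and passed to a dependency-free SigV4 signer, so no long-lived Access Key or Secret is stored in the database. The function names, the SNS host, and all credential values are assumptions made for illustration.

```typescript
import { createHash, createHmac } from 'node:crypto';
import { request } from 'node:http';

// Short-lived role credentials as served by the EC2 instance metadata service.
interface RoleCreds { AccessKeyId: string; SecretAccessKey: string; Token: string; Expiration: string }

// Minimal IMDS call over plain HTTP to the link-local address; no SDK involved.
function imds(method: string, path: string, headers: Record<string, string>): Promise<string> {
  return new Promise((resolve, reject) => {
    const req = request({ host: '169.254.169.254', path, method, headers, timeout: 2000 }, (res) => {
      let body = '';
      res.on('data', (chunk) => (body += chunk));
      res.on('end', () => (res.statusCode === 200 ? resolve(body) : reject(new Error(`IMDS ${res.statusCode}`))));
    });
    req.on('timeout', () => req.destroy(new Error('IMDS timeout')));
    req.on('error', reject);
    req.end();
  });
}

// IMDSv2: get a session token with PUT, then read the attached role's keys.
// Nothing is persisted; call again shortly before creds.Expiration.
export async function fetchInstanceProfileCreds(): Promise<RoleCreds> {
  const token = await imds('PUT', '/latest/api/token', { 'X-aws-ec2-metadata-token-ttl-seconds': '300' });
  const auth = { 'X-aws-ec2-metadata-token': token };
  const base = '/latest/meta-data/iam/security-credentials/';
  const role = (await imds('GET', base, auth)).trim();
  return JSON.parse(await imds('GET', base + role, auth)) as RoleCreds;
}

const sha256 = (data: string): string => createHash('sha256').update(data).digest('hex');
const hmac = (key: string | Buffer, data: string): Buffer => createHmac('sha256', key).update(data).digest();

// SigV4 for a POST to "/" with no query string. The session token travels in
// x-amz-security-token and is signed together with host and x-amz-date.
export function signRequest(c: RoleCreds, region: string, service: string, host: string, body: string, now: Date): Record<string, string> {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, '');
  const date = amzDate.slice(0, 8);
  const headers: Record<string, string> = { host, 'x-amz-date': amzDate, 'x-amz-security-token': c.Token };
  const signed = Object.keys(headers).sort();
  const canonical = ['POST', '/', '', ...signed.map((n) => `${n}:${headers[n]}`), '', signed.join(';'), sha256(body)].join('\n');
  const scope = `${date}/${region}/${service}/aws4_request`;
  const toSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256(canonical)].join('\n');
  const key = [date, region, service, 'aws4_request'].reduce<string | Buffer>(hmac, `AWS4${c.SecretAccessKey}`);
  const signature = hmac(key, toSign).toString('hex');
  headers['authorization'] = `AWS4-HMAC-SHA256 Credential=${c.AccessKeyId}/${scope}, SignedHeaders=${signed.join(';')}, Signature=${signature}`;
  return headers;
}
```

On an instance, `signRequest(await fetchInstanceProfileCreds(), ...)` yields the headers to send with the request; IMDS is only reachable from the instance itself, and the role attached to the profile should be scoped to the actions the workflows need.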