Using n8n without AWS credentials when the workflow is hosted inside AWS

shamimak31 · January 9, 2026, 7:36am

Hi everyone,

I’m planning to deploy n8n inside my AWS VPC (most likely on an EC2 instance or via ECS).

My goal is to allow n8n workflows to access other AWS services (S3, Lambda, DynamoDB, etc.) without manually configuring AWS credentials like access key ID or secret key inside n8n.

Is it possible to use IAM Roles / Instance Profiles so that n8n can automatically authenticate to AWS services via the VPC/EC2 role?

If yes:

What is the recommended deployment approach (EC2 vs ECS vs EKS)?
Does n8n’s AWS nodes support IAM role–based authentication out of the box?
Are there any specific environment variables or configuration changes required?

Any best practices or reference architectures would be really helpful. Thanks!

Wouter_Nigrini · January 9, 2026, 6:11pm

Hi @shamimak31 I dont believe this is possible

arnaud-ch · January 13, 2026, 8:44pm

Would pod identity do the job? I just tried to use the feature but it seems buggy.

Also can I use IRSA as a fail over? I tried it and it’s not working either. So i need to use the Assumed role credential?

all-you-can-pete · January 13, 2026, 10:58pm

The basic AWS credential in n8n supports providing a Session Token to allow the use of temporary security credentials. n8n also provides an Assume Role credential which has the option of using n8n’s system credential to assume a role.

The system credential follows the normal credential chain so, depending on your deployment choice, can be system environment variables, EC2 instance profile, ECS task role or EKS Pod Identity.

If you create a role with the relevant permissions you need and allow it to be assumed by n8n’s system credential, you can use the Assume Role credential to use that role without needing to provide access keys etc.

If you host on EKS, EKS Pod Identity is currently broken and the system credential will default to the instance profile of the node the pod is running on.

arnaud-ch · January 14, 2026, 3:18pm

Thanks @all-you-can-pete for sharing, it was super useful. I’ve got the AWS assume role credential working (connecting successfully), however my next challenge is that the Bedrock node I use doesn’t seem to support it, it only allows me to use a classic AWS role. I’ll revert back here, if / when I find a solution

CriscriptX · February 17, 2026, 2:19pm

Hi guys,
Do you know if it’s solved? I have the same problem.

Thanks for your comments!

all-you-can-pete · March 9, 2026, 11:22am

@CriscriptX - Yes, it was released in v2.10.0