Managing n8n Secrets With AWS Secrets Manager
n8n stores credentials for many systems. That does not mean every runtime secret should live inside a workflow. When n8n runs on ECS, AWS Secrets Manager should own the platform secrets needed to start the service, connect to dependencies, and decrypt n8n-managed credentials.
The distinction matters. n8n credentials are application data. ECS task secrets are platform configuration. Mixing the two makes rotation and incident response harder.
Context
Problem: Self-hosted n8n deployments often spread secrets across local files, environment files, task definitions, and workflows. Approach: Keep platform secrets in Secrets Manager and inject them into ECS tasks through the task definition. Outcome: Secret access is controlled by IAM, release history is cleaner, and rotation becomes easier to reason about.
Secret inventory
At minimum, track these values:
N8N_ENCRYPTION_KEY.- Database username and password.
- Redis password if Redis authentication is enabled.
- User management JWT secret when explicitly configured.
- SMTP or OIDC secrets for platform login.
- API tokens used by deployment automation.
Workflow-specific API keys may still be stored as n8n credentials, but they need their own ownership, rotation cadence, and blast-radius review.
ECS injection pattern
Use the ECS secrets container definition field instead of plain environment values.
1
2
3
4
5
6
7
8
9
10
11
12
{
"secrets": [
{
"name": "DB_POSTGRESDB_PASSWORD",
"valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:n8n/prod/db-password"
},
{
"name": "N8N_ENCRYPTION_KEY",
"valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:n8n/prod/encryption-key"
}
]
}
The task execution role needs permission to retrieve those secrets. The runtime task role should not automatically get broad secret access unless workflows genuinely need it.
Rotation realities
Environment-injected secrets are read when the task starts. If a secret changes, existing tasks do not magically receive the new value. Plan rotation around a forced service deployment and validate the new tasks before draining the old ones.
For N8N_ENCRYPTION_KEY, rotation is more sensitive than ordinary password rotation. Treat it as a controlled maintenance operation with backup, validation, and rollback planning.
Blue team checks
- Alert on Secrets Manager reads by unexpected roles.
- Review task definition diffs for new secret ARNs.
- Confirm production secrets are not referenced by staging services.
- Track who changed secret values and who deployed the task revision.
- Verify container logs never print secret values during startup.
Takeaways
Secrets Manager gives n8n on ECS a clean platform-secret boundary. Keep the task execution role narrow, rotate through deployments, and treat encryption-key handling as a first-class operational risk.