feat: Add AWS CLI profile authentication support

[sofianhamiti]

• Add authentication type selector to AWS credentials (Access Keys vs Profile)
• Support AWS CLI profile names (default and custom profiles)
• Use native AWS SDK fromNodeProviderChain for credential resolution
• Maintain full backwards compatibility with existing access key auth
• Available for Bedrock and all AWS nodes in N8N

Summary

This PR adds support for authenticating with AWS using AWS CLI profiles (from ~/.aws/credentials and ~/.aws/config), in addition to the existing access key authentication.

Why This Change?

• More secure for local development: No need to copy/paste access keys into n8n
• Follows AWS best practices: AWS recommends using profiles and temporary credentials
• Supports all AWS credential types: IAM users, IAM roles, SSO, temporary credentials, etc.
• Easier for users: Users who already have AWS CLI configured can immediately use n8n without additional setup
• Better for teams: Team members can use their individual AWS profiles without sharing credentials

Changes Made

1. AWS Credentials (Aws.credentials.ts): Added "Authentication Type" selector with Access Keys (default) and AWS Profile options
2. Types (types.ts): Extended AwsIamCredentialsType with authenticationType and awsProfile fields
3. Bedrock Node (LmChatAwsBedrock.node.ts): Updated to handle profile-based authentication
4. Dependencies: Added @aws-sdk/credential-providers to both nodes-base and nodes-langchain packages

How to Use

1. Go to Settings → Credentials → Add Credential → AWS (IAM)
2. Select Authentication Type → AWS Profile
3. Enter your AWS profile name (e.g., "default" or custom profile)
4. Select your AWS region
5. Use with any AWS node (Bedrock, S3, Lambda, etc.)

Backwards Compatibility

✅ 100% backwards compatible - existing credentials continue to work unchanged (default type: "Access Keys")

Related Linear tickets, Github issues, and Community forum posts

Related to #21568 - This PR adds AWS CLI profile authentication support, addressing part of the request for better AWS credential chain support.

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[CLAassistant]

All committers have signed the CLA.

[cubic-dev-ai]

1 issue found across 6 files

Prompt for AI agents (all 1 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/nodes-base/credentials/Aws.credentials.ts">

<violation number="1" location="packages/nodes-base/credentials/Aws.credentials.ts:168">
P1: Avoid switching AWS profiles by mutating process.env for each request; this creates cross-request race conditions and can resolve another user’s credentials. Pass the profile/region directly to fromNodeProviderChain instead of rewriting global env vars.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Ask questions if you need clarification on any suggestion

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P1: Avoid switching AWS profiles by mutating process.env for each request; this creates cross-request race conditions and can resolve another user’s credentials. Pass the profile/region directly to fromNodeProviderChain instead of rewriting global env vars.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/nodes-base/credentials/Aws.credentials.ts, line 168:

<comment>Avoid switching AWS profiles by mutating process.env for each request; this creates cross-request race conditions and can resolve another user’s credentials. Pass the profile/region directly to fromNodeProviderChain instead of rewriting global env vars.</comment>

<file context>
@@ -87,14 +147,64 @@ export class Aws implements ICredentialType {
+			};
+
+			try {
+				process.env.AWS_PROFILE = profileName;
+				process.env.AWS_REGION = region;
+
</file context>

[n8n-assistant]

Hey @sofianhamiti,

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email [email protected] and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-5816". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.