A place to store n8n, lemlist, Claude, and and Google Sheets Keys
Stop hardcoding API keys in your n8n workflows! This comprehensive guide shows you how to securely store and retrieve API keys using AWS Secrets Manager – for just $1.60/month.
Why Use AWS Secrets Manager?
Before this setup:
- API keys hardcoded in n8n workflows
- Security risks if workflows are shared
- Manual key rotation
- No centralized key management
After this setup:
- All API keys stored securely in AWS
- Automatic encryption at rest
- Centralized management
- Easy rotation and access control
- Costs only $0.40 per secret per month
Overview: What We’ll Build
Claude API Key (Anthropic) → AWS Secrets Manager → n8n Workflows
Lemlist API Key → AWS Secrets Manager → n8n Workflows
Google Sheets Credentials → AWS Secrets Manager → n8n Workflows
Total estimated cost: $1.60/month for 4 API secrets
Part 1: Secure Your AWS Root Account
Step 1: Enable MFA on Root Account
Critical first step – never skip this!
- Sign into AWS Console with your root account (email/password)
- Go to Security Credentials:
- Click your account name (top right) → “Security credentials”
- Find “Multi-factor authentication (MFA)” section
- Click “Assign MFA device”
- Choose “Virtual MFA device”
- Install Microsoft Authenticator on your phone
- Scan the QR code in Microsoft Authenticator
- Enter two consecutive codes:
- Enter first 6-digit code
- Wait 30 seconds for new code
- Enter second 6-digit code
- Click “Assign MFA”
Test it: Sign out and back in – you should now need email + password + MFA code.
Part 2: Create Your Admin User
Stop using the root account for daily tasks!
Step 2: Create Personal Admin User
- Go to IAM → Users → Create user
- User details:
- Username:
n8n-admin(or your preferred name) - ✅ Check “Provide user access to AWS Management Console”
- ✅ Check “I want to create an IAM user”
- Username:
- Set password:
- Select “Custom password”
- Enter strong password (save in password manager!)
- ❌ Uncheck “Users must create new password at next sign-in”
- Click “Next”
- Permissions:
- Select “Attach policies directly”
- Search for “AdministratorAccess”
- ✅ Check “AdministratorAccess”
- Skip tags
- Click “Create user”
Save your credentials:
- Username:
n8n-admin - Console sign-in URL: (AWS provides this)
- Password: (the one you set)
Step 3: Test and Secure Admin User
- Sign out of root account
- Sign in with n8n-admin using the console URL
- Add MFA to admin user:
- Go to IAM → Users → n8n-admin
- Click “Security credentials” tab
- Under MFA section → “Assign MFA device”
- Choose “Virtual MFA device”
- Name:
n8n-admin - iPhone - Scan QR code with Microsoft Authenticator
- Enter two consecutive codes
Test it: Sign out and back in with n8n-admin – should require MFA.
Part 3: Create Service Account for n8n
Step 4: Create n8n Service User
This user will have limited permissions – only read secrets.
- While logged in as n8n-admin:
- Go to IAM → Users → Create user
- User details:
- Username:
n8n-secrets-user - ❌ DO NOT check console access (programmatic only)
- Username:
- Click “Next”
- Permissions:
- Select “Attach policies directly”
- Click “Create policy” (opens new tab)
Step 5: Create Custom Security Policy
In the new policy tab:
- Click “JSON” tab
- Replace all content with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetN8NSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:n8n/*"
]
},
{
"Sid": "ListSecretsForN8N",
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": "*",
"Condition": {
"StringLike": {
"secretsmanager:Name": "n8n/*"
}
}
}
]
}
- Click “Next”
- Policy details:
- Name:
N8N-SecretsManager-Policy - Description:
Allows n8n to read API keys from Secrets Manager
- Name:
- Skip tags
- Click “Create policy”
Step 6: Attach Policy to User
- Return to user creation tab
- Refresh the page if policy doesn’t appear
- Search for:
N8N-SecretsManager-Policy - ✅ Check the policy
- Click “Next”
- Skip tags
- Click “Create user”
Step 7: Create Access Keys
- Go to IAM → Users → n8n-secrets-user
- Click “Security credentials” tab
- Scroll to “Access keys” section
- Click “Create access key”
- Choose use case: “Application running outside AWS”
- Add description:
n8n API keys access - Click “Create access key”
🚨 CRITICAL: Save these immediately – you won’t see them again!
- Access Key ID:
AKIA... - Secret Access Key:
wJalrXUtnFEMI...
Part 4: Get Your API Keys
Step 8: Create Claude API Key
- Go to: https://console.anthropic.com/
- Click “API Keys”
- Click “Create Key”
- Name:
claude-api-production - Copy the full key immediately (starts with
sk-ant-api03-...)
Step 9: Create Lemlist API Key
- Go to: https://app.lemlist.com/
- Sign in to your Lemlist account
- Go to Settings → Integrations
- Click “API” or “Developer”
- Generate new API key:
- Name:
n8n-automation - Copy the API key immediately
- Name:
- Save the key – it typically starts with
ll_or similar format
Step 10: Set Up Google Sheets API Access
Create Google Cloud Project:
- Go to: https://console.cloud.google.com/
- Create new project:
- Project name:
n8n-integrations - Click “Create”
- Project name:
Enable Google Sheets API:
- Go to APIs & Services → Library
- Search for “Google Sheets API”
- Click “Google Sheets API” → “Enable”
Create Service Account:
- Go to APIs & Services → Credentials
- Click “Create Credentials” → “Service Account”
- Service account details:
- Name:
n8n-sheets-access - Description:
Service account for n8n Google Sheets integration
- Name:
- Click “Create and Continue”
- Skip role assignment (we’ll set permissions on individual sheets)
- Click “Done”
Generate Service Account Key:
- Click on your new service account
- Go to “Keys” tab
- Click “Add Key” → “Create new key”
- Choose “JSON” format
- Click “Create”
- Save the downloaded JSON file – it contains all credentials
Alternative: OAuth2 Setup (for user access):
If you prefer OAuth2 instead of service account:
- Go to APIs & Services → Credentials
- Click “Create Credentials” → “OAuth client ID”
- Choose “Desktop application”
- Name:
n8n-oauth-client - Click “Create”
- Save Client ID and Client Secret
- Generate refresh token using OAuth2 playground or similar tool
Part 5: Store Secrets in AWS
Step 11: Create Claude API Secret
- Go to AWS Secrets Manager: https://console.aws.amazon.com/secretsmanager/
- Click “Store a new secret”
- Choose “Other type of secret”
- Key/value pairs:
- Key:
api_key - Value:
sk-ant-api03-[your-full-claude-key]
- Key:
- Leave encryption as default
- Click “Next”
- Secret name:
n8n/claude/api-key - Description:
Claude API key for n8n workflows - Click “Next”
- Disable automatic rotation
- Click “Next”
- Click “Store”
Step 12: Create Lemlist API Secret
- In AWS Secrets Manager, click “Store a new secret”
- Choose “Other type of secret”
- Key/value pairs:
- Key:
api_key - Value:
[your-lemlist-api-key]
- Key:
- Click “Next”
- Secret name:
n8n/lemlist/api-key - Description:
Lemlist API key for email campaign automation - Click “Next”
- Disable automatic rotation
- Click “Next”
- Click “Store”
Step 13: Create Google Sheets Credentials Secret
For Service Account (Recommended):
- Click “Store a new secret”
- Choose “Other type of secret”
- Key/value pairs (from your downloaded JSON file):
- Key:
type, Value:service_account - Key:
project_id, Value:[your-project-id] - Key:
private_key_id, Value:[your-private-key-id] - Key:
private_key, Value:[your-private-key](include the full key with —–BEGIN/END—–) - Key:
client_email, Value:[your-service-account-email] - Key:
client_id, Value:[your-client-id] - Key:
auth_uri, Value:https://accounts.google.com/o/oauth2/auth - Key:
token_uri, Value:https://oauth2.googleapis.com/token
- Key:
- Click “Next”
- Secret name:
n8n/google-sheets/service-account - Description:
Google Sheets service account credentials for n8n - Disable rotation → “Store”
For OAuth2 Setup:
- Click “Store a new secret”
- Choose “Other type of secret”
- Key/value pairs:
- Key:
client_id, Value:[your-oauth-client-id] - Key:
client_secret, Value:[your-oauth-client-secret] - Key:
refresh_token, Value:[your-refresh-token] - Key:
access_token, Value:[your-access-token](optional)
- Key:
- Secret name:
n8n/google-sheets/oauth - Description:
Google Sheets OAuth2 credentials for n8n
Step 14: Verify All Secrets
Go to Secrets Manager dashboard:
- You should see 3-4 secrets with names starting with
n8n/ - Each costs $0.40/month
- All should show “Active” status
Your secrets structure:
n8n/claude/api-key
n8n/lemlist/api-key
n8n/google-sheets/service-account (or oauth)
Part 6: Using in n8n
Step 15: Configure n8n AWS Connection
In your n8n workflows:
- Add AWS Secrets Manager node
- Configure credentials:
- AWS Access Key ID:
AKIA...(from Step 7) - AWS Secret Access Key:
wJalrXUtnFEMI...(from Step 7) - Region:
us-east-2(or your chosen region)
- AWS Access Key ID:
Step 16: Retrieve Claude API Key
AWS Secrets Manager node configuration:
- Secret Name:
n8n/claude/api-key - Version Stage:
AWSCURRENT
Set node to extract the key:
// In a Set node after AWS Secrets Manager
const secretData = JSON.parse($node["AWS Secrets Manager"].json["SecretString"]);
return [{
claude_api_key: secretData.api_key
}];
Step 17: Retrieve Lemlist API Key
AWS Secrets Manager node:
- Secret Name:
n8n/lemlist/api-key
Use in HTTP Request node:
// In HTTP Request node for Lemlist API
// Authorization: Bearer {{$node["Set Lemlist Key"].json["api_key"]}}
Step 18: Retrieve Google Sheets Credentials
For Service Account:
// In a Set node after retrieving Google Sheets secret
const secretData = JSON.parse($node["AWS Secrets Manager"].json["SecretString"]);
return [{
google_service_account: {
type: secretData.type,
project_id: secretData.project_id,
private_key: secretData.private_key,
client_email: secretData.client_email,
// ... other fields
}
}];
Share sheet with service account:
- In Google Sheets, click “Share”
- Add the service account email (from your JSON file)
- Give “Editor” or “Viewer” permissions
Example n8n Workflow Structure
Multi-API Workflow:
1. AWS Secrets Manager → Get Claude API key
2. AWS Secrets Manager → Get Lemlist API key
3. AWS Secrets Manager → Get Google Sheets credentials
4. Set Variables → Extract all keys
5. Google Sheets → Read data
6. Claude API → Process data
7. Lemlist → Send personalized emails
Security Best Practices
✅ What We Implemented
- Root account MFA: Emergency access only
- Admin user MFA: Your daily access
- Service account: Limited permissions, no console access
- Least privilege: n8n user can only read n8n/* secrets
- Encryption: All secrets encrypted at rest
- Audit trail: CloudTrail logs all secret access
🔄 Ongoing Maintenance
Every 90 days:
- Rotate access keys for n8n-secrets-user
- Review secret access logs
- Update API keys in Secrets Manager
Monthly:
- Check AWS bill (should be ~$1.60 for 4 secrets)
- Review CloudTrail logs for unusual activity
Cost Breakdown
| Item | Monthly Cost |
|---|---|
| Claude API secret | $0.40 |
| Lemlist API secret | $0.40 |
| Google Sheets credentials | $0.40 |
| Additional API secrets | $0.40 each |
| Total for 4 secrets | $1.60/month |
Plus minimal charges for API calls (~$0.05 per 10,000 requests)
Troubleshooting Common Issues
“Policy not found during user creation”
- Refresh the browser tab where you’re creating the user
- Policy creation can take 30-60 seconds to propagate
“Access Denied” when retrieving secrets
- Verify the secret name starts with
n8n/ - Check that you’re using the correct AWS region
- Ensure access keys belong to
n8n-secrets-user
“Secret not found” in n8n
- Verify secret name exactly matches (case-sensitive)
- Check AWS region configuration in n8n
- Test API credentials in AWS CLI first
Lemlist API Issues
- Verify your Lemlist plan supports API access
- Check API rate limits in Lemlist dashboard
- Ensure API key has correct permissions for your use case
Google Sheets Access Denied
- For Service Account: Share the specific sheet with service account email
- For OAuth2: Ensure refresh token hasn’t expired
- Check that Google Sheets API is enabled in Google Cloud Console
- Verify the service account has proper IAM roles
High unexpected charges
- Each secret costs $0.40/month (not per access)
- Check if you accidentally enabled Premium HSM encryption
- Review CloudTrail logs for unexpected API usage
Alternative Approaches Considered
Why Not Environment Variables?
- Security: Visible in process lists and logs
- Rotation: Manual updates across all deployments
- Sharing: Difficult to share workflows safely
Why Not n8n Credentials Store?
- Backup: Harder to backup and restore
- Centralization: Not accessible by other applications
- Enterprise: Limited audit and compliance features
Next Steps
Immediate Actions
- Test your setup by creating a simple n8n workflow
- Create secrets for all your current API integrations
- Update existing workflows to use Secrets Manager
- Set calendar reminder for 90-day key rotation
Advanced Configurations
- Set up CloudTrail for detailed audit logging
- Create CloudWatch alarms for unusual secret access
- Implement automated key rotation with Lambda functions
- Use AWS IAM Identity Center for larger team setups
Conclusion
This setup provides enterprise-grade security for your n8n API keys at an incredibly low cost. You now have:
- ✅ Secure storage for all API credentials
- ✅ Centralized management through AWS console
- ✅ Audit trail of all secret access
- ✅ Easy rotation process for keys
- ✅ Cost-effective solution at $1.60/month
The initial setup takes about 30 minutes, but you’ll save hours of security headaches and have peace of mind knowing your API keys are properly secured.
This guide was tested in August 2025 with n8n, AWS Secrets Manager, and Claude API. Costs and interfaces may change over time.