Auto-Renew AWS Certificates with Slack Approval Workflow

Download [12.6KB]

Nodes

AWS Certificate Manager (ACM) Auto-Renew with Slack notify & approval

Who’s it for

SRE/DevOps teams managing many ACM certs.
Cloud ops who want hands-off renewals with an approval step in Slack.
MSPs that need auditable reminders and renewals on schedule.

How it works / What it does

Schedule Trigger – runs daily (or your cadence).
Get many certificates – fetches ACM certs (paginate if needed).
Filter: expiring in next 7 days – keeps items where:
- NotAfter before today + 7d
- NotBefore before today (already valid)
Send message and wait for response (Slack) – posts a certificate summary and pauses until Approve/Reject.
Renew a certificate – on Approve, calls the renew action for the item.

How to set up

Credentials
- AWS in n8n with permissions to list/read/renew certs.
- Slack OAuth (bot in the target channel).
Schedule Trigger
- Set to run once per day (e.g., 09:00 local).
Get many certificates
- Region: your ACM region(s).
- If you have several regions, loop regions or run multiple branches.
Filter (IF / Filter node)
- Add these two conditions (AND):
  - {{ $json.NotAfter.toDateTime('s') }} is before {{ $today.plus(7,'days') }}
  - {{ $json.NotBefore.toDateTime('s') }} is before {{ $today }}

Slack → Send & Wait

Message (text input):

:warning: *ACM Certificate Expiry Alert* :warning:

*Domain:* {{ $json.DomainName }}
*SANs:* {{ $json.SubjectAlternativeNameSummaries }}
*ARN:* {{ $json.CertificateArn }}
*Algo:* {{ $json.KeyAlgorithm }}
*Status:* {{ $json.Status }}
*Issued:* {{ $json.IssuedAt | toDate | formatDate("YYYY-MM-DD HH:mm") }}
*Expires:* {{ $json.NotAfter | toDate | formatDate("YYYY-MM-DD HH:mm") }}

Approve to start renewal.

Add two buttons: Approve / Reject (the node will output which was clicked).

Renew a certificate
- Map the CertificateArn from the Slack Approved branch.

Requirements

n8n (current version with Slack Send & Wait).
AWS IAM permissions (read + renew ACM), e.g.:
- acm:ListCertificates, acm:DescribeCertificate, acm:RenewCertificate (plus region access).
Slack bot with permission to post & use interactivity in the target channel.

How to customize the workflow

Window size: change 7 to 14 or 30 days in the filter.
Catch expired: add an OR path {{ $json.NotAfter.toDateTime('s') }} is before {{ $today }} → send a red Slack alert.
Auto-renew w/o approval: bypass Slack and renew directly for low-risk domains.
Multiple regions/accounts: iterate over a list of regions or assume roles per account.
Logging: add a Google Sheet/DB append after Slack click with user, time, result.
Escalation: if no Slack response after N hours, ping @oncall or open a ticket.

Notes

The Slack node pauses execution until a button is clicked—perfect for change control.
Time conversions above assume NotAfter/IssuedAt are Unix seconds ('s'). Adjust if your data differs.