AWS Connector

This section explains how to configure and manage the AWS Connector.

Required By

Prerequisites

On the Horizon side, you may need to set up a Proxy to reach AWS.

On the AWS side, you need to create a user with the AWS IAM module, following the AWS guide. Create an access key for that user and grant the user the appropriate permissions. The created user should hold the following permissions:

  • AWSResourceGroupsReadOnlyAccess

  • ResourceGroupsandTagEditorReadOnlyAccess

  • AWSCertificateManagerFullAccess

After performing these steps, you will get the following information, required later:

  • the AWS Region

  • the User Access Key ID

  • the User Access Key Secret

On top of that, you need to define a Resource Group, using AWS Resource Groups and Tags Editor, with the following characteristics:

  • Group Type: Tag based

  • Resource Type: AWS::CertificateManager::Certificate

  • Tag key and value (e.g. key=manage and value=HRZ)

After performing these steps, you will get the following information, required later:

  • The Resource Group name

  • the Tag name

  • the Tag value
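
As an added illustration (not part of the Horizon documentation or product code), the Python example below builds the tag-based resource query described above and applies a simplified local model of its matching to a constructed inventory, showing which resources fall inside the group. The function names, the sample ARNs and the exact-match model are assumptions; the tag key and value are the ones this page uses as an example.

```python
import json

ACM_TYPE = "AWS::CertificateManager::Certificate"  # resource type from the prerequisites

def build_resource_query(tag_key, tag_value):
    """ResourceQuery for a tag-based group restricted to ACM certificates."""
    if not tag_key or not tag_value:
        raise ValueError("tag key and tag value are both required")
    inner = {
        "ResourceTypeFilters": [ACM_TYPE],
        "TagFilters": [{"Key": tag_key, "Values": [tag_value]}],
    }
    # The Resource Groups API takes Query as a JSON-encoded string.
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}

def in_scope(resource_query, resource):
    """Assumed model: type must be listed, every tag filter must match exactly."""
    query = json.loads(resource_query["Query"])
    if resource["type"] not in query["ResourceTypeFilters"]:
        return False
    tags = resource.get("tags", {})
    return all(tags.get(f["Key"]) in f["Values"] for f in query["TagFilters"])

def managed_arns(resource_query, inventory):
    """ARNs from the inventory that the group would contain."""
    return [r["arn"] for r in inventory if in_scope(resource_query, r)]

# Constructed inventory (not real resources); 111122223333 is a placeholder account.
SAMPLE_INVENTORY = [
    {"arn": "arn:aws:acm:eu-west-1:111122223333:certificate/constructed-0001",
     "type": ACM_TYPE, "tags": {"manage": "HRZ"}},
    {"arn": "arn:aws:acm:eu-west-1:111122223333:certificate/constructed-0002",
     "type": ACM_TYPE, "tags": {"manage": "hrz"}},   # wrong case: excluded
    {"arn": "arn:aws:acm:eu-west-1:111122223333:certificate/constructed-0003",
     "type": ACM_TYPE, "tags": {}},                  # untagged: excluded
    {"arn": "arn:aws:s3:::constructed-bucket",
     "type": "AWS::S3::Bucket", "tags": {"manage": "HRZ"}},  # not ACM: excluded
]

if __name__ == "__main__":
    query = build_resource_query("manage", "HRZ")
    print(json.dumps(query, indent=2))
    for arn in managed_arns(query, SAMPLE_INVENTORY):
        print("in group:", arn)
```

The dictionary returned by `build_resource_query` has the shape of the ResourceQuery parameter accepted by the Resource Groups CreateGroup API.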

How to configure AWS Connector

1. Log in to Horizon Administration Interface.

2. Access AWS Connectors from the drawer or card: Third Parties > AWS > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • Region* (string input):
    Enter a valid AWS region. Here’s the region list from AWS.

  • AWS Access Key Credentials (select):
    Select Login credentials containing the User Access Key ID and secret used by Horizon to connect to AWS.

  • Proxy (string select):
    The HTTP/HTTPS proxy to use to reach AWS, if any.

  • Timeout* (finite duration):
    The timeout for Horizon-initiated connections to AWS. Must be a valid finite duration.

Assets identification

  • Resource group name (string input):
    Name of the resource group pointing to the tag name and value.

  • Role ARN (string input):
    Name of the AWS role Horizon will impersonate in ACM.

  • Tag key (string input):
    Name of the tag used to identify certificates managed by Horizon in ACM.

  • Tag value (string input):
    Value of the tag used to identify certificates managed by Horizon in ACM.

Actors and renewal management

  • Throttle duration* (finite duration):
    Set by default at 3 seconds. Must be a valid finite duration.

  • Renewal period (finite duration):
    Certificate renewal period (time before expiration to trigger renewal). Must be a valid finite duration.

5. Click on the save button.

You can update (Edit Connector) or delete (Delete Connector) the AWS Connector.

You won’t be able to delete an AWS Connector if it is referenced somewhere else.

Synchronize your third party

Your third-party certificates can be synchronized with Horizon using scheduled tasks.

Scheduled tasks are a WebRA feature that periodically synchronizes automatic renewal or revocation events with a third party, based on what occurs on a WebRA profile. More specifically, a scheduled task periodically checks whether a certificate has entered the "renewal period" defined in the connector’s configuration, and renews it automatically if necessary.

1. Refer to the third party connector documentation to create a third party connector.

2. Ensure you have an existing WebRA Profile: renewal will be automated on the selected profile.

3. Follow the documentation of the WebRA Scheduled Tasks section to properly configure a scheduled task.