Authenticate by using access tokens

This document shows how to set up authentication to access Google Cloud APIs when your SAP system is hosted on a Compute Engine VM instance.

Set up authentication

To set up authentication, perform the following steps:

  1. In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.

    Go to API library

    For information about how to enable Google Cloud APIs, see Enabling APIs.

  2. In the Google Cloud console, create an IAM service account for the host VM instance.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  3. Grant the Service Account Token Creator role to the service account. For instructions, see Grant a single role.

  4. Attach the service account to the VM instance where your SAP workload is running. Also, set the VM's access scope to cloud-platform.

    • If you specify the service account by using the Google Cloud console, then the VM's access scope automatically defaults to the cloud-platform scope.
    • If you specify the service account by using the Google Cloud CLI or the Compute Engine API, then you need to set the API access scope to Allow full access to all Cloud APIs.

      For instructions, see Create a VM and attach the service account.

      After updating the scope, restart the VM. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.

  5. In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs.

    Go to Service accounts

    For instructions, see Create a service account.

  6. Grant the service account the IAM roles it needs for the API functionality you plan to use. To understand the role requirements for each Google Cloud API, see the individual API documentation and follow the principle of least privilege. For more information about API-specific predefined roles, see Find IAM roles for Google Cloud APIs.

  7. If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.

  8. In the SAP system, configure the client key:

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

    3. Click New Entries.

    4. Enter values for the following fields:

      Google Cloud Key Name
        Specify a name for the client key configuration. For example, TEST_PUBSUB.

      Google Cloud Service Account Name
        Specify the name of the service account to which you have granted permissions to access Google Cloud APIs. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.

        If the host VM of your SAP system that contains the SDK is in a different project than the one with the Google Cloud APIs enabled, then specify the service account that is used for accessing Google Cloud APIs. For more information, see Set up service accounts in a cross-project environment.

      Google Cloud Scope
        Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.

      Google Cloud Project Identifier
        Specify the ID of the Google Cloud project that contains your target APIs.

      Command name
        Leave this field blank.

      Authorization Class
        Specify the authorization class, /GOOG/CL_AUTH_GOOGLE.

      Token Caching
        The flag that determines whether the access tokens retrieved from Google Cloud are cached.

        We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.

      Token Refresh Seconds
        The amount of time, in seconds, after which a cached access token is treated as expired and must be refreshed. The default value is 3500.

      Authorization Parameter 1
        Leave this field blank.

      Authorization Parameter 2
        Leave this field blank.
    5. Save the new entry.

  9. In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.

    For information about creating RFC destinations, see RFC destinations.

  10. In the SAP system, configure the service mapping table for the IAM API and for any other APIs that you plan to consume using the ABAP SDK for Google Cloud.

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

    3. Click New Entries.

    4. Specify RFC destinations for the IAM API and for the other APIs you plan to use, for example, Pub/Sub API v1:

      Name                   Service Name                   RFC Destination
      Google Cloud Key Name  iamcredentials.googleapis.com  ZGOOG_IAMCREDENTIALS
      Google Cloud Key Name  pubsub:v1                      ZGOOG_PUBSUB_V1
    5. Save the new entry.

  11. In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.
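The token flow that steps 1 through 11 configure, as an added Python example that is not part of this page or of the ABAP SDK for Google Cloud: the VM's attached service account (which holds the Service Account Token Creator role) obtains its own token from the Compute Engine metadata server, then calls the IAM Service Account Credentials API to mint a cloud-platform-scoped token for the dedicated service account named in the client key, and the result is cached for Token Refresh Seconds. The endpoint URLs are the public Google Cloud ones; TokenProvider, http_json and the FakeTransport stand-in are constructed for this example and are not SDK classes.

```python
import json
import time
import urllib.request

METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
IAM_CREDENTIALS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                       "serviceAccounts/{sa}:generateAccessToken")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def http_json(url, headers=None, body=None):
    # Real transport: GET when body is None, otherwise POST JSON; returns parsed JSON.
    data = None if body is None else json.dumps(body).encode()
    hdrs = {**(headers or {}), **({"Content-Type": "application/json"} if data else {})}
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=hdrs), timeout=10) as r:
        return json.loads(r.read())

class TokenProvider:
    # Mirrors the client key fields: service account, scope, Token Refresh Seconds.
    def __init__(self, service_account, scope=CLOUD_PLATFORM_SCOPE,
                 refresh_seconds=3500, transport=http_json, clock=time.time):
        self.sa, self.scope, self.refresh_seconds = service_account, scope, refresh_seconds
        self.transport, self.clock, self._cached = transport, clock, None
    def fetch_token(self):
        # Hop 1: token of the VM's attached service account from the metadata server.
        vm = self.transport(METADATA_TOKEN_URL, {"Metadata-Flavor": "Google"})
        # Hop 2: that token (Service Account Token Creator role) mints a token for the
        # dedicated service account through the IAM Service Account Credentials API.
        resp = self.transport(IAM_CREDENTIALS_URL.format(sa=self.sa),
                              {"Authorization": "Bearer " + vm["access_token"]},
                              {"scope": [self.scope], "lifetime": "3600s"})
        return resp["accessToken"]
    def access_token(self):
        # Token caching: reuse the token until Token Refresh Seconds have elapsed.
        now = self.clock()
        if self._cached and now - self._cached[1] < self.refresh_seconds:
            return self._cached[0]
        self._cached = (self.fetch_token(), now)
        return self._cached[0]

class FakeTransport:
    # Constructed stand-in for both endpoints so the flow can be exercised offline.
    def __init__(self):
        self.calls = []
    def __call__(self, url, headers=None, body=None):
        self.calls.append((url, body))
        if url == METADATA_TOKEN_URL:
            return {"access_token": "vm-token", "expires_in": 3599, "token_type": "Bearer"}
        assert headers["Authorization"] == "Bearer vm-token"
        return {"accessToken": "sa-token-%d" % len(self.calls)}
```

On a VM with the attached service account but without the Service Account Token Creator role, hop 2 fails with a 403 from iamcredentials.googleapis.com, which is the same condition the Validate Authentication Configuration utility reports.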

Set up service accounts in a cross-project environment

The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.

The following table shows an example of service account setup for cross-project API access.

Environment                                   SAP host VM                                                    Google Cloud APIs
Google Cloud project                          project-sap-host                                               project-google-apis
Service account assigned to the SAP host VM   sa-sap-host@project-sap-host.iam.gserviceaccount.com           N/A
Service account for accessing Google Cloud APIs  sa-google-apis@project-sap-host.iam.gserviceaccount.com     N/A
IAM roles for the service account             In the project project-sap-host, grant the Service Account Token Creator role to the service account sa-sap-host@project-sap-host.iam.gserviceaccount.com. In the project project-google-apis, add the service account sa-google-apis@project-sap-host.iam.gserviceaccount.com as a principal and grant it the roles it needs to connect to the Google Cloud APIs.

To set up the service accounts, perform the following steps:

  1. In the Google Cloud project that contains your SAP host VM, grant the Service Account Token Creator role to the service account of the SAP host VM. For more information about the steps, see Grant a single role.
  2. In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principal to the other project that contains the Google Cloud APIs.
  3. In the other project that contains the Google Cloud APIs, add the service account as a principal and grant it the roles it needs to connect to the Google Cloud APIs. To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:

    1. In the Google Cloud console, go to the IAM Permissions page:

      Go to IAM permissions

    2. Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example:

      Permissions for project "PROJECT_NAME"

      If it is not, then switch projects.

    3. On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.

    4. In the New principals field, specify the name of the service account.

    5. In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions and to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor).

      For more information about API-specific predefined roles, see IAM basic and predefined roles reference.

    6. Add additional roles as required for your API usage. Implement Google-recommended best practices by applying the principle of least privilege.

    7. Click Save. The service account appears in the list of project principals on the IAM page.

Validate authentication configuration

To validate the authentication configuration, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.

  3. Enter the client key name.

  4. Click Execute to check if the overall flow is configured successfully.

    A green check in the Result column indicates that all configuration steps are completed successfully.

Get support

If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following: