This document describes the methods that you can use to authenticate to Google Cloud from the on-premises or any cloud edition of ABAP SDK for Google Cloud.
Applications developed using the ABAP SDK for Google Cloud require authentication to connect to Google Cloud APIs. The SDK enables the usage of Google Cloud recommended best practices for authentication.
For authentication and authorization to access Google Cloud APIs, the SDK mainly uses tokens. The SDK also supports API keys to authenticate to Google Cloud APIs that use API keys.
Choose an authentication method
Depending on the Google Cloud APIs that you need to access, the environment where your SAP system is hosted, and the security requirements of your SAP system, you can choose an appropriate authentication method.
The following table summarizes the token-based authentication methods, depending on where your SAP system is hosted:
| SAP system location | Authentication method | Instructions |
|---|---|---|
| SAP RISE, regardless of where the servers are hosted | JSON Web Token (JWT) | Authenticate with JSON Web Tokens (JWT) |
| Access tokens | Authenticate with tokens through Workload Identity Federation | |
| SAP system hosted on Compute Engine VMs | Access tokens | Authenticate with access tokens for Compute Engine VMs |
| Access tokens | Authenticate with access tokens through Workload Identity Federation (VM metadata) | |
| SAP system hosted outside Google Cloud | JSON Web Token (JWT) | Authenticate with JSON Web Tokens (JWT) |
| Access tokens | Authenticate with access tokens through Workload Identity Federation (external IdPs) |
In addition, the SDK supports the following authentication methods for Google Cloud APIs that require specific authentication:
Authenticate with API keys to invoke Google Cloud APIs
Only a few Google Cloud APIs use API keys for authentication, for example, Google Maps Platform. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys. Regardless of where your SAP system is hosted, you can use API keys for authentication as long as the API that you want to use supports API keys.
To authenticate to Google Cloud API using API keys, use one of the following methods:
Authenticate with OAuth 2.0 client credentials to invoke Google Workspace APIs
To access Google Workspace APIs, you can use OAuth 2.0 client credentials. OAuth 2.0 client credentials let you retrieve a token in the context of an end user, such as a token required to access Google Sheets. Regardless of where your SAP system is hosted, you can use OAuth 2.0 client credentials for authentication to Google Workspace APIs as long as the system supports OAuth 2.0.
For information about setting up authentication to Google Workspace APIs, see Authenticate to Google Workspace APIs with OAuth 2.0 client credentials.
Authenticate with ID tokens for Cloud Run functions
Authentication to Cloud Run functions requires an ID token. Depending on the environment where your SAP system is hosted, you set up authentication to the Cloud Run functions API, and then configure a client key to invoke Cloud Run functions.
For information about setting up authentication to invoke Cloud Run functions, see Authenticate with ID tokens for Cloud Run functions.