This document describes the methods that you can use to authenticate to Google Cloud from the on-premises or any cloud edition of ABAP SDK for Google Cloud.
Applications developed using the ABAP SDK for Google Cloud require authentication to connect to Google Cloud APIs. The SDK lets you follow the authentication best practices that Google Cloud recommends.
For authentication and authorization to access Google Cloud APIs, the SDK mainly uses tokens. The SDK also supports API keys to authenticate to Google Cloud APIs that use API keys.
Depending on the Google Cloud APIs that you need to access, the environment where your SAP system is hosted, and the security requirements of your SAP system, you can choose an appropriate authentication type.
The following table summarizes the token-based authentication types, depending on where your SAP system is hosted:
SAP system location | Authentication type | Instructions |
---|---|---|
SAP RISE, regardless of where the servers are hosted | JSON Web Token (JWT) | Authenticate by using JSON Web Tokens (JWT) |
SAP system hosted on Compute Engine VM | Access tokens | Authenticate by using access tokens |
SAP system hosted outside Google Cloud | JSON Web Token (JWT) | Authenticate by using JSON Web Tokens (JWT) |
SAP system hosted outside Google Cloud | Access tokens | Authenticate by using tokens through Workload Identity Federation |
In addition, the SDK supports the following authentication methods for Google Cloud APIs that require specific authentication:
Authentication to Google Cloud APIs by using API keys
Only a few Google Cloud APIs use API keys for authentication, for example, Google Maps Platform. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys. Regardless of where your SAP system is hosted, you can use API keys for authentication as long as the API that you want to use supports API keys.
To authenticate to Google Cloud APIs by using API keys, use one of the following methods:
- Authenticate by using API keys stored in SAP SSF
- Authenticate by using API keys stored in Secret Manager
Authentication to Google Workspace APIs by using OAuth 2.0 client credentials
To access Google Workspace APIs, you can use OAuth 2.0 client credentials. OAuth 2.0 client credentials let you retrieve a token in the context of an end user, such as a token required to access Google Sheets. Regardless of where your SAP system is hosted, you can use OAuth 2.0 client credentials for authentication to Google Workspace APIs as long as the system supports OAuth 2.0.
For information about setting up authentication to Google Workspace APIs, see Authenticate to Google Workspace APIs by using OAuth 2.0 client credentials.
Authentication to invoke Cloud Run functions by using ID tokens
Authentication to Cloud Run functions requires an ID token. Depending on the environment where your SAP system is hosted, you set up authentication to the Cloud Run functions API, and then configure a client key to invoke Cloud Run functions.
For information about setting up authentication to invoke Cloud Run functions, see Authentication to invoke Cloud Run functions.