This document shows how to set up authentication to access Google Cloud APIs by using API keys. Only a few Google Cloud APIs use API keys for authentication, for example, Google Maps Platform. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys. Regardless of where your SAP system is hosted, you can use API keys for authentication as long as the API that you want to use supports API keys.
To authenticate to Google Cloud APIs by using API keys, use one of the following methods:
- Authenticate by using API keys stored in SAP SSF
- Authenticate by using API keys stored in Secret Manager
Authenticate by using API key stored in SAP SSF
The high-level configuration steps are as follows:
- Create an API key
- Store the API key in SSF
- Configure client key
- Create new RFC destinations
- Configure service mapping
- Validate authentication configuration
Create an API key
For authentication using an API key, you need to create an API key.
An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe.
ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, go to the Credentials page:
Click Create Credentials and select API key from the menu.
The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.
By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs for which this API key can be used. For more information about adding API restrictions, see Add API restrictions.
Store the API key in SSF
The ABAP SDK for Google Cloud provides an option to securely store API keys using the SAP Secure Store and Forward mechanism (SSF).
By using the SSF option, you can store the API key in an encrypted format in the table /GOOG/APIKEY_BIN. When an API is called, the API key is retrieved from the table /GOOG/APIKEY_BIN, decrypted, and appended to the API endpoint URI.
For security purposes, you cannot view the contents of /GOOG/APIKEY_BIN using standard tools or transactions such as SE16, SE16N, or SE11.
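Because the decrypted key is appended to the endpoint URI, it can surface wherever request URLs are recorded, such as HTTP traces or proxy logs. The following added example (not part of the ABAP SDK or the original page) masks keys in log lines before they are shared; it assumes the key travels as the key query parameter that Google APIs accept, and the log lines are constructed.

```python
import re

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
BARE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# Value of a `key` query parameter, whatever its format (assumed parameter name).
KEY_PARAM_RE = re.compile(r"(?<=[?&]key=)[^&#\s\"']+")

# Constructed sample lines; the key is the example string shown on this page.
PAGE_KEY = "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe"
SAMPLE_LOG = [
    f"POST https://addressvalidation.googleapis.com/v1:validateAddress?key={PAGE_KEY}&alt=json 200",
    "POST https://addressvalidation.googleapis.com/v1:validateAddress?alt=json 200",
    f"debug: client key DEMO_API_KEY resolved to {PAGE_KEY}",
]


def mask(value: str) -> str:
    """Keep a 6-character prefix for correlation; mask short values entirely."""
    keep = 6 if len(value) > 12 else 0
    return value[:keep] + "*" * (len(value) - keep)


def redact_line(line: str) -> str:
    """Mask key= parameter values first, then any bare key left in the line."""
    line = KEY_PARAM_RE.sub(lambda m: mask(m.group(0)), line)
    return BARE_KEY_RE.sub(lambda m: mask(m.group(0)), line)


def find_leaks(lines):
    """Return 1-based numbers of the lines that expose a key."""
    return [n for n, line in enumerate(lines, 1) if redact_line(line) != line]


if __name__ == "__main__":
    for n in find_leaks(SAMPLE_LOG):
        print(n, redact_line(SAMPLE_LOG[n - 1]))
```

Redaction is idempotent, so running it again over already-masked lines reports no further leaks.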
Prerequisites
For authentication using API key stored in SAP SSF, you must have version 8.5 and above of the SAP Cryptographic Library installed in your SAP system. For more information about SAP Cryptographic Library, see 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and 397175 - SAP Cryptographic software - export control.
To verify the version of SAP Cryptographic Library, perform the following steps:
- In the SAP GUI, enter transaction code STRUST.
- Go to the Environment menu, and then click Display SSF Version.
Set up SSF application
In the table SSFAPPLIC, create a new SSF application ZG_APK that encrypts the API key. ZG_APK is the default SSF application name.
Alternatively, you can create an SSF application with your preferred name or use an existing SSF application that has a different name. If you want to use a different SSF application for encryption, then you need to configure the SSF application name in Authorization Parameter 1 of the client key table.
To create a new entry in the table SSFAPPLIC, perform the following steps:
- In the SAP GUI, enter transaction code SE16.
- In the Table Name field, enter SSFAPPLIC, and then create a new entry.
- In the APPLIC field, enter ZG_APK. Specify values in the following fields:
  - APPLIC: ZG_APK
  - B_TOOLKIT: Select the flag.
  - B_FORMAT: Select the flag.
  - B_PAB: Select the flag.
  - B_PROFID: Select the flag.
  - B_PROFILE: Select the flag.
  - B_HASHALG: Leave this field blank.
  - B_ENCRALG: Leave this field blank.
  - B_INCCERTS: Leave this field blank.
  - B_DETACHED: Leave this field blank.
  - B_ASKPWD: Leave this field blank.
  - B_DISTRIB: Select the flag.
  - DESCRIPT: API Key Encryption for GCP
- Save the new entry.
Create SSF parameters
- In the SAP GUI, enter transaction code SM30.
- Open the view VSSFARGS.
- For application ZG_APK (API Key Encryption for GCP), create a new entry. The application-specific SSF parameters are automatically populated.
- Save the new entry.
Create a Personal Security Environment (PSE)
- In the SAP GUI, enter transaction code STRUST.
- Under node SSF API Key Encryption for GCP, right-click and select Create.
- In the Algorithm field, select RSA. Leave other fields with system-populated default values.
- Save the new entry.
Store the API key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- In the API Key field, enter the API key that you created earlier in Create an API key.
- Select Save.
- Click Execute to store the API key.
Configure client key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
  - Google Cloud Key Name: Specify a name of the client key configuration. For example, DEMO_API_KEY.
  - Google Cloud Service Account Name: Leave this field blank.
  - Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
  - Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
  - Command name: Leave this field blank.
  - Authorization Class: Specify the authorization class, /GOOG/CL_AUTH_API_KEY_SSF.
  - Token Caching: The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
  - Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
  - Authorization Parameter 1: If the SSF application name is different from ZG_APK, then specify your SSF application name.
  - Authorization Parameter 2: Leave this field blank.
- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.
  - Name: Google Cloud Key Name
  - Service Name: addressvalidation:v1
  - RFC Destination: ZGOOG_ADDRVALDN_V1
- Save the new entry.
Delete an API key
If an API key is no longer used, then you can delete the API key from your SAP system.
To delete an API key, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- Select Delete.
- Click Execute to delete the API key.
Authenticate by using API key stored in Secret Manager
The high-level configuration steps are as follows:
- Create an API key
- Create a secret and store the API key
- Configure client key for Secret Manager access
- Configure client key for the secret
- Create new RFC destinations
- Configure service mapping
- Validate API key retrieval from Secret Manager
- Validate authentication configuration
Create an API key
For authentication using an API key, you need to create an API key.
An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe.
ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, go to the Credentials page:
Click Create Credentials and select API key from the menu.
The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.
By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs for which this API key can be used. For more information about adding API restrictions, see Add API restrictions.
Create a secret and store the API key
The ABAP SDK for Google Cloud provides an option to securely store API keys using the Secret Manager service of Google Cloud. For securely storing API key strings, Secret Manager enables you to follow the best practices for securely using API keys.
To create a secret and store the API key, perform the following steps:
Enable the Secret Manager API.
In Google Cloud console, create a secret, and store the API key as the latest version.
For information about how to create a secret, see Create a secret.
The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.
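What reading the latest version involves, as an added example (not the ABAP SDK's code and not from the original page): it decodes a Secret Manager v1 access response, checks the payload against its CRC32C value, and rejects a stored key with stray whitespace, which would otherwise end up in the request URI. The response body is constructed, and the project number in it is a placeholder.

```python
import base64
import json


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), bitwise, reflected polynomial 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def access_path(project_id: str, secret_name: str) -> str:
    """Resource path of the latest version, the one the SDK reads by default."""
    return f"projects/{project_id}/secrets/{secret_name}/versions/latest:access"


def api_key_from_response(body: str) -> str:
    """Decode an access response and verify it before the key is used."""
    payload = json.loads(body)["payload"]
    data = base64.b64decode(payload["data"])
    if "dataCrc32c" in payload and int(payload["dataCrc32c"]) != crc32c(data):
        raise ValueError("secret payload failed CRC32C check")
    key = data.decode("utf-8")
    if key != key.strip():
        # Typical cause: the secret version was added from `echo`, with a newline.
        raise ValueError("stored secret has leading or trailing whitespace")
    return key


def sample_response(secret_value: bytes) -> str:
    """Constructed body in the shape of a Secret Manager v1 access response."""
    return json.dumps({
        "name": "projects/123456789/secrets/TEST_SECRET/versions/3",
        "payload": {
            "data": base64.b64encode(secret_value).decode("ascii"),
            "dataCrc32c": str(crc32c(secret_value)),
        },
    })


if __name__ == "__main__":
    print(access_path("my-project", "TEST_SECRET"))
    print(len(api_key_from_response(sample_response(b"A" * 39))))
```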
Configure client key for Secret Manager access
Secret Manager APIs use tokens for authentication, so you need to set up token-based authentication to access Secret Manager APIs, depending on your SAP deployment.
Use one of the following methods to set up token-based authentication to access Secret Manager APIs:
- Authenticate by using access tokens
- Authenticate by using JSON Web Tokens (JWT)
- Authenticate by using tokens through Workload Identity Federation
Note down the client key name that you created for Secret Manager access.
Configure client key for the secret
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
  - Google Cloud Key Name: Specify a name of the client key configuration. For example, DEMO_API_KEY.
  - Google Cloud Service Account Name: Leave this field blank.
  - Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
  - Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
  - Command name: Leave this field blank.
  - Authorization Class: Specify /GOOG/CL_AUTH_API_KEY_SM.
  - Token Caching: The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
  - Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
  - Authorization Parameter 1: Specify the name of the client key that you've created for Secret Manager access. For example, CLIENT_KEY_SM.
  - Authorization Parameter 2: Specify the name of the secret, which has the API key stored. For example, TEST_SECRET.
- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.
  - Name: Google Cloud Key Name
  - Service Name: addressvalidation:v1
  - RFC Destination: ZGOOG_ADDRVALDN_V1
- Save the new entry.
Validate API key retrieval from Secret Manager
To validate API key retrieval from Secret Manager, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate API key retrieval (Using Secret Manager).
- Specify the client key name.
- Click Execute to check if the API key is retrieved successfully from Secret Manager.
Validate authentication configuration
To validate the authentication configuration, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.
- Enter the client key name.
- Click Execute to check if the overall flow is configured successfully.
A green check in the Result column indicates that all configuration steps are completed successfully.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
Refer to the ABAP SDK for Google Cloud troubleshooting guide.
Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.