As a developer, you can write Cloud Run functions, which provide HTTP
endpoints. You invoke Cloud Run functions from the ABAP SDK class
/GOOG/CL_CLOUDFUNC_INVOKER
using their HTTP endpoints.
The process involves calling a Cloud Run function using its name and location to obtain the HTTP endpoint of the function. This endpoint is then used to invoke the function. Authentication to Cloud Run functions requires an ID token to invoke the HTTP endpoint.
The high-level configuration steps are as follows:
- In Google Cloud, enable the Google Cloud APIs.
- Create a service account and grant roles to get the Cloud Run function details.
- Create another service account and grant roles to invoke Cloud Run functions.
- Set up authentication to Cloud Run functions.
- Configure client key to invoke Cloud Run functions.
Enable the Google Cloud APIs
In the Google Cloud console, enable the following Google Cloud APIs:
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account to get Cloud Run function details
In the Google Cloud console, create an IAM service account to get your Cloud Run function details.
For information about how to create a service account, see Create a service account.
Grant the following roles to the service account:
For instructions, see Grant a single role.
Create another service account to invoke Cloud Run functions
In the Google Cloud console, create a dedicated service account to invoke Cloud Run functions.
For information about how to create a service account, see Create a service account.
Depending on the generation of Cloud Run functions that you're invoking, grant the appropriate roles to the service account:
- For 1st gen functions: Grant the
Cloud Functions Invoker
role to the service account. - For 2nd gen functions: Grant the
Cloud Run Invoker
role to the service account.
For more information about the permissions to invoke a function, see Authenticate for invocation.
- For 1st gen functions: Grant the
Set up authentication to Cloud Run functions
Depending on the environment where your SAP system is hosted, you can use one of the following methods to set up token-based authentication to access the Cloud Run functions API:
SAP system hosted on Compute Engine VM
For instructions to set up authentication to access the Cloud Run functions API when your SAP system is hosted on a Compute Engine VM instance, see Authenticate by using access tokens. Configure a client key with the service account that you created to get the Cloud Run function details.
SAP RISE or SAP system hosted outside Google Cloud
Set up authentication to access Cloud Run functions APIs using one of the following authentication methods:
- Authenticate by using JSON Web Tokens (JWT)
- Authenticate by using tokens through Workload Identity Federation
Configure a client key with the service account that you created to get the Cloud Run function details.
Configure client key to invoke Cloud Run functions
Depending on the environment where your SAP system is hosted, you use different values for the client key configuration:
SAP system hosted on Compute Engine VM
In SAP GUI, execute the transaction code
/GOOG/SDK_IMG
.Alternatively, execute the transaction code
SPRO
, and then click SAP Reference IMG.Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
Click New Entries.
Enter values for the following fields:
Field Description Google Cloud Key Name Specify a name of the client key configuration. Google Cloud Service Account Name Specify the name of the service account to which you have granted permissions to invoke Cloud Run functions. For example:
sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com
.Google Cloud Scope Specify the access scope, https://www.googleapis.com/auth/cloud-platform
.Project ID Specify the ID of the Google Cloud project that has the Cloud Run functions API enabled. Command name Leave this field blank. Authorization Class Specify the authorization class, /GOOG/CL_AUTH_ID_TOKEN
.Authorization Field Leave this field blank. Token Caching Leave this field blank. Token Refresh Seconds Leave this field blank. Authorization Parameter 1 Leave this field blank. Authorization Parameter 2 Leave this field blank. Save the new entry.
SAP RISE or SAP system hosted outside Google Cloud
In SAP GUI, execute the transaction code
/GOOG/SDK_IMG
.Alternatively, execute the transaction code
SPRO
, and then click SAP Reference IMG.Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
Click New Entries.
Enter values for the following fields:
Field Description Google Cloud Key Name Specify a name of the client key configuration. Google Cloud Service Account Name Specify the name of the service account to which you have granted permissions to invoke Cloud Run functions. For example:
sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com
.Google Cloud Scope Specify the access scope, https://www.googleapis.com/auth/cloud-platform
.Project ID Specify the ID of the Google Cloud project that has the Cloud Run functions API enabled. Command name Leave this field blank. Authorization Class Specify the authorization class as follows: - For authentication by using JWT, specify
/GOOG/CL_AUTH_JWT_ID_TOKEN
. - For authentication by using Workload Identity Federation,
specify the child class, which contains the implementation
of class
/GOOG/CL_AUTH_WIF_ID_TOKEN
. For more information, see Implement ABAP code to retrieve security tokens from your IdP.
Authorization Field Leave this field blank. Token Caching Leave this field blank. Token Refresh Seconds Leave this field blank. Authorization Parameter 1 - For authentication by using JWT, if you're using a custom name for the SSF application, then specify the name of the SSF application that you created in the section Create a new Secure Store and Forward (SSF) Application.
- For authentication by using Workload Identity Federation, specify the workload identity pool ID.
Authorization Parameter 2 - For authentication by using JWT, leave this field blank.
- For authentication by using Workload Identity Federation, specify the workload identity provider ID.
- For authentication by using JWT, specify
Save the new entry.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
Refer to the ABAP SDK for Google Cloud troubleshooting guide.
Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.