Authentication to invoke Cloud Run functions

As a developer, you can write Cloud Run functions, which provide HTTP endpoints. You invoke Cloud Run functions from the ABAP SDK class /GOOG/CL_CLOUDFUNC_INVOKER using their HTTP endpoints.

The SDK first uses the name and location of a Cloud Run function to obtain the function's HTTP endpoint, and then uses that endpoint to invoke the function. Invoking the HTTP endpoint requires authentication with an ID token.
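When an invocation is rejected, inspecting the claims of the ID token is a quick first check. The following Python sketch is an added example, not part of the ABAP SDK or of this page's original content. It assumes the token's `aud` claim must equal the function's HTTP endpoint and that the optional `email` claim names the invoker service account. The function names and sample URL are hypothetical, and the signature is deliberately not verified here.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def decode_claims(id_token):
    """Return the JWT payload as a dict WITHOUT verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_id_token(id_token, function_url, invoker_sa, now=None):
    """List reasons this token is unsuitable for invoking function_url."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not Google")
    if claims.get("aud") != function_url:
        problems.append("aud does not match the function endpoint")
    # The email claim is optional, so only a present-but-different value is flagged.
    if "email" in claims and claims["email"] != invoker_sa:
        problems.append("token was not minted for the invoker service account")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned sample token for this demonstration only."""
    return ".".join([_b64({"alg": "RS256", "typ": "JWT"}), _b64(claims), "c2ln"])

# Constructed sample values; the service account is the example used on this page.
URL = "https://example-function.invalid/hello"
SA = "sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com"
ISS = "https://accounts.google.com"
GOOD = make_sample_token({"iss": ISS, "aud": URL, "email": SA, "exp": 2000})
WRONG_AUD = make_sample_token(
    {"iss": ISS, "aud": "https://other.invalid/fn", "email": SA, "exp": 2000})

if __name__ == "__main__":
    print(audit_id_token(GOOD, URL, SA, now=1000))
    print(audit_id_token(WRONG_AUD, URL, SA, now=3000))
```
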

The high-level configuration steps are as follows:

Enable the Google Cloud APIs

In the Google Cloud console, enable the following Google Cloud APIs:

For information about how to enable Google Cloud APIs, see Enabling APIs.

Create a service account to get Cloud Run function details

  1. In the Google Cloud console, create an IAM service account to get your Cloud Run function details.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  2. Grant the following roles to the service account:

    For instructions, see Grant a single role.

Create another service account to invoke Cloud Run functions

  1. In the Google Cloud console, create a dedicated service account to invoke Cloud Run functions.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  2. Depending on the generation of Cloud Run functions that you're invoking, grant the appropriate roles to the service account:

    For more information about the permissions to invoke a function, see Authenticate for invocation.

Set up authentication to Cloud Run functions

Depending on the environment where your SAP system is hosted, you can use one of the following methods to set up token-based authentication to access the Cloud Run functions API:

SAP system hosted on Compute Engine VM

For instructions to set up authentication to access the Cloud Run functions API when your SAP system is hosted on a Compute Engine VM instance, see Authenticate by using access tokens. Configure a client key with the service account that you created to get the Cloud Run function details.

SAP RISE or SAP system hosted outside Google Cloud

Set up authentication to access Cloud Run functions APIs using one of the following authentication methods:

Configure a client key with the service account that you created to get the Cloud Run function details.

Configure client key to invoke Cloud Run functions

Depending on the environment where your SAP system is hosted, you use different values for the client key configuration:

SAP system hosted on Compute Engine VM

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

  3. Click New Entries.

  4. Enter values for the following fields:

    | Field | Description |
    | --- | --- |
    | Google Cloud Key Name | Specify a name of the client key configuration. |
    | Google Cloud Service Account Name | Specify the name of the service account to which you have granted permissions to invoke Cloud Run functions. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com. |
    | Google Cloud Scope | Specify the access scope, https://www.googleapis.com/auth/cloud-platform. |
    | Project ID | Specify the ID of the Google Cloud project that has the Cloud Run functions API enabled. |
    | Command name | Leave this field blank. |
    | Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_ID_TOKEN. |
    | Authorization Field | Leave this field blank. |
    | Token Caching | Leave this field blank. |
    | Token Refresh Seconds | Leave this field blank. |
    | Authorization Parameter 1 | Leave this field blank. |
    | Authorization Parameter 2 | Leave this field blank. |

  5. Save the new entry.

SAP RISE or SAP system hosted outside Google Cloud

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

  3. Click New Entries.

  4. Enter values for the following fields:

    | Field | Description |
    | --- | --- |
    | Google Cloud Key Name | Specify a name of the client key configuration. |
    | Google Cloud Service Account Name | Specify the name of the service account to which you have granted permissions to invoke Cloud Run functions. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com. |
    | Google Cloud Scope | Specify the access scope, https://www.googleapis.com/auth/cloud-platform. |
    | Project ID | Specify the ID of the Google Cloud project that has the Cloud Run functions API enabled. |
    | Command name | Leave this field blank. |
    | Authorization Class | Specify the authorization class as follows: • For authentication by using JWT, specify /GOOG/CL_AUTH_JWT_ID_TOKEN. • For authentication by using Workload Identity Federation, specify the child class, which contains the implementation of class /GOOG/CL_AUTH_WIF_ID_TOKEN. For more information, see Implement ABAP code to retrieve security tokens from your IdP. |
    | Authorization Field | Leave this field blank. |
    | Token Caching | Leave this field blank. |
    | Token Refresh Seconds | Leave this field blank. |
    | Authorization Parameter 1 | • For authentication by using JWT, if you're using a custom name for the SSF application, then specify the name of the SSF application that you created in the section Create a new Secure Store and Forward (SSF) Application. • For authentication by using Workload Identity Federation, specify the workload identity pool ID. |
    | Authorization Parameter 2 | • For authentication by using JWT, leave this field blank. • For authentication by using Workload Identity Federation, specify the workload identity provider ID. |

  5. Save the new entry.

Get support

If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following: