This document shows how to set up authentication to access Google Cloud APIs when your SAP system is running on a host that is on premises, on another cloud provider, in another environment outside of Google Cloud, or managed by SAP through the SAP RISE program. For authentication to Google Cloud, you use Google Cloud signed JSON Web Tokens (JWT) to obtain access tokens from Google Cloud.
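As an added illustration that is not part of this page or of the ABAP SDK for Google Cloud: the exchange behind "signed JWT to obtain access tokens" is, on my assumption, the standard OAuth 2.0 JWT bearer grant. The client signs a short-lived JWT (iss = service account email, scope, aud = token endpoint, iat, exp) with the service account's private key and POSTs it to the token endpoint as an assertion; the response carries the access token. The Python below builds such an assertion and checks one the way the token endpoint would. The token endpoint URL, the one-hour lifetime limit and the in-process RSA key (a throwaway replacement for the P12 key that STRUST holds; real keys never leave STRUST) are assumptions, not values from the page; the service account address is the page's own example value.

```python
"""Constructed example; not code from this page or from the ABAP SDK for Google Cloud.
Builds and checks the RS256-signed assertion of the OAuth 2.0 JWT bearer grant.
A throwaway RSA key made here stands in for the P12 key that STRUST holds."""
import base64
import hashlib
import json
import math
import secrets
import time
import urllib.parse

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed token endpoint
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # assumed: an assertion may not be valid for longer than one hour
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; demo-grade, used only to make the throwaway key
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(c):
            return c

def generate_rsa_key(bits=1024):
    # Return (n, e, d). Real keys come from Google and never leave STRUST.
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(message, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message, signature, key):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, emsa_pkcs1_v15(message, k))

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_assertion(sa_email, scope, key, now=None, lifetime=MAX_LIFETIME):
    # header.claims.signature, as the SAP side would produce it with the STRUST-held key
    now = int(time.time()) if now is None else now
    parts = ({"alg": "RS256", "typ": "JWT"},
             {"iss": sa_email, "scope": scope, "aud": TOKEN_URI, "iat": now, "exp": now + lifetime})
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), key))

def token_request_body(assertion):
    """Form body POSTed to TOKEN_URI; the JSON response carries the access token."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})

def verify_assertion(assertion, key, now=None):
    """The claims if signature and claim rules hold (what the token endpoint checks), else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = assertion.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signed = header["alg"] == "RS256" and rs256_verify(
            (head + "." + body).encode("ascii"), b64url_decode(sig), key)
        fresh = claims["iat"] <= now < claims["exp"] <= claims["iat"] + MAX_LIFETIME
        addressed = claims["aud"] == TOKEN_URI and bool(claims["iss"]) and bool(claims["scope"])
    except (ValueError, KeyError, TypeError):
        return None
    return claims if signed and fresh and addressed else None
```

The check side is the part worth keeping in mind when debugging a failed token retrieval: a wrong audience, an expired or over-long assertion, a claim set that was edited after signing, or a key that does not match the service account all make the endpoint refuse the assertion, and the SAP-side symptom is the same generic authentication error for each.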
The high-level configuration steps are as follows:
- Create a service account for JWT based token retrieval.
- Configure security settings for Google Cloud on the SAP host.
- Enable the Google Cloud APIs.
- Create another service account for authorization to access Google Cloud APIs.
- Create SAP configurations.
- Validate authentication configuration.
Create a service account for JWT based token retrieval
For JWT based authentication to Google Cloud, ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
Create a service account and grant the Service Account Token Creator IAM role to the service account.
To create a service account, perform the following steps:
- In the Google Cloud console, create an IAM service account for JWT based token retrieval. For information about how to create a service account, see Create a service account.
- Grant the Service Account Token Creator role to the service account. For instructions, see Grant a single role.
Create a service account key
You need to create a P12 service account key for the service account used for JWT based token retrieval.
To create a service account key, perform the following steps:
- In the Google Cloud console, go to the IAM & Admin Service accounts page.
- Select your Google Cloud project.
- Click the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.
- Under the service account name, click the Keys tab.
- Click the Add Key drop-down menu, and then select Create new key to create a service account key.
- Accept P12 as the key type and click Create. A private key is downloaded to your computer.
- Make a note of the password for the private key file, notasecret.
- Provide the private key and password to your SAP administrator to import the private key into STRUST, as described in Import the service account key into STRUST.
Specify the service account for JWT signing
If you created the service account for JWT signing in a different project than the project that contains the Google Cloud APIs, then you need to specify the service account on the SAP host system.
If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.
To specify the service account for JWT signing, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Parameters.
- Click New Entries.
- In the Parameter Name field, enter JWT_SERVC_ACCT. The parameter description is automatically populated.
- In the Parameter Value field, enter the name of the service account.
- Save the new entry.
Configure security settings for Google Cloud on the SAP host system
To enable JWT signing for the service account that you created for JWT based token retrieval, you need to configure security settings for Google Cloud on the SAP host system.
Create a new Secure Store and Forward (SSF) Application
Each SSFAPPLIC entry lets you save a single service account key. To save service account keys for multiple projects, you need to create multiple SSFAPPLIC entries by following the same steps.
To create a new entry in the table SSFAPPLIC, perform the following steps:
- In the SAP GUI, enter transaction code SE16.
- In the Table Name field, enter SSFAPPLIC, and create a new entry.
- In the APPLIC field, enter a name for your SSF application, such as ZG_JWT.
- Select all fields except B_INCCERTS, B_DETACHED, B_ASKPWD, and B_DISTRIB.
- In the DESCRIPT field, enter JWT Signature for GCP.
- Save the new entry.
This entry becomes a new node in transaction STRUST, where you import the service account key.
Enable the STRUST node
Use transaction SSFA to enable the STRUST node for JWT Signature for GCP.
To enable the STRUST node, perform the following steps:
- In the SAP GUI, enter transaction code SSFA.
- Click New Entries.
- In the SSF Application drop-down list, select JWT Signature for GCP. This is the new entry that you created in the table SSFAPPLIC. The application specific SSF parameters are automatically populated.
- Save the new entry.
A new node, SSF JWT Signature for GCP, is enabled in transaction STRUST.
Import the service account key into STRUST
To import the service account key into STRUST, perform the following steps:
- In the SAP GUI, enter transaction code STRUST.
- Verify that the new node in transaction STRUST is SSF JWT Signature for GCP.
- Import the private key file:
  - Select PSE > Import from the menu bar.
  - Depending on your SAP system, select the appropriate private key:
    - SAP S/4HANA: Select the P12 private key. Enter the file password notasecret, and then click OK.
    - SAP ECC: Select the PSE private key. You need to convert the P12 private key that you downloaded earlier into a PSE private key. For more information about converting a P12 key into a PSE key, see Convert P12 key into PSE key. Enter the file PIN that you created during the private key conversion from P12 key to PSE key, and then click OK.
- Select PSE > Save as.
- Select SSF Application, and in the corresponding input field, select the new SSF Application node that you created in Create a new Secure Store and Forward (SSF) Application.
- Save the new entry.
The service key is attached to the SSF application node SSF JWT Signature for GCP.
Convert the P12 private key into PSE key
If your SAP system is SAP NetWeaver 7.0x (SAP ECC), then you need to convert the P12 key into a PSE key.
To convert the P12 key into a PSE key, perform the following steps:
- Go to the path /usr/sap/SID/SYS/exe/run/. Replace SID with the SAP system ID.
- Run the following command after replacing the placeholders:
  sapgenpse import_p12 -p PSE_PATH_AND_FILE_NAME P12_PATH_AND_FILE_NAME.p12
  Replace the following:
  - PSE_PATH_AND_FILE_NAME: specify the path and filename for the PSE file
  - P12_PATH_AND_FILE_NAME: specify the path and filename for the P12 key file
- Enter the password of the P12 private key file, notasecret.
- Create a new PIN for the PSE private key and re-enter your PIN. Make a note of the PIN; you need to provide this PIN when importing the PSE private key file into STRUST.
For information from SAP about how to convert a P12 key into a PSE key, see:
Enable the Google Cloud APIs
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account for authorization to access Google Cloud APIs
For authentication and authorization to access Google Cloud APIs, the ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
In the Google Cloud console, create an IAM service account. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK. If you create the service account in the same project that contains the Google Cloud APIs, then the service account is added as a principal to the project automatically.
If you create the service account in a project other than the project where the Google Cloud APIs are enabled, then you need to add the service account to that project in an additional step.
- In the Google Cloud console, create an IAM service account for authentication and authorization to access Google Cloud APIs. For information about how to create a service account, see Create a service account.
- In the Google Cloud console, grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see Find IAM roles for Google Cloud APIs.
- If you created the service account in a different project than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then note the name of the service account. You specify the name when you add the service account to that project. For more information, see Add the service account to the Google Cloud project.
Add the service account to the Google Cloud project
If you created the service account for ABAP SDK for Google Cloud in a project other than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then you need to add the service account to the Google Cloud project that contains the Google Cloud APIs.
If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.
To add an existing service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
- In the Google Cloud console, go to the IAM Permissions page.
- Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page, for example, Permissions for project "PROJECT_NAME". If it is not, then switch projects.
- On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.
- In the Grant access to "PROJECT_NAME" dialog, perform the following steps:
  - In the New principals field, specify the name of the service account.
  - In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor). For more details about API specific predefined roles, see IAM basic and predefined roles reference.
  - Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
  - Click Save. The service account appears in the list of project principals on the IAM page.
The service account can now be used to access Google Cloud APIs in this project.
Set up HTTPS connection
The SAP application server is required to connect to Google Cloud APIs through HTTPS.
On the SAP host, confirm that firewall rules or proxies are configured to allow egress traffic on the HTTPS port to the required Google Cloud APIs.
Specifically, your SAP system must be able to access the following API endpoints:
- https://iamcredentials.googleapis.com
- API endpoints for the APIs that you want to consume using the SDK.
Create SAP configurations
For JWT based authentication, create the required SAP configurations.
Specify access settings in the client key table
To specify the access settings, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
Field | Description |
---|---|
Google Cloud Key Name | Specify a name of the client key configuration. |
Google Cloud Service Account Name | Specify the name of the service account, in email address format, that was created for ABAP SDK for Google Cloud in the step Create a service account. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com. |
Google Cloud Scope | Specify the access scope, https://www.googleapis.com/auth/cloud-platform. |
Project ID | Specify the ID of the Google Cloud project that contains your target APIs. |
Command name | Leave this field blank. |
Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_JWT. |
Authorization Field | Leave this field blank. |
Token Refresh Seconds | Leave this field blank. |
Authorization Parameter 1 | Specify the name of the SSF application that you created in the section Create a new Secure Store and Forward (SSF) Application. |
- Save the new entry.
Create new RFC destinations
Create RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud, for example, Pub/Sub API v1.
RFC destination name | Notes |
---|---|
ZGOOG_IAMCREDENTIALS | This RFC destination targets the IAM API. |
ZGOOG_OAUTH2_TOKEN | This RFC destination targets the Google Cloud endpoint for token based authentication. |
ZGOOG_PUBSUB_V1 | This RFC destination targets the Pub/Sub API. |
For information about creating RFC destinations, see RFC destinations.
Specify RFC destinations in the service mapping table
In the service mapping table, specify the RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
To specify the RFC destinations, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for IAM API and other APIs. For example:
Name | Service Name | RFC Destination |
---|---|---|
Google Cloud Key Name | iamcredentials:v1 | ZGOOG_IAMCREDENTIALS |
Google Cloud Key Name | googleapis.com/oauth2 | ZGOOG_OAUTH2_TOKEN |
Google Cloud Key Name | pubsub.googleapis.com | ZGOOG_PUBSUB_V1 |
- Save the new entry.
Validate authentication configuration
To validate the authentication configuration, perform the following steps:
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.
- Enter the client key name.
- Click Execute to check if the overall flow is configured successfully.
A green check in the Status column indicates that all configuration steps are completed successfully.
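A pre-flight checker for the entries that this utility validates, as an added example that is not part of the ABAP SDK for Google Cloud: it encodes the rules this page states for the client key table (cloud-platform scope, /GOOG/CL_AUTH_JWT authorization class, the fields that stay blank, an Authorization Parameter 1 that names an existing SSFAPPLIC entry), for the service mapping table (an RFC destination for iamcredentials:v1 and googleapis.com/oauth2 under the same key name) and for the JWT_SERVC_ACCT parameter (required only when the JWT signing account lives in a different project than the APIs). The dict keys, the DEMO_CLIENT_KEY name, the jwt-signer address and the service account email pattern used to read the project ID out of an address are my assumptions; the Validate Authentication Configuration utility is still what checks the live system.

```python
"""Constructed pre-flight check; not part of the ABAP SDK for Google Cloud.
Plain dicts and tuples stand in for the SAP table rows described on this page."""
import re

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
JWT_AUTH_CLASS = "/GOOG/CL_AUTH_JWT"
REQUIRED_SERVICES = ("iamcredentials:v1", "googleapis.com/oauth2")
BLANK_FIELDS = ("command_name", "authorization_field", "token_refresh_seconds")
# Assumed address shape: <account-id>@<project-id>.iam.gserviceaccount.com
SA_EMAIL = re.compile(r"^[a-z][-a-z0-9]{5,29}@([a-z][-a-z0-9]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")


def project_of(sa_email):
    """Project ID embedded in a service account email, or None if malformed."""
    m = SA_EMAIL.match(sa_email or "")
    return m.group(1) if m else None


def check_client_key(row, ssf_applications):
    """Rules for one Configure Client Key entry (field keys are assumed names)."""
    findings = []
    if project_of(row.get("service_account")) is None:
        findings.append("SERVICE_ACCOUNT: not a service account email")
    if row.get("scope") != CLOUD_PLATFORM_SCOPE:
        findings.append("SCOPE: expected " + CLOUD_PLATFORM_SCOPE)
    if row.get("authorization_class") != JWT_AUTH_CLASS:
        findings.append("AUTH_CLASS: expected " + JWT_AUTH_CLASS)
    if row.get("authorization_parameter_1") not in ssf_applications:
        findings.append("AUTH_PARAM_1: no matching SSFAPPLIC entry")
    for field in BLANK_FIELDS:
        if row.get(field):
            findings.append(field.upper() + ": must be blank for JWT auth")
    if not row.get("project_id"):
        findings.append("PROJECT_ID: missing")
    return findings


def check_service_mapping(key_name, mappings):
    """mappings: iterable of (key_name, service_name, rfc_destination)."""
    present = {svc for k, svc, dest in mappings if k == key_name and dest}
    return ["SERVICE_MAPPING: %s has no RFC destination for key %s" % (svc, key_name)
            for svc in REQUIRED_SERVICES if svc not in present]


def check_jwt_signing_account(api_project, signing_sa, jwt_servc_acct_param):
    """Cross-project rule: JWT_SERVC_ACCT is needed only when the signing
    account is in a different project than the one that hosts the APIs."""
    signing_project = project_of(signing_sa)
    if signing_project is None:
        return ["JWT_SIGNING_SA: not a service account email"]
    if signing_project == api_project:
        return []
    if not jwt_servc_acct_param:
        return ["JWT_SERVC_ACCT: signing account is in another project; set the parameter"]
    if jwt_servc_acct_param != signing_sa:
        return ["JWT_SERVC_ACCT: parameter does not name the signing account"]
    return []


def preflight(client_key, ssf_applications, mappings, signing_sa, jwt_servc_acct_param=None):
    """All findings for one client key; an empty list means nothing to fix."""
    return (check_client_key(client_key, ssf_applications)
            + check_service_mapping(client_key.get("key_name"), mappings)
            + check_jwt_signing_account(client_key.get("project_id"), signing_sa, jwt_servc_acct_param))


# Constructed sample rows mirroring the tables on this page.
SAMPLE_CLIENT_KEY = {
    "key_name": "DEMO_CLIENT_KEY",
    "service_account": "sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com",
    "scope": CLOUD_PLATFORM_SCOPE,
    "project_id": "example-project-123456",
    "command_name": "",
    "authorization_class": JWT_AUTH_CLASS,
    "authorization_field": "",
    "token_refresh_seconds": "",
    "authorization_parameter_1": "ZG_JWT",
}
SAMPLE_MAPPINGS = [
    ("DEMO_CLIENT_KEY", "iamcredentials:v1", "ZGOOG_IAMCREDENTIALS"),
    ("DEMO_CLIENT_KEY", "googleapis.com/oauth2", "ZGOOG_OAUTH2_TOKEN"),
    ("DEMO_CLIENT_KEY", "pubsub.googleapis.com", "ZGOOG_PUBSUB_V1"),
]

if __name__ == "__main__":
    signer = "jwt-signer@example-project-123456.iam.gserviceaccount.com"  # constructed
    for finding in preflight(SAMPLE_CLIENT_KEY, {"ZG_JWT"}, SAMPLE_MAPPINGS, signer) or ["OK"]:
        print(finding)
```

Run it against the values you are about to enter before touching the SAP tables; each finding names the table field or parameter to correct, which is quicker than reading a generic failure out of the Status column afterwards.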
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
- Refer to the ABAP SDK for Google Cloud troubleshooting guide.
- Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
- Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.