Identity and access management for SAP programs on Google Cloud

Any application programs that use Google Cloud resources need a Google Cloud identity and permissions before they can access the resources.

IAM service accounts

On Google Cloud, Identity and Access Management (IAM) uses service accounts to establish identities for programs and roles to grant permissions to the service accounts of the programs.

For SAP systems and related programs that run on Compute Engine virtual machines (VMs), create a VM service account that contains only the roles that the SAP systems and other programs need.

Programs that do not run on Google Cloud can use service accounts when they connect to Google Cloud APIs and use a service account key for authentication.

Programs that run on a Compute Engine VM can use the service account of the VM, as long as the VM service account has the roles the program needs. For programs that are running on a Compute Engine VM, using a service account key for authentication is not recommended.

When you create a VM instance using the gcloud command-line tool or the Google Cloud Console, you can specify a service account for the VM instance to use, accept the project default service account, or specify no service account.

When you create an instance by making a request to the API directly without using the gcloud command-line tool or the Google Cloud Console, the default service account does not come enabled with the instance.

If a VM service account doesn't have the roles the program needs, you can add roles to the VM service account or replace the service account with a new VM service account.

The Compute Engine default service account for a project is initially granted the Editor role, which might be too permissive for many enterprise environments.

For more information about the use of roles, permissions, and service accounts by Compute Engine, see:

For information that applies more broadly across Google Cloud, see the IAM documentation:

Deployment Manager and service accounts

If you are deploying your SAP infrastructure by using the Deployment Manager templates that are provided by Google Cloud, you can specify a VM service account in the template.yaml configuration file.

If you do not specify a service account, Deployment Manager deploys the VMs with the default service account of your project.

IAM roles and permissions

IAM provides predefined roles for each Google Cloud resource. Each role contains a set of permissions for the resource that are appropriate to the level of the role. You can add these roles to the service accounts that you create.

For the most restrictive or granular control, you can create custom roles with one or more permissions.

For a list of the predefined roles and the permissions that each contains, see Understanding roles.

For more information about custom roles, see Understanding custom roles.

For more information about roles that are specific to Compute Engine, see Compute Engine IAM roles in the Compute Engine documentation.

IAM roles for SAP systems

The IAM roles that your SAP programs need depends on the resources that the programs use and on the tasks that the programs perform.

For example, if you use Cloud Deployment Manager to deploy your SAP system and specify a service account in the Deployment Manager configuration file, the service account that you specify must include at least the following roles:

  • Service Account User - always required.
  • Compute Instance Admin - always required.
  • Storage Object Viewer - required to download installation media from a Cloud Storage bucket during deployment.
  • Logs Writer - required to write deployment or other messages to Logging.

After the SAP system deploys, the host VM and your SAP programs might not need all of the same permissions that were required during deployment. You can edit the VM service account to remove roles, or change the service account that the VM uses.

Some SAP or related programs require additional roles and, if they are not running on Google Cloud, might require a separate service account. For example: