Authenticate by using access tokens

This document shows how to set up authentication to access Google Cloud APIs when your SAP system is hosted on a Compute Engine VM instance.

Set up authentication

To set up authentication, perform the following steps:

  1. In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.

    Go to API library

    For information about how to enable Google Cloud APIs, see Enabling APIs.

  2. In the Google Cloud console, create an IAM service account for the host VM instance.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  3. Grant the Service Account Token Creator role to the service account. For instructions, see Grant a single role.

  4. Attach the service account to the VM instance where your SAP workload is running. Also, set the VM's access scope to cloud-platform.

    • If you specify the service account by using the Google Cloud console, then the VM's access scope automatically defaults to the cloud-platform scope.
    • If you specify the service account by using the Google Cloud CLI or the Compute Engine API, then you need to set the API access scope to Allow full access to all Cloud APIs.

      For instructions, see Create a VM and attach the service account.

      After updating the scope, restart the VM. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.

  5. In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs.

    Go to Service accounts

    For instructions, see Create a service account.

  6. Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see Find IAM roles for Google Cloud APIs.

  7. If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.

  8. In the SAP system, configure the client key:

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

    3. Click New Entries.

    4. Enter values for the following fields:

      Field Description
      Google Cloud Key Name Specify a name of the client key configuration. For example, TEST_PUBSUB.
      Google Cloud Service Account Name

      Specify the name of the service account to which you have granted permissions to access Google Cloud APIs. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.

      If the host VM of your SAP system that contains the SDK is in a different project than the one with the Google Cloud APIs enabled, then specify the service account which is used for accessing Google Cloud APIs. For more information, see Set up service accounts in a cross-project environment.

      Google Cloud Scope Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
      Google Cloud Project Identifier Specify the ID of the Google Cloud project that contains your target APIs.
      Command name Leave this field blank.
      Authorization Class Specify the authorization class, /GOOG/CL_AUTH_GOOGLE.
      Token Caching

      The flag that determines whether or not the access tokens retrieved from Google Cloud are cached.

      We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.

      Token Refresh Seconds The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
      Authorization Parameter 1 Leave this field blank.
      Authorization Parameter 2 Leave this field blank.
    5. Save the new entry.

  9. In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.

    For information about creating RFC destinations, see RFC destinations.

  10. In the SAP system, configure the service mapping table for IAM API, and other APIs that you plan to consume using the ABAP SDK for Google Cloud.

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

    3. Click New Entries.

    4. Specify RFC destinations for IAM API and other APIs, for example, Pub/Sub API v1.

      Name Service Name RFC Destination
      Google Cloud Key Name iamcredentials.googleapis.com ZGOOG_IAMCREDENTIALS
      Google Cloud Key Name pubsub:v1 ZGOOG_PUBSUB_V1
    5. Save the new entry.

  11. In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.

Set up service accounts in a cross-project environment

The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.

The following table shows an example of service account setup for cross-project API access.

Environment SAP host VM Google Cloud APIs
Google Cloud project project-sap-host project-google-apis
Service account assigned to the SAP host VM [email protected] N/A
Service account for accessing Google Cloud APIs [email protected] N/A
IAM roles for the service account In the project project-sap-host, grant the service account [email protected] Service Account Token Creator role. In the project project-google-apis, add the service account [email protected] as a principle and grant the service account appropriate roles to connect to the Google Cloud APIs.

To set up the service accounts, perform the following steps:

  1. In the Google Cloud project that contains your SAP host VM, grant the service account of the SAP host VM, the Service Account Token Creator role. For more information about the steps, see Grant a single role.
  2. In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principle to the other project that contains the Google Cloud APIs.
  3. In the other project that contains the Google Cloud APIs, add the service account as a principle and grant appropriate roles to connect to the Google Cloud APIs.To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:

    1. In the Google Cloud console, go to the IAM Permissions page:

      Go to IAM permissions

    2. Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example:

      Permissions for project "PROJECT_NAME"

      If it is not, then switch projects.

    3. On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.

    4. In the New principals field, specify the name of the service account.

    5. In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor).

      For more information about API specific predefined roles, see IAM basic and predefined roles reference.

    6. Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.

    7. Click Save. The service account appears in the list of project principals on the IAM page.

Validate authentication configuration

To validate the authentication configuration, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.

  3. Enter the client key name.

  4. Click Execute to check if the overall flow is configured successfully.

    A green check in the Result column indicates that all configurations steps are completed successfully.

Get support

If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following: