This document shows how to set up authentication to access Google Cloud APIs when your SAP system is hosted on a Compute Engine VM instance.
Set up authentication
To set up authentication, perform the following steps:
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
In the Google Cloud console, create an IAM service account for the host VM instance.
For information about how to create a service account, see Create a service account.
Grant the
Service Account Token Creator
role to the service account. For instructions, see Grant a single role.Attach the service account to the VM instance where your SAP workload is running. Also, set the VM's access scope to
cloud-platform
.- If you specify the service account by using the Google Cloud console, then
the VM's access scope automatically defaults to the
cloud-platform
scope. If you specify the service account by using the Google Cloud CLI or the Compute Engine API, then you need to set the API access scope to
Allow full access to all Cloud APIs
.For instructions, see Create a VM and attach the service account.
After updating the scope, restart the VM. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.
- If you specify the service account by using the Google Cloud console, then
the VM's access scope automatically defaults to the
In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs.
For instructions, see Create a service account.
Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see Find IAM roles for Google Cloud APIs.
If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.
In the SAP system, configure the client key:
In SAP GUI, execute the transaction code
/GOOG/SDK_IMG
.Alternatively, execute the transaction code
SPRO
, and then click SAP Reference IMG.Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
Click New Entries.
Enter values for the following fields:
Field Description Google Cloud Key Name Specify a name of the client key configuration. For example, TEST_PUBSUB
.Google Cloud Service Account Name Specify the name of the service account to which you have granted permissions to access Google Cloud APIs. For example,
sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com
.If the host VM of your SAP system that contains the SDK is in a different project than the one with the Google Cloud APIs enabled, then specify the service account which is used for accessing Google Cloud APIs. For more information, see Set up service accounts in a cross-project environment.
Google Cloud Scope Specify the API access scope, https://www.googleapis.com/auth/cloud-platform
.Google Cloud Project Identifier Specify the ID of the Google Cloud project that contains your target APIs. Command name Leave this field blank. Authorization Class Specify the authorization class, /GOOG/CL_AUTH_GOOGLE
.Token Caching The flag that determines whether or not the access tokens retrieved from Google Cloud are cached.
We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
Token Refresh Seconds The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500
.Authorization Parameter 1 Leave this field blank. Authorization Parameter 2 Leave this field blank. Save the new entry.
In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
For information about creating RFC destinations, see RFC destinations.
In the SAP system, configure the service mapping table for IAM API, and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
In SAP GUI, execute the transaction code
/GOOG/SDK_IMG
.Alternatively, execute the transaction code
SPRO
, and then click SAP Reference IMG.Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
Click New Entries.
Specify RFC destinations for IAM API and other APIs, for example,
Pub/Sub API v1
.Name Service Name RFC Destination Google Cloud Key Name iamcredentials.googleapis.com
ZGOOG_IAMCREDENTIALS
Google Cloud Key Name pubsub:v1
ZGOOG_PUBSUB_V1
Save the new entry.
In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.
Set up service accounts in a cross-project environment
The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.
The following table shows an example of service account setup for cross-project API access.
Environment | SAP host VM | Google Cloud APIs |
---|---|---|
Google Cloud project | project-sap-host |
project-google-apis |
Service account assigned to the SAP host VM | [email protected] |
N/A |
Service account for accessing Google Cloud APIs | [email protected] |
N/A |
IAM roles for the service account | In the project project-sap-host , grant the service account
[email protected]
Service Account Token Creator role. |
In the project project-google-apis , add the service account
[email protected]
as a principle and grant the service account
appropriate roles to connect to the Google Cloud APIs. |
To set up the service accounts, perform the following steps:
- In the Google Cloud project that contains your SAP host VM,
grant the service account of the SAP host VM, the
Service Account Token Creator
role. For more information about the steps, see Grant a single role. - In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principle to the other project that contains the Google Cloud APIs.
In the other project that contains the Google Cloud APIs, add the service account as a principle and grant appropriate roles to connect to the Google Cloud APIs.To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
In the Google Cloud console, go to the IAM Permissions page:
Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example:
Permissions for project "
PROJECT_NAME
"If it is not, then switch projects.
On the IAM page, click
Grant access. The Grant access to "PROJECT_NAME
" dialog opens.In the New principals field, specify the name of the service account.
In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (
roles/pubsub.editor
).For more information about API specific predefined roles, see IAM basic and predefined roles reference.
Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
Click Save. The service account appears in the list of project principals on the IAM page.
Validate authentication configuration
To validate the authentication configuration, perform the following steps:
In SAP GUI, execute the transaction code
/GOOG/SDK_IMG
.Alternatively, execute the transaction code
SPRO
, and then click SAP Reference IMG.Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.
Enter the client key name.
Click Execute to check if the overall flow is configured successfully.
A green check in the Result column indicates that all configurations steps are completed successfully.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
Refer to the ABAP SDK for Google Cloud troubleshooting guide.
Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.