This document describes how to authenticate to Google Cloud by using tokens through Workload Identity Federation. With Workload Identity Federation, you can grant on-premises or multicloud SAP workloads access to Google Cloud resources without using a service account key. You can use Workload Identity Federation with Amazon Web Services (AWS), with any identity provider (IdP) that supports OpenID Connect (OIDC), such as Microsoft Azure, or with SAML 2.0.
Workload Identity Federation follows the OAuth 2.0 token exchange specification. You provide a credential from your IdP to the Security Token Service, which verifies the identity on the credential, and then returns a federated access token in exchange. You can use this federated access token directly with supported services or use it to impersonate a service account and obtain a short-lived access token. The short-lived access token lets you call any Google Cloud APIs that the service account has access to.
For authentication using tokens through Workload Identity Federation, the high-level configuration steps are as follows:
- Prepare your external IdP.
- In Google Cloud, configure Workload Identity Federation.
- In Google Cloud, create a service account.
- In Google Cloud, allow the external workload to impersonate the service account.
- In ABAP SDK for Google Cloud, implement ABAP code to retrieve security tokens from your IdP.
- In ABAP SDK for Google Cloud, configure the client key.
Not all Google Cloud products support Workload Identity Federation. Before setting up authentication using Workload Identity Federation, review the list of supported products and limitations. For more information, see Workforce identity federation: supported products and limitations.
Prepare your external IdP
You need to prepare your IdP so that your SAP workload can obtain credentials that can be exchanged for a Google OAuth 2.0 security token.
To prepare your external IdP, perform the steps depending on your IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to prepare your external IdP.
- If you're using other IdPs, then follow the instructions to prepare your external IdP.
Configure Workload Identity Federation
In Google Cloud, configure a workload identity pool and provider.
You configure an identity pool, which is an entity that lets you manage external identities. You also configure a workload identity pool provider, which is an entity that describes a relationship between Google Cloud and your IdP.
To configure Workload Identity Federation, perform the steps depending on your external IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to create the workload identity pool and provider.
- If you're using other IdPs, then follow the instructions to create the workload identity pool and provider.
Make a note of the following:
- Project number: the project number of the Google Cloud project where you created the workload identity pool.
- Pool ID: a unique ID that identifies the workload identity pool.
- Provider ID: an ID that identifies the workload identity pool provider.
You need them for the ABAP SDK client key configuration.
Create a service account
In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK.
In the Google Cloud console, enable the IAM Service Account Credentials API, Security Token Service API, and any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account that represents the workload.
Grant the service account the required IAM roles to access the API functionality. To understand the role requirements for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API-specific predefined roles, see Find IAM roles for Google Cloud APIs.
Allow the external workload to impersonate the service account
To allow the external workload to impersonate the service account, perform the steps depending on your external IdP:
- If you're using AWS or Azure as your IdP, then follow the instructions to allow the external workload to impersonate the service account.
- If you're using other IdPs, then follow the instructions to allow the external workload to impersonate the service account.
Implement ABAP code to retrieve security tokens from your IdP
ABAP SDK for Google Cloud provides an abstract class /GOOG/CL_AUTH_WIF_BASE, which has the logic to retrieve OAuth 2.0 security tokens from the Security Token Service and OAuth 2.0 access tokens from the IAM Service Account Credentials API. As a developer, you need to create a child class in your namespace that inherits from the abstract class /GOOG/CL_AUTH_WIF_BASE.
To invoke Cloud Run functions from the ABAP SDK for Google Cloud by using Workload Identity Federation, the SDK provides another abstract class, /GOOG/CL_AUTH_WIF_ID_TOKEN. If you set up authentication by using Workload Identity Federation, then you need to create one more child class in your namespace that inherits from the abstract class /GOOG/CL_AUTH_WIF_ID_TOKEN. You specify this child class in the Authorization Class field while configuring the client key to invoke Cloud Run functions.
Make sure to implement the method GET_EXT_IDP_TOKEN in the child class and write the logic to get the security token from your IdP. Populate the following fields:
- CV_TOKEN: the token retrieved from your IdP in string format.
- CV_TOKEN_TYPE: the type of the security token retrieved from your IdP. The supported token types are:
  - urn:ietf:params:oauth:token-type:jwt
  - urn:ietf:params:oauth:token-type:id_token
  - urn:ietf:params:aws:token-type:aws4_request
  - urn:ietf:params:oauth:token-type:access_token
  - urn:ietf:params:oauth:token-type:saml2
The values populated in CV_TOKEN and CV_TOKEN_TYPE are then used by methods of the abstract class /GOOG/CL_AUTH_WIF_BASE to exchange and retrieve the final OAuth 2.0 token, which is used in the API calls.
The following example shows sample implementations of the method GET_EXT_IDP_TOKEN for other cloud providers, such as AWS and Azure (AWS and Azure tabs).
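As an added example (not the SDK's own sample code), the following child class is for an SAP system running on an Azure VM: it fetches a managed-identity JWT from the Azure Instance Metadata Service (IMDS) and hands it to the base class through CV_TOKEN and CV_TOKEN_TYPE. The class name ZCL_AUTH_WIF_AZURE, the audience placeholder and the handling of the failure path (leaving the token empty) are assumptions; only the redefined method and the two fields come from the text above.

```abap
CLASS zcl_auth_wif_azure DEFINITION PUBLIC
  INHERITING FROM /goog/cl_auth_wif_base FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    METHODS get_ext_idp_token REDEFINITION.
  PRIVATE SECTION.
    " Azure IMDS managed-identity endpoint, reachable only from inside the VM.
    CONSTANTS c_imds_url TYPE string
      VALUE 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01'.
    " Assumption: the audience accepted by your workload identity pool provider.
    CONSTANTS c_audience TYPE string VALUE 'api://WIF-AUDIENCE-PLACEHOLDER'.
ENDCLASS.
CLASS zcl_auth_wif_azure IMPLEMENTATION.
  METHOD get_ext_idp_token.
    DATA: lo_client TYPE REF TO if_http_client,
          lv_url    TYPE string,
          lv_body   TYPE string,
          lv_status TYPE i.
    " Start empty: only a verified HTTP 200 reply populates the token fields.
    CLEAR: cv_token, cv_token_type.
    lv_url = c_imds_url && '&resource=' && cl_http_utility=>escape_url( c_audience ).
    cl_http_client=>create_by_url( EXPORTING  url    = lv_url
                                   IMPORTING  client = lo_client
                                   EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc <> 0.
      RETURN. " token left empty; adapt to the SDK's error handling (assumption)
    ENDIF.
    " IMDS rejects requests without this header, which blocks simple SSRF relays.
    lo_client->request->set_method( if_http_request=>co_request_method_get ).
    lo_client->request->set_header_field( name = 'Metadata' value = 'true' ).
    lo_client->send( EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 1 ).
    ENDIF.
    IF sy-subrc = 0.
      lo_client->response->get_status( IMPORTING code = lv_status ).
      lv_body = lo_client->response->get_cdata( ).
    ENDIF.
    lo_client->close( ).
    " The access_token is a JWT issued by Azure; the STS exchange in the base
    " class verifies it against the provider's issuer and allowed audiences.
    IF lv_status = 200.
      FIND REGEX '"access_token"\s*:\s*"([^"]+)"' IN lv_body SUBMATCHES cv_token.
      IF sy-subrc = 0.
        cv_token_type = 'urn:ietf:params:oauth:token-type:jwt'.
      ENDIF.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

Enter ZCL_AUTH_WIF_AZURE in the Authorization Class field of the client key; the pool ID and provider ID go into Authorization Parameter 1 and 2 as described in Configure client key.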
Configure client key
- In SAP GUI, execute the transaction code /GOOG/SDK_IMG. Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
  - Google Cloud Key Name: specify a name for the client key configuration.
  - Google Cloud Service Account Name: specify the name of the service account, in email address format, that was created to access Google Cloud APIs in the step Create a service account. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
  - Google Cloud Scope: leave this field blank.
  - Google Cloud Project Identifier: specify the ID of the Google Cloud project where you created the workload identity pool.
  - Command name: leave this field blank.
  - Authorization Class: specify the child class that contains the implementation of class /GOOG/CL_AUTH_WIF_BASE. For more information, see Implement ABAP code to retrieve security tokens from your IdP.
  - Token Caching: leave this field blank.
  - Token Refresh Seconds: leave this field blank.
  - Authorization Parameter 1: specify the workload identity pool ID.
  - Authorization Parameter 2: specify the workload identity provider ID.
- Save the entry.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following:
- Refer to the ABAP SDK for Google Cloud troubleshooting guide.
- Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
- Collect all available diagnostic information and contact Cloud Customer Care. For information about contacting Customer Care, see Getting support for SAP on Google Cloud.