Authenticate with access tokens

This document shows you how to set up authentication to access Google Cloud when your SAP system is hosted on a Compute Engine VM instance.

For authentication to Google Cloud and authorization to access BigQuery, a Google Cloud security administrator and an SAP administrator need to complete the following:

  1. Create a service account for the BigQuery Connector for SAP.
  2. Grant the service account the IAM roles that are required to access BigQuery.
  3. Add the BigQuery Connector for SAP service account as a principal in the BigQuery project.
  4. Configure security settings for Google Cloud on the SAP LT Replication Server host:
    • Grant the host VM permission to obtain access tokens.
    • If necessary, modify the API access scopes of the host VM.

Create a service account

BigQuery Connector for SAP needs an IAM service account for authentication and authorization to access BigQuery.

This service account must be a principal in the Google Cloud project that contains your BigQuery dataset. If you create the service account in the same project as the BigQuery dataset, the service account is added as a principal to the project automatically.

If you create the service account in a project other than the project that contains the BigQuery dataset, you need to add the service account to the BigQuery dataset project in an additional step.

To create a service account, complete the following steps:

  1. In the Google Cloud console, go to the IAM & Admin Service accounts page.

  2. If prompted, select your Google Cloud project.

  3. Click Create Service Account.

  4. Specify a name for the service account and, optionally, a description.

  5. Click Create and Continue.

  6. If you are creating the service account in the same project as the BigQuery dataset, in the Grant this service account access to project panel, select the following roles:

    • BigQuery Data Editor
    • BigQuery Job User

    If you are creating the service account in a different project than the BigQuery dataset, do not grant any roles to the service account.

  7. Click Continue.

  8. As appropriate, grant other users access to the service account.

  9. Click Done. The service account appears in the list of service accounts for the project.

  10. If you created the service account in a different project than the project that contains the BigQuery dataset, note the name of the service account. You specify the name when you add the service account to the BigQuery project. For more information, see Add the service account to the BigQuery project.

The service account is now listed as a principal on the IAM Permissions page of the Google Cloud project in which the service account was created.

Add the service account to the BigQuery project

If you created the service account for BigQuery Connector for SAP in a project other than the project that contains the target BigQuery dataset, you need to add the service account to the BigQuery dataset project.

If you created the service account in the same project as the BigQuery dataset, you can skip this step.

To add an existing service account to the BigQuery dataset project, complete the following steps:

  1. In the Google Cloud console, go to the IAM Permissions page:

  2. Confirm that the name of the project that contains the target BigQuery dataset is displayed near the top of the page. For example:

    Permissions for project "PROJECT_NAME"

    If it is not, switch projects.

  3. On the IAM page, click Add. The Add principals to "PROJECT_NAME" dialog opens.

  4. In the Add principals to "PROJECT_NAME" dialog, complete the following steps:

    1. In the New principals field, specify the name of the service account.
    2. In the Select a role field, specify BigQuery Data Editor.
    3. Click ADD ANOTHER ROLE. The Select a role field displays again.
    4. In the Select a role field, specify BigQuery Job User.
    5. Click Save. The service account appears in the list of project principals on the IAM page.

The service account can now be used to access the BigQuery dataset in this project.

Configure security on the host VM

BigQuery Connector for SAP requires that the Compute Engine VM that is hosting SAP LT Replication Server be configured with the following security options:

  • The access scopes of the host VM must be set to allow full access to the Cloud APIs.
  • The service account of the host VM must include the IAM Service Account Token Creator role.

If these options are not configured on the host VM, you need to configure them.

To change a VM's access scopes, you need to stop the VM.

Check the API access scopes of the host VM

Check the current access scope setting of the SAP LT Replication Server host VM. If the VM already has full access to all Cloud APIs, you don't need to change the access scopes.

To check the access scope of a host VM, complete the following steps:

Google Cloud console

  1. In the Google Cloud console, open the VM instances page:

  2. If necessary, select the Google Cloud project that contains the SAP LT Replication Server host.

  3. On the VM instances page, click the name of the host VM. The VM details page opens.

  4. Under API and identity management on the host VM details page, check the current setting of Cloud API access scopes:

    • If the setting is Allow full access to all Cloud APIs, the setting is correct and you don't need to change it.
    • If the setting is not Allow full access to all Cloud APIs, you need to stop the VM and change the setting. For instructions, see the next section.

gcloud CLI

  1. Display the current access scopes of the host VM:

    gcloud compute instances describe VM_NAME --zone=VM_ZONE --format="yaml(serviceAccounts)"

    If the access scopes don't include https://www.googleapis.com/auth/cloud-platform, you need to change the access scopes of the host VM. For example, if you were to create a VM instance with a default Compute Engine service account, you would need to change the following default access scopes:

    serviceAccounts:
    - email: 600915385160-compute@developer.gserviceaccount.com
      scopes:
      - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management.readonly
      - https://www.googleapis.com/auth/trace.append

    If the only scope listed under scopes is https://www.googleapis.com/auth/cloud-platform, as in the following example, you don't need to change the scopes:

    serviceAccounts:
    - email: 600915385160-compute@developer.gserviceaccount.com
      scopes:
      - https://www.googleapis.com/auth/cloud-platform

Change API access scopes of the host VM

If the SAP LT Replication Server host VM does not have full access to the Google Cloud APIs, change the access scopes to allow full access to all Cloud APIs.

To change the setting of Cloud API access scopes for a host VM, complete the following steps:

Google Cloud console

  1. If necessary, limit the roles that are granted to the service account of the host VM.

    You can find the service account name on the details page of the host VM under API and identity management. You can change the roles that are granted to a service account in the Google Cloud console on the IAM page under Principals.

  2. If necessary, stop any workloads that are running on the host VM.

  3. In the Google Cloud console, open the VM instances page:

  4. On the VM instance page, click the name of the host VM to open the VM details page.

  5. At the top of the host VM details page, stop the host VM by clicking STOP.

  6. After the VM is stopped, click EDIT.

  7. Under Security and access > Access scopes, select Allow full access to all Cloud APIs.

  8. Click Save.

  9. At the top of the host VM details page, start the host VM by clicking START/RESUME.

  10. If necessary, restart any workloads that are stopped on the host VM.

gcloud CLI

  1. If necessary, adjust the IAM roles that are granted to the VM service account to make sure that access to Google Cloud services from the host VM is appropriately restricted.

    For information about how to change the roles that are granted to a service account, see Updating a service account.

  2. If necessary, stop any SAP software that is running on the host VM.

  3. Stop the VM:

    gcloud compute instances stop VM_NAME --zone=VM_ZONE

  4. Change the access scopes of the VM:

    gcloud compute instances set-service-account VM_NAME --scopes=cloud-platform --zone=VM_ZONE

  5. Start the VM:

    gcloud compute instances start VM_NAME --zone=VM_ZONE

  6. If necessary, restart the SAP software that you stopped on the host VM.

Enable the host VM to obtain access tokens

You need to grant the service account of the host VM permission to obtain the access tokens that the BigQuery Connector for SAP requires to access BigQuery.

To grant permission to create access tokens, complete the following steps:

  1. In the Google Cloud console, open the Compute Engine VM instances page:

  2. Click the name of the host VM to open the VM details page.

  3. On the VM details page, under API and identity management, make a note of the name of the service account. The following example name is for a default Compute Engine service account:

    SVC-ACCT-NUMBER-compute@developer.gserviceaccount.com

  4. In the Google Cloud console, go to the IAM page:

  5. In the list of project principals, find the service account name and click Edit principal. The Edit permissions dialog opens.

  6. In the Edit permissions dialog, click ADD ANOTHER ROLE. The Select a role field displays.

  7. In the Select a role field, specify Service Account Token Creator.

  8. Click Save. You are returned to the IAM permissions page.

The host VM now has permission to create access tokens.

Set up TLS/SSL certificates and HTTPS

Communication between BigQuery Connector for SAP and the BigQuery API is secured by using TLS/SSL and HTTPS.

  1. For connecting to Google services, follow the Google Trust Services advice. At a minimum, you must download all root CA certificates from the Google Trust Services repository.

    To ensure that you're using the latest trusted root CA certificates, we recommend that you update your system's root certificate store every six months. Google announces new and removed root CA certificates at Google Trust Services. To receive automatic notifications, subscribe to the RSS feed on Google Trust Services.

  2. In the SAP GUI, use the STRUST transaction to import the root CA certificates into the SSL client SSL Client (Standard) PSE folder.

    For more information from SAP, see SAP Help - Maintain PSE Certification list.

  3. On the SAP LT Replication Server host, confirm that any firewall rules or proxies are configured to allow outbound HTTPS traffic to the BigQuery API.

    Specifically, SAP LT Replication Server needs to be able to access the following Google Cloud APIs:

    • https://bigquery.googleapis.com
    • https://iamcredentials.googleapis.com

    If you want BigQuery Connector for SAP to access Google Cloud APIs through Private Service Connect endpoints in your VPC network, then you must configure RFC destinations and specify your Private Service Connect endpoints in those RFC destinations. For more information, see RFC destinations.

For more information from SAP about setting up TLS/SSL, see SAP Note 510007 - Additional considerations for setting up TLS/SSL on Application Server ABAP.

Validate HTTP and HTTPS ports in Internet Communication Manager (ICM)

The VM metadata is stored on a metadata server, which is only accessible through an HTTP port. Therefore, you must validate that both an HTTP port and an HTTPS port are created and active in ICM so that the VM metadata can be accessed.

  1. In the SAP GUI, enter transaction code SMICM.
  2. On the menu bar, click Goto > Services. A green check in the Actv column indicates that the HTTP and HTTPS ports are active.

For information about configuring the HTTP and HTTPS ports, see HTTP(S) Settings in ICM.

Test Google Cloud authentication and authorization

Confirm that you have configured Google Cloud authentication correctly by requesting an access token and retrieving information about your BigQuery dataset.

Use the following procedure to test your Google Cloud authentication and authorization from the SAP LT Replication Server host VM:

  1. On the SAP LT Replication Server host VM, open a command-line shell.

  2. Switch to the sidadm user.

  3. Request the first access token from the metadata server of the host VM:

    curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

    The metadata server returns an access token that is similar to the following example, in which ACCESS_TOKEN_STRING_1 is an access token string that you copy into the command in the following step:

    {"access_token":"ACCESS_TOKEN_STRING_1","expires_in":3599,"token_type":"Bearer"}

  4. Request the second access token from the IAM API by issuing the following command after replacing the placeholder values:

    Linux

    curl --request POST \
      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT:generateAccessToken" \
      --header "Authorization: Bearer ACCESS_TOKEN_STRING_1" \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --data '{"scope":["https://www.googleapis.com/auth/bigquery"],"lifetime":"300s"}' \
      --compressed

    Windows

    '{"scope":["https://www.googleapis.com/auth/bigquery"],"lifetime":"300s"}' | curl.exe --request POST `
      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT:generateAccessToken" `
      --header "Authorization: Bearer ACCESS_TOKEN_STRING_1" `
      --header "Accept: application/json" `
      --header "Content-Type: application/json" `
      --data "@-" `
      --compressed

    Replace the following:

    • SERVICE_ACCOUNT: the service account that you created for BigQuery Connector for SAP in an earlier step.
    • ACCESS_TOKEN_STRING_1: the first access token string from the preceding step.

    The IAM API returns a second access token, ACCESS_TOKEN_STRING_2, that is similar to the following example. In the next step, you copy this second token string into a request to the BigQuery API.

    {"access_token":"ACCESS_TOKEN_STRING_2","expires_in":3599,"token_type":"Bearer"}

  5. Retrieve information about your BigQuery dataset from the BigQuery API by issuing the following command after replacing the placeholder values:

    Linux

    curl "https://bigquery.googleapis.com/bigquery/v2/projects/PROJECT_ID/datasets/DATASET_NAME" \
      -H "Accept: application/json" -H "Authorization: Bearer ACCESS_TOKEN_STRING_2"

    Windows

    curl.exe "https://bigquery.googleapis.com/bigquery/v2/projects/PROJECT_ID/datasets/DATASET_NAME" `
      -H "Accept: application/json" -H "Authorization: Bearer ACCESS_TOKEN_STRING_2"

    Replace the following:

    • PROJECT_ID: the ID of the project that contains your BigQuery dataset.
    • DATASET_NAME: the name of the target dataset as defined in BigQuery.
    • ACCESS_TOKEN_STRING_2: the access token string returned by the IAM API in the preceding step.

    If your Google Cloud authentication is configured correctly, then information about the dataset is returned.

    If it is not configured correctly, see BigQuery Connector for SAP troubleshooting.
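
The three curl commands above as one scripted check, added here as an example (it is not part of this page or of BigQuery Connector for SAP): it performs the same three requests in sequence with Python's standard library, stops at the first failing step, and takes an injectable `send` transport so the flow can be exercised without a metadata server. The token parser accepts both field spellings because the metadata server returns `access_token` while the IAM Credentials API returns `accessToken`; the service account, project and dataset names are placeholders you supply.

```python
import json
import urllib.error
import urllib.request

METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
IAM_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa}:generateAccessToken"
BQ_URL = "https://bigquery.googleapis.com/bigquery/v2/projects/{project}/datasets/{dataset}"
BQ_SCOPE = "https://www.googleapis.com/auth/bigquery"

def http_send(req):
    """Default transport: return (HTTP status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def extract_token(body):
    """Accept both spellings: the metadata server uses access_token, IAM Credentials uses accessToken."""
    data = json.loads(body)
    token = data.get("access_token") or data.get("accessToken")
    if not token:
        raise ValueError("no access token in response: " + body[:200])
    return token

def check_bigquery_auth(service_account, project, dataset, send=http_send, lifetime="300s"):
    """Run the three-step check; pass a stub as `send` to exercise the flow offline."""
    # Step 1: the metadata server only answers requests that carry Metadata-Flavor: Google.
    status, body = send(urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"}))
    if status != 200:
        raise RuntimeError(f"metadata server returned HTTP {status}")
    vm_token = extract_token(body)
    # Step 2: exchange the VM token for a short-lived token limited to the BigQuery scope;
    # HTTP 403 here usually means the VM service account lacks Service Account Token Creator.
    payload = json.dumps({"scope": [BQ_SCOPE], "lifetime": lifetime}).encode()
    status, body = send(urllib.request.Request(
        IAM_URL.format(sa=service_account), data=payload, method="POST",
        headers={"Authorization": f"Bearer {vm_token}", "Accept": "application/json",
                 "Content-Type": "application/json"}))
    if status == 403:
        raise PermissionError(f"generateAccessToken denied for {service_account}: {body[:200]}")
    if status != 200:
        raise RuntimeError(f"generateAccessToken returned HTTP {status}: {body[:200]}")
    sa_token = extract_token(body)
    # Step 3: read dataset metadata with the impersonated token only, never with the VM token.
    status, body = send(urllib.request.Request(
        BQ_URL.format(project=project, dataset=dataset),
        headers={"Authorization": f"Bearer {sa_token}", "Accept": "application/json"}))
    if status != 200:
        raise RuntimeError(f"BigQuery datasets.get returned HTTP {status}: {body[:200]}")
    return json.loads(body)
```

Run it as sidadm on the host VM with the real `send`; a PermissionError at step 2 points at the Service Account Token Creator role, while a failure at step 3 points at the roles granted to the connector service account in the dataset project.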
