Securely Access Google Cloud resources from external SAP Workloads with Workload Identity Federation

Ajith Urimajalu
Google Cloud - Community
3 min read · Jan 21, 2024

Enterprises running SAP ERP often find value in adopting a multi-cloud approach. However, customers need to ensure the security of these multi-cloud integrations. Using Workload Identity Federation (WIF), you can grant on-premises or multi-cloud workloads access to Google Cloud resources, without using a service account key.

In May 2023, Google Cloud launched ABAP SDK for Google Cloud, which provides seamless integration from SAP to Google Cloud Services such as Vertex AI, Pub/Sub and BigQuery. ABAP SDK can be used not only from SAP systems running on Google Cloud, but also from externally hosted SAP workloads, including the ones running on-premise and on other hyperscalers such as Amazon Web Services (AWS) and Azure.

You can now use Workload Identity Federation with ABAP SDK if your SAP workload is running on other hyperscalers or on-premise.

How Workload Identity Federation works

With Workload Identity Federation, you establish a relationship between Google Cloud and your Identity Provider (IdP) such that a credential from your IdP is sent to the Security Token Service (STS), which verifies the identity on the credential, and then returns a federated token in exchange. The token from the Security Token Service is then used to invoke the generateAccessToken method of the IAM Service Account Credentials API to obtain an access token. You use this access token to call the Google Service API.

You can use workload identity federation with Amazon Web Services (AWS), or with any IdP that supports OpenID Connect (OIDC), such as Microsoft Azure, or SAML 2.0.

Workload Identity Federation with ABAP SDK

The diagram below shows how the Workload Identity Federation token exchange flow is implemented in ABAP SDK.

In the above diagram, External IdP is the Identity Provider of your SAP workloads. You’ll configure this External IdP in Google Cloud Workload Identity Federation.

You can use AWS or Azure as your IdP if your SAP workload is running on those hyperscalers. For on-premise SAP installations, you can use any IdP that supports OpenID Connect (OIDC), such as Okta, SAP BTP XSUAA, and Active Directory.

Regardless of your IdP, you complete the four steps below to set up WIF in ABAP SDK.

  1. Prepare your external IdP
  2. Configure WIF in Google Cloud
  3. Implement ABAP code to retrieve a token from your IdP, which will be passed to Security Token Service.
  4. Configure WIF in ABAP SDK Client Key

For the ease of implementing Workload Identity Federation in ABAP SDK V1.5 and above, we have included the class /GOOG/CL_AUTH_WIF_BASE in ABAP SDK transport and provided steps and sample implementations for AWS and Azure in our Github repo google-cloud-abap.
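The two-hop exchange described under "How Workload Identity Federation works" and in steps 3 and 4, as an added Python example that is not part of this post or the ABAP SDK. The STS and IAM Credentials endpoints and request fields are the public Google Cloud REST API; the project number, pool, provider and service account names are assumed, and the HTTP transport is injectable so the request shapes can be exercised without network access.

```python
import json
import urllib.request

# Real Google endpoints; all IDs and tokens below are constructed placeholders.
STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                 "serviceAccounts/{sa}:generateAccessToken")
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
OIDC_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def wif_audience(project_number, pool_id, provider_id):
    """STS audience naming the pool/provider you configured in Google Cloud (step 2)."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def sts_exchange_body(audience, idp_token, subject_token_type=OIDC_TOKEN_TYPE):
    """Hop 1: the IdP credential retrieved in step 3, handed to STS for a federated token."""
    if not idp_token:
        raise ValueError("no IdP token to exchange")
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": audience,
        "scope": CLOUD_SCOPE,
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": subject_token_type,
        "subjectToken": idp_token,
    }


def http_post_json(url, body, headers):
    """Default transport: JSON POST via urllib (used only when no stub is injected)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def federated_access_token(idp_token, audience, service_account, post=http_post_json):
    """Run both hops: IdP token -> STS federated token -> service account access token."""
    sts = post(STS_URL, sts_exchange_body(audience, idp_token), {})
    federated = sts.get("access_token")
    if not federated:
        raise RuntimeError(f"STS did not return a federated token: {sts}")
    # Hop 2: the federated token authorises generateAccessToken on the service account.
    creds = post(IAM_CREDS_URL.format(sa=service_account),
                 {"scope": [CLOUD_SCOPE], "lifetime": "3600s"},
                 {"Authorization": f"Bearer {federated}"})
    if "accessToken" not in creds:
        raise RuntimeError(f"generateAccessToken failed: {creds}")
    return creds["accessToken"], creds.get("expireTime")
```

The returned access token is what the SDK client key ultimately presents to the Google service API (step 4); the federated token itself never leaves the exchange.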

Conclusion and Next steps

With Workload Identity Federation and ABAP SDK, you can securely access Google Cloud resources from your externally hosted SAP workloads. Make sure you follow the Best practices when configuring Workload Identity Federation.

If you have not tried ABAP SDK for Google Cloud yet, use our public documentation to download, install and configure the SDK in your SAP landscape.

Our Github repo has code samples, quick starts and utilities to jump start your innovation journey with ABAP SDK.

Subscribe to our YouTube channel https://www.youtube.com/@SAPOnGoogleCloud to learn all things SAP on Google Cloud.

Happy Learning and Innovating with Google Cloud!