Setting up JWT based Authentication in ABAP SDK for Google Cloud
The ABAP SDK for Google Cloud provides bi-directional, real-time integration between SAP and Google Cloud services. SAP developers can easily leverage this SDK to integrate their SAP applications with Google Cloud services such as Vertex AI, Document AI, Translation AI, Pub/Sub, and more. With the ABAP SDK, customers can accelerate their digital transformation and achieve business goals faster.
There are various methods of authentication when consuming an API using the ABAP SDK. The authentication mechanism supported by the API and the location of your SAP system determine the authentication method.
These are covered in the Authentication guide hosted as part of ABAP SDK for Google Cloud’s public documentation.
This article aims to provide a comprehensive, step-by-step guide with screenshots on how to configure the JWT-based authentication mechanism.
This method of authentication is primarily meant for SAP systems that are hosted outside of Google Cloud and need to access ABAP SDK-supported Google Cloud APIs via service-account-based authentication.
JWT, or JSON Web Token, is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between two parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWT Based Authentication
JWT (pronounced “jot”) stands for JSON Web Token, which can be used for authenticating service accounts. The detailed steps are covered in the following link as well.
As mentioned earlier, this blog post will provide all the steps involved with relevant screenshots, making it easier for you to configure JWT-based authentication for the ABAP SDK for Google Cloud.
Steps:
1: Create a service account for JWT based authentication to Google Cloud
Create the JWT Service Account abap-sdk-jwt-token@xxxxx.iam.gserviceaccount.com and grant it the IAM role that is required for creating tokens.
Note: If you have multiple target projects, ensure that the JWT Service Account abap-sdk-jwt-token@xxxxx.iam.gserviceaccount.com has been allocated the “Service Account Token Creator” role in all the projects. In other words, the JWT Service Account is a central account used for JWT signing and for generating an access token on behalf of the Dedicated Service Accounts, which hold the appropriate roles in the target projects.
The screenshots below illustrate this. Assume we have two Google Cloud projects, project-a and project-b: the JWT service account needs to be included as a principal with the above-mentioned role in both projects.
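A check for the multi-project requirement above, as an added example that is not part of the original post or of the SDK. It takes IAM policies in the parsed JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports projects where the JWT service account lacks the Service Account Token Creator role, holds it only under a condition, or carries other roles that this setup places on the dedicated service accounts. The sample policies, the condition and the use of roles/cloudtranslate.admin are constructed for illustration.

```python
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # "Service Account Token Creator"
JWT_SA = "serviceAccount:abap-sdk-jwt-token@xxxxx.iam.gserviceaccount.com"
TRANSLATE_SA = "serviceAccount:test-translation-v2@xxxxx.iam.gserviceaccount.com"

# Constructed sample policies (not real exports), one per target project.
SAMPLE_POLICIES = {
    "project-a": {"bindings": [
        {"role": TOKEN_CREATOR, "members": [JWT_SA]},
        {"role": "roles/cloudtranslate.admin", "members": [TRANSLATE_SA]}]},
    "project-b": {"bindings": [
        {"role": TOKEN_CREATOR, "members": [JWT_SA],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/cloudtranslate.admin", "members": [JWT_SA]}]},
}


def roles_of(policy, member):
    """Map each role bound to `member` to True if it is held only conditionally."""
    roles = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            conditional = "condition" in binding
            # An unconditional grant of the same role wins over a conditional one.
            roles[binding["role"]] = roles.get(binding["role"], True) and conditional
    return roles


def audit(policies, jwt_sa=JWT_SA):
    """Return sorted (project, finding, role) tuples for the JWT signing account."""
    findings = []
    for project, policy in policies.items():
        roles = roles_of(policy, jwt_sa)
        if TOKEN_CREATOR not in roles:
            findings.append((project, "missing", TOKEN_CREATOR))
        elif roles[TOKEN_CREATOR]:
            findings.append((project, "conditional", TOKEN_CREATOR))
        # API roles belong on the dedicated service accounts, not the signing account.
        for role in roles:
            if role != TOKEN_CREATOR:
                findings.append((project, "extra-role", role))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print(*finding)
```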
1.2: Create a service account key (P12)
1.3: Enable JWT signing for the service account on the SAP System where the ABAP SDK for Google Cloud is Installed
Add the parameter JWT_SERVC_ACCT to the table /GOOG/SDK_PARAM and configure the service account using transaction code SM30 (table maintenance) or alternatively use the following path:
SPRO -> ABAP SDK for Google Cloud -> Basic Settings -> Configure Parameters
2: Configure security settings for Google Cloud on the SAP System where the ABAP SDK for Google Cloud is installed
2.1: Create a new SSF application and enable STRUST node for the SSF application
Create a new Secure Store and Forward (SSF) Application
Entry in Table SSFAPPLIC for Application: ZG_JWT (Create only if it does not exist)
Please note: You may use a different name for the field APPLIC; however, you then need to maintain the same name in the field Authorisation Parameter 1 when maintaining the client key entry in step 4.2.
Enable the STRUST node
Use transaction SSFA to enable the STRUST node for JWT Signature for GCP
2.2: Import the service account key into STRUST
Import the downloaded P12 key file using the steps mentioned here.
3: Create another service account for authorisation to access Translation API
As an example, we are discussing the use of the Translation API. For other APIs supported by the ABAP SDK for Google Cloud, you may need to create additional service accounts with the appropriate roles.
3.1: Grant the service account the IAM roles that are required to access Cloud Translation API.
Create a new service account test-translation-v2@xxxxx.iam.gserviceaccount.com with the role below and add it to the Google Cloud project where you have enabled the Google Translation API:
Cloud Translation API Admin
Please note: Translation API V2 does not require any additional roles; the role is assigned here for illustration purposes only, because at the end we will use the Translation Demo Program to validate the authentication setup. Different APIs require different roles, and they need to be assigned accordingly.
3.2: Add the Test-Translation-V2 service account as a principal to the Google Cloud project.
3.3: Set up SSL certificates and HTTPS
4: Create ABAP configurations.
4.1: Create new RFC destinations. (Create if RFCs do not already exist)
Verify the required RFC destinations (GOOG_OAUTH2_TOKEN, GOOG_IAMCREDENTIALS, GOOG_TRANSLATION_V2). These RFC destinations will exist in the system.
4.2: Specify access settings in /GOOG/CLIENT_KEY.
Create a JWT-based client key entry for accessing the Translation API.
Example Client Key Name: SAMPLE_KEY_JWT
Maintain an entry in table /GOOG/CLIENT_KEY or alternatively use the following path:
SPRO -> ABAP SDK for Google Cloud -> Basic Settings -> Configure Client Key
4.3: Specify RFC destinations in /GOOG/SERVIC_MAP.
Maintain the following 3 entries in table /GOOG/SERVIC_MAP. (Please create your own RFC destinations; this blog uses the RFC destinations provided as default, which are for reference purposes only.)
You can access the same from the following path:
SPRO -> ABAP SDK for Google Cloud -> Basic Settings -> Configure Service Mapping
5: Validate the settings using Authentication Configuration Validator
You can access the Configuration Validation utility via the following path:
SPRO -> ABAP SDK for Google Cloud -> Validate Authentication Configuration
Execute the program, providing the client key configured above.
If you have followed all the above steps correctly, you should get the output as shown above.
In case you get any error, enable the “Display Troubleshooting Info” checkbox on the selection screen and re-execute; this should provide you with help to resolve your issue.
6: Execute the Translation Demo Program
Run the Translation Demo Program using the client key configured above and confirm your configurations are working as expected. You can use the following path:
SPRO -> ABAP SDK for Google Cloud -> Validate Authentication Configuration
On successful execution you should see the below output:
Conclusion
Hope the above blog provided more clarity on all the steps involved in setting up JWT-based authentication in ABAP SDK for Google Cloud, with the relevant screenshots along the way.
Next Steps
Ready to start using ABAP SDK for Google Cloud?
Bookmark What’s new with the ABAP SDK for Google Cloud for the latest announcements and follow installation and configuration instructions.
Check out these blog posts to get started with ABAP SDK for Google Cloud:
- This blog explains how you can evaluate ABAP SDK for Google Cloud using ABAP Platform Trial 1909 on Google Cloud Platform.
- Read this blog post to get a sneak peek at how a business process such as Sales Order entry in SAP can be automated using ABAP SDK for Google Cloud.
- This blog is an excellent start to understand how BigQuery ML, a powerful machine learning service that lets you build and deploy models using SQL queries, can now be accessed with ABAP SDK for Google Cloud.
- Read this blog post to understand how to use Secret Manager with ABAP SDK.
- Also check out the blog posts about the ABAP SDK Code Wizard and about Application Logging, two of the many examples of engineering excellence delivered as part of ABAP SDK.
Join the community today!
The ABAP SDK for Google Cloud Community is now open! This is a place for you to ask questions, share knowledge, and collaborate with other ABAP developers who are using Google Cloud.
We encourage you to get involved in the community and help us make the ABAP SDK for Google Cloud even better. We have a lot of exciting things planned for the future, and we want you to be a part of it.
Happy Learning!!
Happy Innovating!!