SAP system authentication on AWS - AWS SDK for SAP ABAP

SAP system authentication on AWS

Before an SAP system can make calls to AWS on behalf of SAP users, the SAP system must authenticate itself to AWS. AWS SDK for SAP ABAP supports the following three authentication methods, which are selected in the SDK profile settings in IMG.

AWS SDK for SAP ABAP - BTP edition can only be authenticated with the Secret access key authentication method using SAP Credential Store.

Amazon EC2 instance metadata authentication

SAP systems running on Amazon EC2 can acquire short-lived, automatically rotating credentials from Amazon EC2 instance metadata. For more information, see Using credentials for Amazon EC2 instance metadata.

We strongly recommend this method of authentication when using SDK for SAP ABAP. To use it, the Basis administrator must enable outbound HTTP communication. No further Basis configuration is required.

Note

This method of authentication applies only if your SAP systems are running on Amazon EC2. SAP systems hosted on-premises or in other cloud environments cannot authenticate using this method.

Secret access key authentication

With this method, you use an Access Key ID and a Secret Access Key to authenticate your SAP system on AWS. The SAP system logs in to AWS as an IAM user. For more information, see Managing Access Keys for IAM Users.

The Basis administrator receives an Access Key ID and a Secret Access Key from the AWS IAM administrator. Your SAP system must be configured to store the Access Key ID and Secret Access Key.

  • Secure Store and Forward (SSF)

    • Use the SSF functionality to authenticate AWS SDK for SAP ABAP. For more information, see Digital Signatures and Encryption.

    • You can also test SSF’s envelope and develope functionality with the SSF02 report. For more information, see Testing the SSF Installation.

    • The steps for configuring SSF for SDK for SAP ABAP are described in the /AWS1/IMG transaction. Go to Technical Prerequisites, and then select Additional Settings for On-Premises Systems.

  • SAP Credential Store

Certificate-based authentication using IAM Roles Anywhere

An X.509 certificate issued by your certificate authority (CA) can be used for authentication with AWS Identity and Access Management Roles Anywhere. The certificate must be configured in STRUST. The CA must be registered with IAM Roles Anywhere as a trust anchor, and a profile must be created to specify the roles and policies that IAM Roles Anywhere would assume. For more information, see Creating a trust anchor and profile in AWS Identity and Access Management Roles Anywhere.

For detailed steps on how to use IAM Roles Anywhere with SDK for SAP ABAP, see Using certificates with IAM Roles Anywhere.

Note

Certificate revocation is only supported through the use of imported certificate revocation lists. For more information, see Revocation.

Next step

After authenticating your SAP system in AWS, SDK for SAP ABAP automatically performs an sts:AssumeRole call to assume the appropriate IAM role for the SAP user’s business function.