About this codelab
1. Introduction
This codelab walks through the steps to retrieve credentials or secrets from the Google Cloud Secret Manager API using the ABAP SDK for Google Cloud.
The following Google Cloud services are used in this codelab:
- Secret Manager
- Cloud Shell
What you'll build
You'll perform the following:
- Enable Secret Manager API in a Google Cloud project.
- Create a secret.
- Add a secret version.
- Access/Retrieve a secret using ABAP SDK for Google Cloud.
In this codelab, the secret is created and its version added with gcloud commands; both steps can also be performed with the Secret Manager client library provided with the ABAP SDK for Google Cloud.
2. Requirements
- A browser, such as Chrome or Firefox.
- A Google Cloud project with billing enabled or Create a 90-Day Free Trial account for Google Cloud Platform.
- SAP GUI (Windows or Java) installed on your system. If SAP GUI is already installed on your laptop, connect to SAP using the VM external IP address as the Application Server IP. If you are on a Mac, you can also install SAP GUI for Java.
3. Before you begin
- You have installed the ABAP SDK for Google Cloud on your system. To set up a new system, refer to the codelab Install ABAP Platform Trial 1909 on Google Cloud Platform and Install ABAP SDK.
- You will use Cloud Shell, a command-line environment running in Google Cloud.
- From the Cloud Console, click Activate Cloud Shell on the top right corner:
- Run the following commands to authenticate for your account and set the default project to abap-sdk-poc. Zone us-west4-b is used as an example. If needed, change the project and zone in the following commands to match your preference.
gcloud auth login
gcloud config set project abap-sdk-poc
gcloud config set compute/zone us-west4-b
4. Overview
Here is a quick overview of the Secret Manager entities you will work with in this codelab:
- Secret - A secret is a project-global object that contains a collection of metadata and secret versions.
- Secret version - A secret version stores the actual secret data, such as API keys, passwords, or certificates.
5. Enable Secret Manager in your Google Cloud Project
- Go to your Google Cloud Project and click Activate Cloud Shell in the top right corner.
- Execute the following command to enable the Cloud Secret Manager API in your Google Cloud Project.
gcloud services enable secretmanager.googleapis.com
You should now have the Secret Manager API enabled in your Google Cloud Project.
6. Create a Service Account with Secret Manager user roles
To create a service account with required roles, perform the following steps:
- Run the following command in the Cloud Shell terminal:
gcloud iam service-accounts create abap-sdk-secretmanager-tester \
--display-name="Service Account for Secret Manager"
- Add the required roles to the service account created in the previous step to create a secret, add a secret version, and access a secret version.
gcloud projects add-iam-policy-binding abap-sdk-poc \
--member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
--role='roles/secretmanager.admin'
gcloud projects add-iam-policy-binding abap-sdk-poc \
--member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
--role='roles/secretmanager.secretVersionAdder'
gcloud projects add-iam-policy-binding abap-sdk-poc \
--member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
--role='roles/secretmanager.secretAccessor'
The above commands use abap-sdk-poc as a placeholder for the Google Cloud project. Replace abap-sdk-poc with your project ID.
- To verify that the roles have been added, go to the IAM page. The service account you created should be listed along with the roles assigned to it.
7. Create a Secret
- In Cloud Shell, run the following command to create a secret named "demo-secret" for this codelab:
gcloud secrets create demo-secret \
--replication-policy="automatic"
You should be able to see a secret created in your Google Cloud project as shown below.
8. Add a secret version
- In Cloud Shell, run the following command to add a secret version to the secret "demo-secret":
echo -n "This is my super secret data" | \
gcloud secrets versions add demo-secret --data-file=-
A secret version is created. To view its details, click "demo-secret".
- Click the three dots on the right and select View Secret Value; the stored secret is shown.
9. Create SDK configurations in SAP
Now that the prerequisites on the Google Cloud side are set up, you can move on to the configuration on the SAP side. The ABAP SDK for Google Cloud stores its authentication and connectivity configuration in the table /GOOG/CLIENT_KEY.
To maintain the configuration in table /GOOG/CLIENT_KEY, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Maintain the following values against the fields:
| Field | Value |
|---|---|
| Google Cloud Key Name | SECRET_MANAGER_DEMO |
| Google Cloud Service Account Name | abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com |
| Google Cloud Scope | https://www.googleapis.com/auth/cloud-platform |
| Google Cloud Project Identifier | <<Your Google Cloud project ID>> |
| Authorization Class | /GOOG/CL_AUTH_GOOGLE |
Leave the other fields blank.
10. Retrieve secret using the SDK
- Log in to your SAP system.
- Go to the transaction code SE38 and create a report with the name "ZDEMO_ACCESS_SECRET".
- In the pop-up that opens up, provide details as shown below and click Save.
- In the next pop-up, either select Local Object or provide a package name as appropriate.
- In the ABAP Editor, add the following code:
* Data declarations
DATA:
  lv_p_projects_id TYPE string,
  lv_p_secrets_id  TYPE string,
  lv_p_versions_id TYPE string.

TRY.
*   Open HTTP Connection
    DATA(lo_client) = NEW /goog/cl_secretmgr_v1( iv_key_name = 'SECRET_MANAGER_DEMO' ).

*   Populate relevant parameters
    lv_p_projects_id = lo_client->gv_project_id.
    lv_p_secrets_id  = 'demo-secret'.
    lv_p_versions_id = 'latest'.

*   Call API method: secretmanager.projects.secrets.versions.access
    lo_client->access_versions(
      EXPORTING
        iv_p_projects_id = lv_p_projects_id
        iv_p_secrets_id  = lv_p_secrets_id
        iv_p_versions_id = lv_p_versions_id
      IMPORTING
        es_output        = DATA(ls_output)
        ev_ret_code      = DATA(lv_ret_code)
        ev_err_text      = DATA(lv_err_text)
        es_err_resp      = DATA(ls_err_resp) ).

    IF lo_client->is_success( lv_ret_code ).
      cl_http_utility=>if_http_utility~decode_base64(
        EXPORTING
          encoded = ls_output-payload-data
        RECEIVING
          decoded = DATA(lv_decoded_secret) ).
      DATA(lv_msg) = 'Secret data fetched successfully, Decoded Secret: ' && lv_decoded_secret.
      cl_demo_output=>display( lv_msg ).
    ELSE.
      lv_msg = lv_ret_code && ':' && lv_err_text.
      cl_demo_output=>display( lv_msg ).
    ENDIF.

*   Close HTTP Connection
    lo_client->close( ).

  CATCH /goog/cx_sdk INTO DATA(lo_exception).
    MESSAGE lo_exception->get_text( ) TYPE 'E'.
ENDTRY.
- Save and activate the report program.
- Execute the report (press F8).
On successful execution you should see the report output as shown below:
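The report above base64-decodes the payload data of the accessVersion response but does not check the CRC-32C checksum (payload.dataCrc32c) that the Secret Manager API returns alongside it. The following Python example, added here and not part of the codelab or of the ABAP SDK, shows that integrity check on a constructed response; the CRC-32C routine, the sample response and the PROJECT_NUMBER placeholder are the example's own.

```python
import base64
import json

# CRC-32C (Castagnoli) lookup table, reflected polynomial 0x82F63B78.
def _crc32c_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _crc32c_table()

def crc32c(data: bytes) -> int:
    """CRC-32C of the raw secret bytes, the value Secret Manager reports as dataCrc32c."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def decode_payload(response_json: str) -> bytes:
    """Base64-decode payload.data and reject it if payload.dataCrc32c does not match."""
    payload = json.loads(response_json)["payload"]
    data = base64.b64decode(payload["data"], validate=True)
    expected = int(payload["dataCrc32c"])  # the API serialises the int64 checksum as a string
    actual = crc32c(data)
    if actual != expected:
        raise ValueError(f"CRC32C mismatch: response says {expected}, decoded data gives {actual}")
    return data

def sample_response(secret: bytes, tamper: bool = False) -> str:
    """Constructed accessVersion response (not captured from a real project).
    tamper=True flips one bit after the checksum was taken, modelling a corrupted payload."""
    crc = crc32c(secret)
    if tamper:
        secret = bytes([secret[0] ^ 0x01]) + secret[1:]
    return json.dumps({
        "name": "projects/PROJECT_NUMBER/secrets/demo-secret/versions/1",  # placeholder project
        "payload": {"data": base64.b64encode(secret).decode(), "dataCrc32c": str(crc)},
    })

def payload_is_intact(response_json: str) -> bool:
    try:
        decode_payload(response_json)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(decode_payload(sample_response(b"This is my super secret data")).decode())
```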
11. Congratulations
Congratulations! You have successfully retrieved a secret stored in Google Cloud Platform Secret Manager using ABAP SDK for Google Cloud.
Google Cloud Secret Manager has other features as well, such as:
- Patching a Secret
- Destroying a Secret Version
- Deleting a Secret
You can invoke these Secret Manager features through ABAP SDK for Google Cloud from your SAP applications.
12. Clean up
If you do not wish to continue with the additional codelabs related to ABAP SDK for Google Cloud, please proceed with the cleanup.
Delete the project
- Delete the Google Cloud project:
gcloud projects delete abap-sdk-poc
Delete individual resources
- Delete the compute instance:
gcloud compute instances delete abap-trial-docker
- Delete the firewall-rules:
gcloud compute firewall-rules delete sapmachine
- Delete the service account:
gcloud iam service-accounts delete \
abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com