Retrieve credentials/secrets from Google Cloud Secret Manager with ABAP SDK for Google Cloud

About this codelab

Last updated Jul 17, 2024
Written by Devesh Singh

1. Introduction

This codelab lists the steps to retrieve credentials or secrets from the Google Cloud Secret Manager API using the ABAP SDK for Google Cloud.

The following Google Cloud services are used in this codelab:

  • Secret Manager
  • Cloud Shell

What you'll build

You'll perform the following:

  • Enable Secret Manager API in a Google Cloud project.
  • Create a secret.
  • Add a secret version.
  • Access/Retrieve a secret using ABAP SDK for Google Cloud.

In this codelab, the steps for creating a secret and adding a secret version are done through gcloud commands, but they can also be done using the client library for Secret Manager provided with the ABAP SDK for Google Cloud.

2. Requirements

  • A browser, such as Chrome or Firefox.
  • A Google Cloud project with billing enabled or Create a 90-Day Free Trial account for Google Cloud Platform.
  • SAP GUI (Windows or Java) installed in your system. If SAP GUI is already installed on your laptop, connect to SAP using the VM external IP address as the Application Server IP. If you are on Mac, then you can also install the SAP GUI for Java available in this link.

3. Before you begin

  • Run the following commands to authenticate for your account and set the default project to abap-sdk-poc. Zone us-west4-b is used as an example. If needed, please change the project and zone in the following commands based on your preference.
gcloud auth login
gcloud config set project abap-sdk-poc
gcloud config set compute/zone us-west4-b

4. Overview

Here is a quick overview of some of the entities of Secret Manager that you would be working with in this codelab:

  • Secret - A secret is a project-global object that contains a collection of metadata and secret versions.
  • Secret version - A secret version stores the actual secret data, such as API keys, passwords, or certificates.

5. Enable Secret Manager in your Google Cloud Project

  1. Go to your Google Cloud Project and click Activate Cloud Shell in the top right corner.

  2. Execute the following command to enable the Cloud Secret Manager API in your Google Cloud Project.
gcloud services enable secretmanager.googleapis.com

You should now have the Secret Manager API enabled in your Google Cloud Project.

6. Create a Service Account with Secret Manager user roles

To create a service account with required roles, perform the following steps:

  1. Run the following command in the Cloud Shell terminal:
gcloud iam service-accounts create abap-sdk-secretmanager-tester \
--display-name="Service Account for Secret Manager"
  2. Add the required roles to the service account created in the previous step so that it can create a secret, add a secret version, and access a secret version.
# Bindings are made on the project, which is where the IAM page lists them.
# roles/secretmanager.admin carries secretmanager.secrets.create (and the two
# permissions below); roles/secretmanager.secretAccessor alone is sufficient
# for the report in this codelab, which only reads a secret version.
gcloud projects add-iam-policy-binding abap-sdk-poc \
  --member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
  --role='roles/secretmanager.admin'
gcloud projects add-iam-policy-binding abap-sdk-poc \
  --member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
  --role='roles/secretmanager.secretVersionAdder'
gcloud projects add-iam-policy-binding abap-sdk-poc \
  --member='serviceAccount:abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com' \
  --role='roles/secretmanager.secretAccessor'

The above commands use abap-sdk-poc as a placeholder for the Google Cloud Project. Replace abap-sdk-poc with your project id.

  • To verify that the roles have been added, go to the IAM page. The service account you created should be listed along with the roles assigned to it.

7. Create a Secret

  • In Cloud Shell, run the following command to create a secret with the name "demo-secret" for this codelab:
gcloud secrets create demo-secret \
    --replication-policy="automatic"

You should now see the secret listed in your Google Cloud project.

8. Add a secret version

  1. In Cloud Shell, run the following command to add a secret version to the secret "demo-secret". The secret value is piped from stdin so that it does not appear as a command-line argument:
echo -n "This is my super secret data" | \
    gcloud secrets versions add demo-secret --data-file=-

A secret version is created. To view its details, click "demo-secret".

  2. Click the three dots on the right and select View Secret Value; the stored secret is shown.

9. Create SDK configurations in SAP

Now that you have set up the prerequisites on the Google Cloud side, we can move ahead with the configuration on the SAP side. For authentication and connectivity related configuration, the ABAP SDK for Google Cloud uses the table /GOOG/CLIENT_KEY.

To maintain the configuration in the table /GOOG/CLIENT_KEY, perform the following steps:

  1. In the SAP GUI, enter transaction code SPRO.
  2. Click SAP Reference IMG.
  3. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
  4. Maintain the following values against the fields:

Field                              Description
Google Cloud Key Name              SECRET_MANAGER_DEMO
Google Cloud Service Account Name  abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com
Google Cloud Scope                 https://www.googleapis.com/auth/cloud-platform
Google Cloud Project Identifier    <<Your Google Cloud project ID>>
Authorization Class                /GOOG/CL_AUTH_GOOGLE

Leave the other fields blank.

10. Retrieve secret using the SDK

  1. Log in to your SAP system.
  2. Go to the transaction code SE38 and create a report with the name "ZDEMO_ACCESS_SECRET".
  3. In the pop-up that opens up, provide details as shown below and click Save.

  4. In the next pop-up, either select Local Object or provide a package name as appropriate.
  5. In the ABAP Editor, add the following code:
* Data declarations
DATA:
  lv_p_projects_id TYPE string,
  lv_p_secrets_id  TYPE string,
  lv_p_versions_id TYPE string.

TRY.
* Open HTTP connection using the client key maintained in /GOOG/CLIENT_KEY
    DATA(lo_client) = NEW /goog/cl_secretmgr_v1( iv_key_name = 'SECRET_MANAGER_DEMO' ).

* Populate relevant parameters: project from the client key, secret name, version alias
    lv_p_projects_id = lo_client->gv_project_id.
    lv_p_secrets_id  = 'demo-secret'.
    lv_p_versions_id = 'latest'.

* Call API method: secretmanager.projects.secrets.versions.access
    lo_client->access_versions(
      EXPORTING
        iv_p_projects_id = lv_p_projects_id
        iv_p_secrets_id  = lv_p_secrets_id
        iv_p_versions_id = lv_p_versions_id
      IMPORTING
        es_output        = DATA(ls_output)
        ev_ret_code      = DATA(lv_ret_code)
        ev_err_text      = DATA(lv_err_text)
        es_err_resp      = DATA(ls_err_resp) ).

    IF lo_client->is_success( lv_ret_code ).
* The payload data is returned Base64-encoded; decode it before use
      cl_http_utility=>if_http_utility~decode_base64(
        EXPORTING
          encoded = ls_output-payload-data
        RECEIVING
          decoded = DATA(lv_decoded_secret) ).
      DATA(lv_msg) = 'Secret data fetched successfully, Decoded Secret: ' && lv_decoded_secret.
      cl_demo_output=>display( lv_msg ).
    ELSE.
* Show the HTTP return code and error text returned by the API
      lv_msg = lv_ret_code && ':' && lv_err_text.
      cl_demo_output=>display( lv_msg ).
    ENDIF.

* Close HTTP connection
    lo_client->close( ).

  CATCH /goog/cx_sdk INTO DATA(lo_exception).
    MESSAGE lo_exception->get_text( ) TYPE 'E'.

ENDTRY.
  6. Save and activate the report program.
  7. Execute the report (press F8).

On successful execution, the report output displays the message with the decoded secret.
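The report above decodes payload.data from the versions.access response and uses it as-is. Secret Manager also returns a dataCrc32c checksum of the payload in the same response, which lets the client confirm that the bytes it decoded are the bytes that were stored. The following Python example, added here and not part of the codelab or of the ABAP SDK, parses a constructed copy of that response, decodes the payload and rejects it when the checksum does not match; the resource name and the secret value are taken from this codelab, and the sample response is built locally rather than fetched from Google Cloud.

```python
import base64
import json

# Shape of the secretmanager.projects.secrets.versions.access response:
#   {"name": "projects/<project>/secrets/<secret>/versions/<n>",
#    "payload": {"data": "<base64>", "dataCrc32c": "<decimal int64>"}}


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli) in bitwise reflected form, poly 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def build_sample_response(secret: bytes,
                          name: str = "projects/abap-sdk-poc/secrets/demo-secret/versions/1") -> str:
    """Constructed stand-in for the API response; nothing is sent to Google Cloud."""
    payload = {"data": base64.b64encode(secret).decode("ascii"),
               "dataCrc32c": str(crc32c(secret))}
    return json.dumps({"name": name, "payload": payload})


def read_secret(response_json: str) -> bytes:
    """Decode payload.data and refuse it if dataCrc32c does not match the bytes."""
    response = json.loads(response_json)
    payload = response["payload"]
    data = base64.b64decode(payload["data"], validate=True)
    expected = payload.get("dataCrc32c")
    if expected is not None and int(expected) != crc32c(data):
        raise ValueError(f"CRC32C mismatch for {response['name']}")
    return data


def tamper(response_json: str) -> str:
    """Constructed failure case: flip one payload byte but keep the original checksum."""
    response = json.loads(response_json)
    raw = bytearray(base64.b64decode(response["payload"]["data"]))
    raw[0] ^= 0x01
    response["payload"]["data"] = base64.b64encode(bytes(raw)).decode("ascii")
    return json.dumps(response)


if __name__ == "__main__":
    sample = build_sample_response(b"This is my super secret data")
    print(read_secret(sample).decode("utf-8"))
```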

11. Congratulations

Congratulations! You have successfully retrieved a secret stored in Google Cloud Platform Secret Manager using ABAP SDK for Google Cloud.

Google Cloud Secret Manager has other features as well, such as:

  • Patching a Secret
  • Destroying a Secret Version
  • Deleting a Secret

You can invoke these Secret Manager features through ABAP SDK for Google Cloud from your SAP applications.

12. Clean up

If you do not wish to continue with the additional codelabs related to ABAP SDK for Google Cloud, please proceed with the cleanup.

Delete the project

  • Delete the Google Cloud project:
gcloud projects delete abap-sdk-poc

Delete individual resources

  1. Delete the compute instance:
gcloud compute instances delete abap-trial-docker
  2. Delete the firewall rules:
gcloud compute firewall-rules delete sapmachine
  3. Delete the service account:
gcloud iam service-accounts delete \
    abap-sdk-secretmanager-tester@abap-sdk-poc.iam.gserviceaccount.com