Configuring SAP OData connections
To configure a SAP OData connection:
In Amazon Glue Studio, create a connection by following the steps below:
When selecting a Connection type, select SAP OData.
Provide the Application host URL of the SAP OData instance you want to connect to.
Provide the Application service path of the SAP OData instance you want to connect to.
Provide the Client number of the SAP OData instance you want to connect to.
Provide the Port number of the SAP OData instance you want to connect to.
Provide the Logon language of the SAP OData instance you want to connect to.
Select the Amazon IAM role which Amazon Glue can assume and has permissions for following actions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterface", "ec2:DeleteNetworkInterface", ], "Resource": "*" } ] }
Select the Authentication Type which you want to use for this connection in Amazon Glue.
Custom Auth: enter the following inputs only in case of Basic Auth in the Secrets Manager:
{ "basicAuthUsername": "<your-user-name>", "basicAuthPassword": "<your-pass-word>", "basicAuthDisableSSO": "True/False", "customAuthenticationType": "CustomBasicAuth" }
OAuth 2.0: enter the following inputs only in case of OAuth 2.0:
User Managed Client Application ClientId
USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET
(your client secret) in the Secrets ManagerAuthorization Code URL
Authorization Token
OAuth scopes
Select the
(secretName)
Amazon Secret (that you created in the Secrets Manager) which you want to use for this connection in Amazon Glue to put the tokens.Select the network options if you want to use your network.
Grant the IAM role associated with your Amazon Glue job permission to read
secretName
.In your Amazon Glue job configuration, provide
connectionName
as an Additional network connection.
CUSTOM AUTH
This auth type works well for automation scenarios as it allows to use username and password up front with the permissions of a particular user in the SAP OData instance. Amazon Glue is able to use the username and password to authenticate SAP OData APIs. In Amazon Glue, basic authorization is implemented as custom authorization.
For public SAP OData documentation for Basic Auth flow, see HTTP Basic Authentication
AUTHORIZATION_CODE Grant Type
The grant type determines how Amazon Glue communicates with SAP OData to request access to your data. Your choice affects the requirements that you must meet before you create the connection. SAP OData supports only the AUTHORIZATION_CODE
grant type.
This grant type is considered "three-legged" OAuth as it relies on redirecting users to the third-party authorization server to authenticate the user. It is used when creating connections via the Amazon Glue console.
Users may still opt to create their own connected app in SAP OData and provide their own client ID and client secret when creating connections through the Amazon Glue console. In this scenario, they will still be redirected to SAP OData to login and authorize Amazon Glue to access their resources.
This grant type results in a refresh token and access token. The access token is short lived, and may be refreshed automatically without user interaction using the refresh token.
For public SAP OData documentation on creating a connected app for Authorization Code OAuth flow, see Authentication Using OAuth 2.0