SAP system authentication on Amazon - Amazon SDK for SAP ABAP
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

SAP system authentication on Amazon

Before an SAP system can make calls to Amazon on behalf of SAP users, the SAP system must first authenticate itself to Amazon. Amazon SDK for SAP ABAP supports the following three base authentication methods; the method is selected in the SDK profile settings in IMG.

Amazon SDK for SAP ABAP - BTP edition can only be authenticated with the Secret access key authentication method using SAP Credential Store.

For cross-account access scenarios, SDK for SAP ABAP also supports source profile, which enables chaining multiple IAM role assumptions across accounts using any of the base authentication methods. For more information, see Source profile authentication for cross-account access.

Amazon EC2 instance metadata authentication

SAP systems running on Amazon EC2 can acquire short-lived, automatically-rotating credentials from Amazon EC2 instance metadata. For more information, see Using credentials for Amazon EC2 instance metadata.

We strongly recommend this method of authentication when using SDK for SAP ABAP. To enable it, the Basis administrator must allow outbound HTTP communication from the SAP application servers to the instance metadata endpoint, which is the link-local address 169.254.169.254 (check that no proxy setting or host firewall rule diverts or blocks that address). No further Basis configuration is required. The credentials returned are those of the IAM role attached to the instance profile of the EC2 instance.
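To show what "short-lived, automatically-rotating" means in practice, and to give a Basis administrator a way to confirm that the metadata endpoint is reachable from an SAP host, here is an added example that is not part of SDK for SAP ABAP or of its ABAP implementation. It fetches the instance profile's credentials over IMDSv2 (token first, then the credential document), validates the document, and decides whether a refresh is due before the hard expiry. The sample response is constructed in the documented IMDS format with placeholder values; only the fetch function needs a real EC2 instance.

```python
"""IMDS credential retrieval and expiry check (added example, standard library only)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Link-local address of the EC2 instance metadata service. Reachable only from
# inside an EC2 instance, and only if no proxy setting or host firewall blocks it.
IMDS_BASE = "http://169.254.169.254/latest"


def _parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps IMDS emits into aware UTC datetimes."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_imds_credentials(body):
    """Validate a credential document from .../iam/security-credentials/<role-name>.

    A 'Code' other than 'Success' (for example when the instance profile's role
    cannot be assumed) is an error even though the HTTP request itself succeeded.
    """
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS reported credential status {doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if key not in doc:
            raise ValueError(f"credential document is missing {key}")
    return {
        "AccessKeyId": doc["AccessKeyId"],
        "SecretAccessKey": doc["SecretAccessKey"],
        "Token": doc["Token"],
        "Expiration": _parse_ts(doc["Expiration"]),
    }


def credentials_need_refresh(creds, now=None, margin_seconds=300):
    """True if the credentials expire within margin_seconds of 'now'.

    Refreshing ahead of the expiry keeps an in-flight request from carrying
    credentials that STS has already invalidated.
    """
    now = datetime.now(timezone.utc) if now is None else _parse_ts(now)
    return creds["Expiration"] - now <= timedelta(seconds=margin_seconds)


def fetch_imds_credentials(timeout=2):
    """Fetch the instance profile role's credentials using IMDSv2 (session token first).

    Works only on EC2: elsewhere the connection to 169.254.169.254 fails with URLError.
    """
    token_req = urllib.request.Request(
        f"{IMDS_BASE}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"},
    )
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    auth = {"X-aws-ec2-metadata-token": token}

    # Listing the path returns the role name; IMDS answers 404 (HTTPError) when
    # no instance profile is attached to the instance.
    base = f"{IMDS_BASE}/meta-data/iam/security-credentials/"
    with urllib.request.urlopen(urllib.request.Request(base, headers=auth), timeout=timeout) as resp:
        role_name = resp.read().decode().strip()
    with urllib.request.urlopen(urllib.request.Request(base + role_name, headers=auth), timeout=timeout) as resp:
        return parse_imds_credentials(resp.read().decode())


# Constructed sample in the documented IMDS response format; all values are placeholders.
SAMPLE_IMDS_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2024-05-01T10:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEEXAMPLE12",
  "SecretAccessKey" : "EXAMPLEsecretEXAMPLEsecretEXAMPLE",
  "Token" : "EXAMPLEsessiontokenEXAMPLE",
  "Expiration" : "2024-05-01T16:00:00Z"
}"""

if __name__ == "__main__":
    creds = parse_imds_credentials(SAMPLE_IMDS_RESPONSE)
    print("sample expires", creds["Expiration"].isoformat(),
          "refresh at 15:57?", credentials_need_refresh(creds, "2024-05-01T15:57:00Z"))
    try:
        live = fetch_imds_credentials()
        print("live credentials", live["AccessKeyId"], "expire", live["Expiration"].isoformat())
    except OSError as exc:  # URLError/HTTPError are OSError subclasses
        print("IMDS not reachable (not on EC2, or HTTP to 169.254.169.254 blocked):", exc)
```

Run it on the SAP application server: a URLError or timeout on the first PUT means the outbound HTTP path to the metadata endpoint is blocked; a 404 on the role listing means no instance profile is attached; a `Code` other than `Success` means the instance profile exists but its role cannot be assumed.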

Note

This method of authentication applies only if your SAP systems are running on Amazon EC2. SAP systems hosted on-premises or in other cloud environments cannot authenticate using this method.

Secret access key authentication

With this method, you use an Access Key ID and a Secret Access Key to authenticate your SAP system on Amazon. The SAP system logs into Amazon using an IAM user. For more information, see Managing Access Keys for IAM Users.

The Basis administrator receives an Access Key ID and a Secret Access Key from the Amazon IAM administrator, and the SAP system must be configured to store both values. Unlike the credentials obtained through instance metadata or IAM Roles Anywhere, these keys are long-lived: they remain valid until they are deactivated or deleted in IAM, so they must be protected as secrets and rotated on a schedule.

Certificate-based authentication using IAM Roles Anywhere

An X.509 certificate issued by your certificate authority (CA) can be used for authentication with Amazon Identity and Access Management Roles Anywhere. The certificate must be configured in STRUST. The CA must be registered with IAM Roles Anywhere as a trust anchor, and a profile must be created that lists the IAM roles the certificate holder may assume and any session policies that restrict those sessions. Each listed role must also trust the IAM Roles Anywhere service principal in its trust policy. For more information, see Creating a trust anchor and profile in Amazon Identity and Access Management Roles Anywhere.

For detailed steps on how to use IAM Roles Anywhere with SDK for SAP ABAP, see Using certificates with IAM Roles Anywhere.

Note

Certificate revocation is only supported through the use of imported certificate revocation lists. IAM Roles Anywhere does not query OCSP or fetch CRLs from your CA, so a revoked certificate keeps authenticating until an updated CRL is imported. For more information, see Revocation.

Source profile authentication for cross-account access

Source profile is an advanced feature that enables you to chain multiple IAM role assumptions across Amazon accounts. With this method, one profile assumes a role, which then assumes another role, and so on, similar to the source_profile parameter in Amazon CLI.

Source profile works with any of the three base authentication methods (instance metadata, secret access key, or certificate-based). The first profile in the chain must use one of these base methods, and subsequent profiles in the chain use the credentials from the previous profile to assume the next role.

This is useful for cross-account access scenarios where you need to traverse multiple Amazon accounts to reach your target resources. For detailed configuration steps, see Using Source Profile for Cross-Account Access.
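As an added example that is not code from SDK for SAP ABAP (whose profiles are maintained in IMG, not in a text file), the following resolves a chain of profiles the way the Amazon CLI's ~/.aws/config does, which is the model the SDK's source profile feature mirrors. It walks source_profile links from the target profile back to a base profile, reports which base method anchors the chain and which roles will be assumed in which order, and rejects a cycle, a dangling source_profile, or a profile that is neither a link nor a base. The mapping of config keys to base methods (credential_source for instance metadata, aws_access_key_id for secret access keys, credential_process for a certificate-based helper) is the CLI's convention, assumed here for illustration; the config itself is constructed with placeholder account IDs and role names.

```python
"""Resolving a source_profile chain before any sts:AssumeRole is attempted (added example)."""
import configparser

# CLI config keys that mark a *base* profile, i.e. one that authenticates with one of
# the three base methods rather than through another profile (assumed mapping).
BASE_METHODS = {
    "credential_source": "instance metadata",
    "aws_access_key_id": "secret access key",
    "credential_process": "certificate (IAM Roles Anywhere helper via credential_process)",
}


def _section(cfg, name):
    """Look up a profile section, honouring the CLI's 'profile <name>' naming."""
    key = "default" if name == "default" else f"profile {name}"
    if key not in cfg:
        raise KeyError(f"profile {name!r} is not defined")
    return cfg[key]


def resolve_chain(cfg, profile):
    """Walk source_profile links from `profile` back to a base profile.

    Returns (base_method, [role_arn, ...]) with roles in the order they will be
    assumed, first hop first. Raises ValueError on a cycle or a malformed profile and
    KeyError on a missing one.
    """
    roles, seen, name = [], [], profile
    while True:
        if name in seen:
            raise ValueError(f"source_profile cycle: {' -> '.join(seen + [name])}")
        seen.append(name)
        p = _section(cfg, name)
        if "role_arn" in p:
            roles.append(p["role_arn"])
        if "source_profile" in p:
            if "role_arn" not in p:
                raise ValueError(f"profile {name!r} has source_profile but no role_arn")
            name = p["source_profile"]
            continue
        for key, method in BASE_METHODS.items():
            if key in p:
                roles.reverse()  # walked target -> base; STS calls happen base -> target
                return method, roles
        raise ValueError(f"profile {name!r} has neither source_profile nor a base credential method")


def load_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


# Constructed config: an EC2-hosted SAP system hops through a hub account to reach an
# S3 role in a workload account, plus a deliberately broken cyclic pair of profiles.
SAMPLE_CONFIG = """
[profile sap-ec2]
credential_source = Ec2InstanceMetadata

[profile hub]
role_arn = arn:aws:iam::111111111111:role/SapHub
source_profile = sap-ec2

[profile workload-s3]
role_arn = arn:aws:iam::222222222222:role/SapS3Access
source_profile = hub

[profile loop-a]
role_arn = arn:aws:iam::333333333333:role/LoopA
source_profile = loop-b

[profile loop-b]
role_arn = arn:aws:iam::333333333333:role/LoopB
source_profile = loop-a
"""

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    method, roles = resolve_chain(cfg, "workload-s3")
    print(f"base method: {method}")
    for hop, arn in enumerate(roles, 1):
        print(f"  hop {hop}: sts:AssumeRole {arn}")
    try:
        resolve_chain(cfg, "loop-a")
    except ValueError as exc:
        print("rejected:", exc)
```

Two properties of role chaining matter when you lay out such a chain: every hop is a separate sts:AssumeRole, so each role's trust policy must allow the principal that assumes it at that hop (the instance profile role, IAM user, or Roles Anywhere session for the first hop, the previous role for every later hop), and STS limits sessions obtained by role chaining to a maximum duration of one hour regardless of the role's configured maximum.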

Next step

After authenticating your SAP system in Amazon, SDK for SAP ABAP automatically calls sts:AssumeRole to assume the IAM role that corresponds to the SAP user's business function, so the permissions of that role, not of the base credentials, govern what the SAP user can do.