SAP system authentication on Amazon - Amazon SDK for SAP ABAP

SAP system authentication on Amazon

Before an SAP system can make calls to Amazon on behalf of SAP users, the SAP system must authenticate itself to Amazon. Amazon SDK for SAP ABAP supports the following three authentication methods. The method is selected in the SDK profile settings in IMG.

Amazon SDK for SAP ABAP - BTP edition can only be authenticated with the Secret access key authentication method using SAP Credential Store.

Amazon EC2 instance metadata authentication

SAP systems running on Amazon EC2 can acquire short-lived, automatically-rotating credentials from Amazon EC2 instance metadata. For more information, see Using credentials for Amazon EC2 instance metadata.

We strongly recommend this method of authentication when using SDK for SAP ABAP. To use it, the Basis administrator must enable outbound HTTP communication. No further Basis configuration is required.

Note

This method of authentication applies only if your SAP systems are running on Amazon EC2. SAP systems hosted on-premises or in other cloud environments cannot authenticate using this method.
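
What "short-lived, automatically-rotating" means in practice, as an added example (not code from the SDK or from this documentation): it parses a constructed sample of the credentials document served by EC2 instance metadata, tells it apart from a static IAM user key, and decides when a refresh is due. The field names follow the instance metadata response; the function names and the 5-minute refresh margin are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON document returned by the instance metadata
# credentials endpoint. All values are placeholders, not real credentials.
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-05-01T16:00:00Z",
})

REFRESH_MARGIN_SECONDS = 300  # assumption: refresh 5 minutes before expiry


def parse_utc(ts):
    """Parse the UTC timestamp format used in the credentials document."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_credentials(doc_text, now):
    """Classify a credentials document and report its remaining lifetime."""
    doc = json.loads(doc_text)
    if doc.get("Code", "Success") != "Success":
        return {"kind": "unusable", "seconds_left": 0, "refresh": True}
    expiration = doc.get("Expiration")
    if not doc.get("Token") or not expiration:
        # No session token or expiry: a static IAM user key, which stays
        # valid until someone rotates or deletes it.
        return {"kind": "long-lived", "seconds_left": None, "refresh": False}
    seconds_left = int((parse_utc(expiration) - now).total_seconds())
    if seconds_left <= 0:
        return {"kind": "expired", "seconds_left": 0, "refresh": True}
    return {"kind": "short-lived", "seconds_left": seconds_left,
            "refresh": seconds_left <= REFRESH_MARGIN_SECONDS}


if __name__ == "__main__":
    now = parse_utc("2024-05-01T12:00:00Z")
    print(assess_credentials(SAMPLE_IMDS_DOC, now))
```
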

Secret access key authentication

With this method, you use an Access Key ID and a Secret Access Key to authenticate your SAP system on Amazon. The SAP system logs in to Amazon using an IAM user. For more information, see Managing Access Keys for IAM Users.

The Basis administrator receives an Access Key ID and a Secret Access Key from the Amazon IAM administrator. Your SAP system must be configured to store the Access Key ID and Secret Access Key using one of the following options.

  • Secure Store and Forward (SSF)

    • Use the SSF functionality to authenticate Amazon SDK for SAP ABAP. For more information, see Digital Signatures and Encryption.

    • You can also test SSF’s envelope and develope functionality with the SSF02 report. For more information, see Testing the SSF Installation.

    • The steps for configuring SSF for SDK for SAP ABAP are described in the /AWS1/IMG transaction. Go to Technical Prerequisites, and then select Additional Settings for On-Premises Systems.

  • SAP Credential Store

Certificate-based authentication using IAM Roles Anywhere

An X.509 certificate issued by your certificate authority (CA) can be used for authentication with Amazon Identity and Access Management Roles Anywhere. The certificate must be configured in STRUST. The CA must be registered with IAM Roles Anywhere as a trust anchor, and a profile must be created to specify the roles and policies that IAM Roles Anywhere would assume. For more information, see Creating a trust anchor and profile in Amazon Identity and Access Management Roles Anywhere.

For detailed steps on how to use IAM Roles Anywhere with SDK for SAP ABAP, see Using certificates with IAM Roles Anywhere.

Note

Certificate revocation is only supported through the use of imported certificate revocation lists. For more information, see Revocation.

Next step

After authenticating your SAP system in Amazon, SDK for SAP ABAP automatically performs an sts:assumeRole to assume the appropriate IAM role for the SAP user’s business function.