Secret Manager with ABAP SDK for Google Cloud


Many Google Cloud APIs accept an API key as the credential for a call. As a best practice, credentials should not be embedded directly in code or in the application source tree. Instead, store them centrally, with access restricted to administrators. Central storage also means that the applications using these credentials need an easy way to retrieve them at run time.

Google Cloud Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

ABAP SDK provides an implicit way to connect and use Google Cloud Secret Manager API to store and retrieve secrets.

This quickstart shows you how to use Secret Manager API to store and retrieve API keys using ABAP SDK and use it to call Translate AI API.

The configuration steps in this quickstart guide assume that the SAP system is hosted on Google Cloud Platform. If needed, you can refer to this blog to get the ABAP Platform Trial 1909 running on Google Cloud Platform within 30 mins.

To learn more about the authentication steps for an SAP system hosted outside Google Cloud Platform, please refer to the documentation “Authenticate using API key stored in Secret Manager”.

Before you begin

Before you run this quickstart, make sure that you or your administrators have completed the following prerequisites:

Create an API Key and Save It in Secret Manager

Enable required services

  • Click Activate Cloud Shell at the top of the Google Cloud console to open Cloud Shell. We will use Cloud Shell to run all our commands.

Enable the Google services that the ABAP SDK will access. (Replace the string PROJECT_ID with your Google Cloud project ID.)

gcloud auth login
gcloud config set project PROJECT_ID
gcloud services enable iamcredentials.googleapis.com
gcloud services enable secretmanager.googleapis.com

Create Service Account

Create a service account to be used by the ABAP SDK and assign it the Secret Manager Secret Accessor role. (Replace the string PROJECT_ID with your Google Cloud project ID.)

gcloud iam service-accounts create abap-sdk-qs \
    --description="ABAP SDK Quick Start" \
    --display-name="ABAP SDK Quick Start"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:abap-sdk-qs@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --condition="None"

Create an API Key

To create API keys using the Google Cloud console, perform the following steps:

  • In the Google Cloud console, go to the Credentials page.
  • Click Create Credentials and select API key from the menu.
  • The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication in SAP.
  • By default, API keys are unrestricted. We recommend that you restrict each API key by selecting the APIs with which it can be used. For now, please restrict the key by selecting “Cloud Translation API”.

Create a Secret to save the API Key

In the Google Cloud console, go to Secret Manager, create a secret with the name TEST_SECRET, and store the API key as the latest version.

For information about how to create a secret, see Create a secret.

The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.
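The secret creation step above, and a narrower alternative to the project-wide binding from the Create Service Account step, written as gcloud shell functions. This is an added example, not part of the original post: a project-level roles/secretmanager.secretAccessor binding lets the service account read every secret in the project, while a binding on TEST_SECRET covers only that secret. The function names and the GCLOUD dry-run variable are assumptions; PROJECT_ID, TEST_SECRET and abap-sdk-qs are the post's own values.

```shell
#!/bin/sh
# Added example, not from the original post.
PROJECT_ID="PROJECT_ID"      # replace with your Google Cloud project ID
SECRET_ID="TEST_SECRET"      # secret name used in the post
MEMBER="serviceAccount:abap-sdk-qs@${PROJECT_ID}.iam.gserviceaccount.com"
ROLE="roles/secretmanager.secretAccessor"
GCLOUD="${GCLOUD:-gcloud}"   # assumption: run with GCLOUD=echo for a dry run

# Create the (still empty) secret.
create_secret() {
  $GCLOUD secrets create "$SECRET_ID" --project="$PROJECT_ID" \
    --replication-policy=automatic
}

# Read the API key without echoing it and add it as a new version via stdin,
# so it never appears in argv, shell history or a temporary file.
# printf '%s' avoids storing a trailing newline as part of the key.
store_api_key() {
  printf 'API key: ' >&2
  if [ -t 0 ]; then stty -echo; fi
  IFS= read -r key
  if [ -t 0 ]; then stty echo; fi
  printf '\n' >&2
  printf '%s' "$key" | $GCLOUD secrets versions add "$SECRET_ID" \
    --project="$PROJECT_ID" --data-file=-
  unset key
}

# Grant the accessor role on this one secret only.
grant_on_secret() {
  $GCLOUD secrets add-iam-policy-binding "$SECRET_ID" --project="$PROJECT_ID" \
    --member="$MEMBER" --role="$ROLE"
}

# Remove the project-wide grant made earlier, if it was applied.
revoke_on_project() {
  $GCLOUD projects remove-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" --role="$ROLE" --condition=None
}

# Typical order: create_secret; store_api_key; grant_on_secret; revoke_on_project
```

After switching to the secret-level binding, re-run Validate Authentication Configuration in SPRO to confirm the SDK can still read TEST_SECRET.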

Configure client key for Secret Manager access

The configuration below will be used by the ABAP SDK to connect to the Secret Manager API.

  • Go to SPRO > ABAP SDK for Google Cloud > Basic Settings > Configure Client Key and add the following new entry. (Replace the string PROJECT_ID with your Google Cloud project ID.)

Google Cloud Key Name: CLIENT_KEY_SM
Google Cloud Service Account Name: abap-sdk-qs@PROJECT_ID.iam.gserviceaccount.com
Google Cloud Scope: https://www.googleapis.com/auth/cloud-platform
Google Cloud Project Identifier: PROJECT_ID
Authorization Class: /GOOG/CL_AUTH_GOOGLE

NOTE: Leave the other fields blank.

  • Validate the configuration ‘CLIENT_KEY_SM’ using SPRO > ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.

Configure client key for the Translate API call using API Key

The configuration below will be used by the ABAP SDK to 1) connect to the Secret Manager API, 2) retrieve the API key stored in the secret, and 3) connect to the Translate AI API.

  • Go to SPRO > ABAP SDK for Google Cloud > Basic Settings > Configure Client Key and add the following new entry. (Replace the string PROJECT_ID with your Google Cloud project ID.)

Google Cloud Key Name: DEMO_TRANSLATE
Google Cloud Service Account Name: Leave this field blank.
Google Cloud Scope: https://www.googleapis.com/auth/cloud-platform
Google Cloud Project Identifier: PROJECT_ID
Authorization Class: /GOOG/CL_AUTH_API_KEY_SM
Authorization Parameter 1: CLIENT_KEY_SM → This is the client key that you’ve created for Secret Manager access
Authorization Parameter 2: TEST_SECRET → This is the ID of the secret, which has the API key stored

NOTE: Leave the other fields blank.

  • Validate the configuration ‘DEMO_TRANSLATE’ using SPRO > ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.

The SDK configuration is now complete, and API keys can be stored and retrieved. These keys can be used to call compatible APIs, such as Cloud Translation and Google Maps API like Address Validation, Directions, Distance Matrix, Elevation, Geocoding, Places, Roads, and Time Zones.

We can now proceed with a sample invocation of the Cloud Translation v2 API using the API key configuration that is retrieved from Secret Manager.

Create a program to translate a text

  • Create a program in SE38 and paste the linked code (also pasted below), which translates an English sentence into German.
  • Note: The client key used in the program is DEMO_TRANSLATE, which the SDK uses to retrieve the API key stored in Secret Manager.

REPORT zr_qs_translate_texts.

" data declarations
DATA: lv_text         TYPE string,
      lv_msg          TYPE string,
      lv_ret_code     TYPE i,
      lv_err_text     TYPE string,
      ls_err_resp     TYPE /goog/err_resp,
      ls_input        TYPE /goog/cl_translation_v2=>ty_006,
      ls_output       TYPE /goog/cl_translation_v2=>ty_007,
      lt_translations TYPE /goog/cl_translation_v2=>ty_translations,
      ls_texts        TYPE /goog/cl_translation_v2=>ty_008,
      lo_translate    TYPE REF TO /goog/cl_translation_v2,
      lo_exception    TYPE REF TO /goog/cx_sdk.

TRY.
    " instantiate api client stub; the client key name is a character
    " literal in single quotes (a double quote starts an ABAP comment)
    CREATE OBJECT lo_translate
      EXPORTING
        iv_key_name = 'DEMO_TRANSLATE'.

    " pass the text to be translated to the required parameter
    lv_text = 'The Earth is the third planet from the Sun'.
    APPEND lv_text TO ls_input-q.

    ls_input-format = 'text'.
    ls_input-source = 'en'.
    ls_input-target = 'de'.

    " call the api method to translate text
    CALL METHOD lo_translate->translate_translations
      EXPORTING
        is_input    = ls_input
      IMPORTING
        es_output   = ls_output
        ev_ret_code = lv_ret_code
        ev_err_text = lv_err_text
        es_err_resp = ls_err_resp.
    IF lo_translate->is_success( lv_ret_code ) = abap_true.
      lt_translations = ls_output-data.
      READ TABLE lt_translations-translations INTO ls_texts INDEX 1.
      WRITE: / 'Translation Successful'.
      WRITE: / 'Translated Text is: ', ls_texts-translated_text.
    ELSE.
      " report the error text returned by the API call
      WRITE: / 'Translation failed: ', lv_err_text.
    ENDIF.

    " close the http connection
    lo_translate->close( ).

  CATCH /goog/cx_sdk INTO lo_exception.
    " write code here to handle exceptions; at minimum, show the message
    lv_msg = lo_exception->get_text( ).
    WRITE: / lv_msg.
ENDTRY.

Program to retrieve the secret

As in the example above, you can use Secret Manager to store any secret your scenario requires. The SDK can retrieve a secret directly from the Secret Manager service. The reference code to access a secret version is available in this link. Try running the code with Client Key as CLIENT_KEY_SM and Secret Id as TEST_SECRET to retrieve the stored secret.

Example Input:

"Open HTTP Connection
DATA(lo_sm) = NEW /goog/cl_secretmgr_v1( iv_key_name = 'CLIENT_KEY_SM' ).

"Populate relevant parameters for the API call
lv_p_projects_id = lo_sm->gv_project_id.
lv_p_secrets_id = 'TEST_SECRET'.
lv_p_versions_id = 'latest'.

"Call the API method
CALL METHOD lo_sm->access_versions ....
...

Conclusion and Next Steps

Hope the article was able to give you a quick insight on using Secret Manager with ABAP SDK for Google Cloud.

Ready to start using ABAP SDK for Google Cloud?

Bookmark What’s new with the ABAP SDK for Google Cloud for the latest announcements and follow installation and configuration instructions.

Check out these blog posts to get started with ABAP SDK for Google Cloud

  • This blog, explains how you can evaluate ABAP SDK for Google Cloud using ABAP Platform Trial 1909 on Google Cloud Platform.
  • Read this blog from Devesh Singh on how a business process such as Sales Order entry in SAP can be automated using ABAP SDK for Google Cloud.
  • This blog by Ajith Urimajalu is an excellent start for understanding how BigQuery ML, a powerful machine learning service that lets you build and deploy models using SQL queries, can now be accessed with ABAP SDK for Google Cloud.
  • Also check out Kriti Sugandha's blog post about ABAP SDK Code Wizard, one of the many pieces of engineering excellence delivered as part of ABAP SDK.

Happy Learning! and Happy Innovating!


