Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PostgreSQL on SAP BTP - Request an 'admin' user access valid for 'x' days

antoniojmnunes
Product and Topic Expert
Product and Topic Expert
a week ago

The PostgreSQL on SAP BTP, hyperscaler option provides a way to directly consume the PostgreSQL service provided by the infrastructure providers such as AWS, Azure, GCP and Alicloud. 

The service is part of SAP BTP portfolio that aims to simplified development, the service is part of BTP Backing Services and provides pre-built components and infrastructure that developers can easily integrate into their applications. This simplifies the development process by reducing the need to build complex functionalities from scratch. Developers can focus on implementing core features and business logic instead of spending time on low-level infrastructure concerns.

To be able to run some activities, for example related to monitoring your PostgreSQL instance you need to access the database using credentials with admin rights type. SAP provides a way for customers to request a temporary user access (valid between 1-29 days) to be able to run some monitoring and admin tasks.

This extension API allows a user access request with special authorizations valid for a maximum of 29 days. The access will be provided via the user ‘instance_monitoring_admin”.  

  • Extension API: /postgresql-db/instances/:id/monitoring-admin 
    API url usage:  https://{base-url}/v1/postgresql-db/instances/{instance-id}/monitoring-admin 

This extension API allows a user access request with special authorizations valid for a maximum of 29 days. The access will be provided via the user ‘instance_monitoring_admin”, follow the below step-by-step example to know how to request the user, using the extension API. 

[Step-by-Step example] 

1️⃣ Request a ‘bearer’ token to authenticate the user request

When requesting the user access, you need to add a bearer token to the API call for the authorization. Login to the BTP Cloud Foundry Environment using the API endpoint.

cf login -a https://api.cf.sap.hana.ondemand.com/

After authentication (using your registered e-mail account) you will be prompted to select the organization and space where you have deployed your instance. In case your are not prompted with the choice, use the below cf command to set the target organization and space.

cf target -o <org> -s <space>

Retrieve a ‘bearer’ token by running the below command.

cf oauth-token

 See below an example of the output of the above commands. Picture 1.png

⚠️Copy the token to a safe place, you will need it for authentication in the API call, when requesting the user.

2️⃣ Form the URL for the API call 

You can retrieve the server API base URL from service key credentials file, look for the api_server parameter. If you can’t find the parameter in the service key file, please generate a new service key as the parameter was added probably after you have generated the current service key, see below screen shot.

picture_2.png

3️⃣  Configure the PUT request using a RESP API client

We choose to use for our example the Postman REST Client for Visual Code, but you can choose any other tool or method for sending the PUT request. Replace parameter {id} with your instance ID.

Below the complete API URL for our scenario, using the retrieved server API URL and our instance ID 

https://api-backing-services.eu10-canary.data.services.cloud.sap/v1/postgresql-db/instances/fab5bd81-9292-4b6a-92ee-544d8175482a/monitoring-admin

 We will request a user with the maximum validity by using the below json payload.

{"time_to_live": 29}

Picture 3.png

In the authorization configuration, choose the type ’Bearer Token’ and add the token that you have requested before.

Picture 4.png

⚠️Remove the word bearer and the space in the begin before paste the token.

4️⃣ Send the PUT request using a RESP API client

After sending the PUT request you will receive a response with the credentials (password and the validity confirmation) for the user access.

Picture 5.png

Another way is to use, for example, the command line tool cURL.
In the code (snippet) section of Postman you can easily check the full command line to run the same PUT request, using the cURL command line.

Picture 6.png

Please refer always to the product official documentation, regarding extensibility APIs, at SAP Help Portal .

Thanks for your reading,

SAP BTP Backing Services – Product Management

1 Comment
Labels in this area
Popular Blog Posts