Many APIs that are part of the Google Library use an API key as a credential for execution. As a best practice, credentials should not be embedded directly in code or in the application source tree. The ideal approach is to store them centrally, with access restricted to administrators. Storing them centrally also means that the applications using these credentials need an easy way to retrieve them in order to function.
Google Cloud Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
ABAP SDK provides an implicit way to connect and use Google Cloud Secret Manager API to store and retrieve secrets.
This quickstart shows you how to use Secret Manager API to store and retrieve API keys using ABAP SDK and use it to call Translate AI API.
The configuration steps in this quickstart guide assume that the SAP system is hosted on Google Cloud Platform. If needed, you can refer to this blog to get the ABAP Platform Trial 1909 running on Google Cloud Platform within 30 mins.
To learn more about the authentication step for an SAP system hosted outside Google Cloud Platform, please refer to the documentation “Authenticate using API key stored in Secret Manager”.
Before you run this quickstart, make sure that you or your administrators have completed the following prerequisites:
Enable the Google services to be accessed by the ABAP SDK (replace the string PROJECT_ID with your Google Cloud project Id):
gcloud auth login
gcloud config set project PROJECT_ID
gcloud services enable iamcredentials.googleapis.com
gcloud services enable secretmanager.googleapis.com
Create a Service Account to be used by the ABAP SDK and assign it the Secret Manager Secret Accessor role (replace the string PROJECT_ID with your Google Cloud project Id):
gcloud iam service-accounts create abap-sdk-qs \
    --description="ABAP SDK Quick Start" \
    --display-name="ABAP SDK Quick Start"
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:abap-sdk-qs@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --condition="None"
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, create a secret with the name TEST_SECRET, and store the API key as the latest version.
Go to Secret manager
For information about how to create a secret, see Create a secret.
The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.
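The CLI equivalent of the console step above, as an added example that is not part of the original quickstart: it creates TEST_SECRET from stdin, grants the accessor role on that one secret rather than on the whole project, and then removes the project-level binding made earlier. The run helper and the APPLY variable are assumptions of this example; without APPLY=1 the script only prints the commands for review.

```shell
#!/bin/sh
# Added example (not from the original quickstart): least-privilege setup.
# PROJECT_ID is a placeholder; abap-sdk-qs and TEST_SECRET are the names used above.
set -eu
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"
SECRET_ID="${SECRET_ID:-TEST_SECRET}"
SA="abap-sdk-qs@${PROJECT_ID}.iam.gserviceaccount.com"
ROLE="roles/secretmanager.secretAccessor"

# Hypothetical helper: print each command, execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Create the secret with the API key as its first version. The key is read
# from stdin so it never lands in shell history or in the process list.
create_secret() {
  run gcloud secrets create "$SECRET_ID" --project="$PROJECT_ID" \
      --replication-policy=automatic --data-file=-
}

# Allow the SDK service account to read this one secret only.
grant_on_secret() {
  run gcloud secrets add-iam-policy-binding "$SECRET_ID" --project="$PROJECT_ID" \
      --member="serviceAccount:${SA}" --role="$ROLE"
}

# Drop the project-wide grant, which exposes every secret in the project.
revoke_on_project() {
  run gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA}" --role="$ROLE" --condition=None
}

# Show who can access the secret after the change.
show_policy() {
  run gcloud secrets get-iam-policy "$SECRET_ID" --project="$PROJECT_ID"
}

# Grant on the secret before revoking on the project, so access is never lost.
create_secret
grant_on_secret
revoke_on_project
show_policy
```

With APPLY=1, pipe the API key into the script on stdin.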
The below configuration will be used by the ABAP SDK to connect to the secret manager API.
(Replace the string PROJECT_ID with your Google Cloud project Id)
Google Cloud Key Name: CLIENT_KEY_SM
Google Cloud Service Account Name: abap-sdk-qs@PROJECT_ID.iam.gserviceaccount.com
Google Cloud Scope: https://www.googleapis.com/auth/cloud-platform
Google Cloud Project Identifier: PROJECT_ID
Authorization Class: /GOOG/CL_AUTH_GOOGLE
NOTE: Leave the other fields blank.
The below configuration will be used by the ABAP SDK to 1) connect to the secret manager API, 2) retrieve the API key stored in the secret 3) connect to the Translate AI API.
(Replace the string PROJECT_ID with your Google Cloud project Id)
Google Cloud Key Name: DEMO_TRANSLATE
Google Cloud Service Account Name: Leave this field blank.
Google Cloud Scope: https://www.googleapis.com/auth/cloud-platform
Google Cloud Project Identifier: PROJECT_ID
Authorization Class: /GOOG/CL_AUTH_API_KEY_SM
Authorization Parameter 1: CLIENT_KEY_SM → This is the client key that you've created for Secret Manager access
Authorization Parameter 2: TEST_SECRET → This is the ID of the secret, which has the API key stored
NOTE: Leave the other fields blank.
The SDK configuration is now complete, and API keys can be stored and retrieved. These keys can be used to call compatible APIs, such as Cloud Translation and Google Maps API like Address Validation, Directions, Distance Matrix, Elevation, Geocoding, Places, Roads, and Time Zones.
We can now proceed with a sample invocation of the Cloud Translation v2 API using the API key configuration that is retrieved from Secret Manager.
DEMO_TRANSLATE which will be used by the SDK to retrieve the API key stored in the Secret Manager.
REPORT zr_qs_translate_texts.

" data declarations
DATA: lv_text         TYPE string,
      lv_msg          TYPE string,
      lv_ret_code     TYPE i,
      lv_err_text     TYPE string,
      ls_err_resp     TYPE /goog/err_resp,
      ls_input        TYPE /goog/cl_translation_v2=>ty_006,
      ls_output       TYPE /goog/cl_translation_v2=>ty_007,
      lt_translations TYPE /goog/cl_translation_v2=>ty_translations,
      ls_texts        TYPE /goog/cl_translation_v2=>ty_008,
      lo_translate    TYPE REF TO /goog/cl_translation_v2,
      lo_exception    TYPE REF TO /goog/cx_sdk.

TRY.
    " instantiate api client stub; the client key DEMO_TRANSLATE makes the SDK
    " fetch the API key from Secret Manager, so no key appears in this report
    CREATE OBJECT lo_translate
      EXPORTING
        iv_key_name = 'DEMO_TRANSLATE'.

    " pass the text to be translated to the required parameter
    lv_text = 'The Earth is the third planet from the Sun'.
    APPEND lv_text TO ls_input-q.
    ls_input-format = 'text'.
    ls_input-source = 'en'.
    ls_input-target = 'de'.

    " call the api method to translate text
    CALL METHOD lo_translate->translate_translations
      EXPORTING
        is_input    = ls_input
      IMPORTING
        es_output   = ls_output
        ev_ret_code = lv_ret_code
        ev_err_text = lv_err_text
        es_err_resp = ls_err_resp.

    IF lo_translate->is_success( lv_ret_code ) = abap_true.
      lt_translations = ls_output-data.
      READ TABLE lt_translations-translations INTO ls_texts INDEX 1.
      WRITE: / 'Translation Successful'.
      WRITE: / 'Translated Text is: ', ls_texts-translated_text.
    ENDIF.

    " close the http connection
    lo_translate->close( ).

  CATCH /goog/cx_sdk INTO lo_exception.
    " report the SDK error instead of swallowing it silently
    lv_msg = lo_exception->get_text( ).
    MESSAGE lv_msg TYPE 'S' DISPLAY LIKE 'E'.
ENDTRY.
Following the example above, you can use Secret Manager to store any secrets that your requirements call for. The SDK can be used to retrieve a secret directly from the Secret Manager service. The reference code to access a secret version is available in this link. Try running the code with the Client Key CLIENT_KEY_SM and the Secret Id TEST_SECRET to retrieve the stored secret.
"Open HTTP Connection
DATA(lo_sm) = NEW /goog/cl_secretmgr_v1( iv_key_name = 'CLIENT_KEY_SM' ).
"Populate relevant parameters for the API call
lv_p_projects_id = lo_sm->gv_project_id.
lv_p_secrets_id = 'TEST_SECRET'.
lv_p_versions_id = 'latest'.
"Call the API method
CALL METHOD lo_sm->access_versions ....
...
Hope the article was able to give you a quick insight on using Secret Manager with ABAP SDK for Google Cloud.
Ready to start using ABAP SDK for Google Cloud?
Bookmark What’s new with the ABAP SDK for Google Cloud for the latest announcements and follow installation and configuration instructions.
Check out these blog posts to get started with ABAP SDK for Google Cloud
Happy Learning! and Happy Innovating!