Skip to content

API for IAM Roles Anywhere

ABAP Interface /AWS1/IF_RLA

The "TLA" is a Three Letter Abbreviation that appears in ABAP class names, data dictionary objects and other ABAP objects throughout the AWS SDK for SAP ABAP. The TLA for IAM Roles Anywhere is RLA. This TLA helps squeeze ABAP objects into the 30-character length limit of the ABAP data dictionary.


To install the AWS SDK for SAP ABAP, import the Core transport, along with the transport for the RolesAnywhere module and other API modules you are interested in. A few modules are included in the Core transport itself. For more information, see the Developer Guide guide.

About The Service

Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of Amazon Web Services to obtain temporary Amazon Web Services credentials. Your workloads can use the same IAM policies and roles you have for native Amazon Web Services applications to access Amazon Web Services resources. Using IAM Roles Anywhere eliminates the need to manage long-term credentials for workloads running outside of Amazon Web Services.

To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by their certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public key infrastructure (PKI) and IAM Roles Anywhere. If you don't manage your own PKI system, you can use Private Certificate Authority to create a CA and then use that to establish trust with IAM Roles Anywhere.

This guide describes the IAM Roles Anywhere operations that you can call programmatically. For more information about IAM Roles Anywhere, see the IAM Roles Anywhere User Guide.

Using the SDK

In your code, create a client using the SDK module for IAM Roles Anywhere, which is created with factory method /AWS1/CL_RLA_FACTORY=>create(). In this example we will assume you have configured an SDK profile in transaction /AWS1/IMG called ZFINANCE.

DATA(go_session)   = /aws1/cl_rt_session_aws=>create( 'ZFINANCE' ).
DATA(go_rla)       = /aws1/cl_rla_factory=>create( go_session ).

Your variable go_rla is an instance of /AWS1/IF_RLA, and all of the operations in the IAM Roles Anywhere service are accessed by calling methods in /AWS1/IF_RLA.

API Operations

For an overview of ABAP method calls corresponding to API operations in IAM Roles Anywhere, see the Operation List.

Factory Method

/AWS1/CL_RLA_FACTORY=>create( )

Creates an object of type /AWS1/IF_RLA.


Optional arguments:







/AWS1/IF_RLA represents the ABAP client for the RolesAnywhere service, representing each operation as a method call. For more information see the API Page page.

Configuring Programmatically

DATA(lo_config) = DATA(go_rla)->get_config( ).

lo_config is a variable of type /AWS1/CL_RLA_CONFIG. See the documentation for /AWS1/CL_RLA_CONFIG for details on the settings that can be configured.


Paginators for IAM Roles Anywhere can be created via get_paginator() which returns a paginator object of type /AWS1/IF_RLA_PAGINATOR. The operation method that is being paginated is called using the paginator object, which accepts any necessary parameters to provide to the underlying API operation. This returns an iterator object which can be used to iterate over paginated results using has_next() and get_next() methods.

Details about the paginator methods available for service IAM Roles Anywhere can be found in interface /AWS1/IF_RLA_PAGINATOR.

Level 2 ("L2") Functionality

This module includes higher-level Level 2 or "L2" functions beyond the basic web API. The L2 functionality builds on top of the basic API by providing convenience functions to simplify the use of the service for ABAP programmers. The L2 functionality does not replace the lower-level API functions but may be useful in simplifying ABAP code.

The L2 client can be created using the methods of the factory class /aws1/cl_rla_l2_factory. See the documentation of that class for more details.