Getting started with AWS SDK for SAP ABAP - AWS SDK for SAP ABAP

Getting started with AWS SDK for SAP ABAP

This section describes how to get started with AWS SDK for SAP ABAP. It includes information about installing the SDK, performing basic configuration, and creating a Hello World code example that translates a phrase from one language to another. If you are new to AWS SDK, we recommend performing these steps in a sandbox environment.

Step 1: Prepare your AWS account

To get started with SDK for SAP ABAP, you must have an active AWS account . You need an AWS account even if your SAP system is hosted on-premises or with another cloud provider.

If your SAP system is running on AWS Cloud, then you will be making calls to AWS services in your AWS account.

IAM role for SAP users

  • Create an IAM role with the instructions provided in the AWS Identity and Access Management User Guide. For more information, see Creating a role to delegate permissions to an AWS service. Note the Amazon Resource Name (ARN) of the IAM role for later use.

  • Select Amazon EC2 as the use case.

  • Use SapDemoTranslate as the name of the role.

  • Attach TranslateReadOnly profile to the role.

  • The role must have the following entities to enable the SAP system to assume the role. Replace "111122223333" with your AWS account number.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Principal": { "AWS": "111122223333" } } ] }

    This example shows that any principal from the AWS account "111122223333" can assume the role. This is a broad permission that is suitable for proof-of-concept. You can use a narrower principal for production, such as the following examples.

    • A specific user – when the SAP system is using SSF-encrypted credentials from an on-premises SAP system.

    • A specific role – when the SAP system is on Amazon EC2 and there is an instance profile.

    • Amazon EC2 – when the SAP system is on Amazon EC2 and there is no instance profile.

For more information, see Best practices for IAM Security.


Authentication depends on where your SAP system is hosted.

On AWS Cloud

Ensure that the EC2 instance on which your SAP system is running has an instance profile with the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/SapDemoTranslate" } ] }

Add the ARN that you noted in the previous step.

This permission enables your SAP system to assume the SapDemoTranslate role on behalf of the ABAP user.

On-premises or other cloud

If your SAP system is located on-premises or on other cloud, use the following steps to establish a connection.

  1. Create an IAM user. For more information, see Creating IAM users (console).

  2. Use SapDemoSID as the name of the IAM user. SID is the system ID of your SAP system.

  3. Assign SapDemoTranslate role to this user.

Note the access_key and secret_access_key. You must provide these credentials must to the SAP administrator to be encrypted in the SAP system.

Step 2: Set up transports

In this part of the setup, you import and configure the transports.


Import SDK for SAP ABAP transports in your SAP system. You can import the transports into any client.


When the import is complete, run the /AWS1/IMG transaction to open the Implementation Guide for SDK for SAP ABAP. To run this transaction, enter /n/AWS1/IMG in the command bar of your SAP system, and then choose Enter.

  • Go to Technical Prerequisites.

    • Review the recommended profile parameter and SSL certificate settings.

  • Go to Global SettingsConfigure Scenarios.

    • Change the settings, according to the recommendations in Global settings.

  • Go to Global SettingsTechnical Settings.

    • Change the settings, according to the recommendations in Global settings.

  • Go to Runtime SettingsLog And Trace.

    • Select New Entries.

      • Trace level: No Trace.

      • Maximum Dump Lines: 100.

      • OPT-IN: enh telemetry: Keep this blank.

    • Select Save.

  • Go to Runtime SettingsActive Scenario.

    • Under New Scenario, select DEFAULT.

    • Select Commit Scenario Change.

    • Accept the prompt.

Prerequisites for On-Premises Systems

If your SAP system is running on-premises or in another cloud, then the credentials must be stored in your SAP database. The credentials are encrypted using SAP SSF and require a configured cryptographic library, such as SAP’s CommonCryptoLib.

The steps for configuring SSF for SDK for SAP ABAP are described in the /AWS1/IMG transaction.


The preceding prerequisite does not apply if your SAP system is running on Amazon EC2. SAP systems running on Amazon EC2 retrieve short-lived, automatically rotating credentials from the Amazon EC2 instance metadata.

Step 3: Functional setup

Run transaction /AWS1/IMG (enter /n/AWS1/IMG in the command bar, and choose Enter) to open the implementation guide for AWS SDK.

  • Go to Application ConfigurationSDK Profile.

    • Select New Entries.

      • Profile: DEMO.

      • DescriptionDemo profile.

      • Select Save.

  • Highlight the entry that you created and click on the Authentication And Settings tree branch.

    • Select New Entries.

      • SID: The system ID of the SAP system that you are currently in.

      • Client: The client of the SAP system that you are currently in.

      • Scenario ID: The dropdown list where you'll find the DEFAULT scenario created by your Basis administrator.

      • AWS Region: enter the AWS Region that you want to make calls to. If your SAP system is running in AWS, enter the AWS Region that it is running in.

      • Authentication Method:

        • Select Instance Role via Metadata if your SAP system is running on Amazon EC2.

        • Select Credentials from SSF Storage if your SAP system is running on-premises or in another cloud.

          • Select Set Credentials.

          • Enter the Access Key ID and Secret Access Key that you created in the previous step.

    • Keep Disable IAM roles blank.

    • Select Save.

  • Click on the IAM Role Mapping tree branch.

    • Select New Entries.

      • Enter Sequence number: 010.

      • Enter Logical IAM role: TESTUSER.

      • Enter IAM Role ARN: enter the arn:aws: of the IAM role containing the TranslateReadOnly policy created in the previous step.

Step 4: Authorize SAP Users

SAP users are not authorized to use AWS functionality by default. The users must be explicitly authorized using SAP authorizations.

Create a PFCG role

  • Go to transaction PFCG

  • Enter the role name ZAWS_SDK_DEMO_TESTUSER and select Create Single Role.

    • Description: Role for demo AWS SDK functionality.

    • Go to the Authorizations tab.

    • Select Change Authorization Data and accept the informational pop-up.

    • At the Choose Template pop-up, select Do not select templates.

    • Select Add Manually from the toolbar.

    • Add the following authorization objects:

      • /AWS1/LROL

      • /AWS1/SESS

    • In the authorization tree, enter:

      • Profile for accessing AWS APIs: DEMO

      • Logical IAM Role: TESTUSER

    • Select Save.

    • Select Generate.

    • Select Back.

    • Select Save to save the role.

Assign the PFCG role to SAP users

Any user who has the ZAWS_SDK_DEMO_TESTUSER role assigned will be authorized to use AWS SDK functions with the settings configured in DEMO SDK profile. The authorized user will also assume the IAM role mapped to the TESTUSER logical IAM role in that profile.

  • Run transaction SU01.

    • Enter the user ID of an SAP user who will be testing AWS SDK functionality.

    • Select Change.

    • Go to the Roles tab and assign ZAWS_SDK_DEMO_TESTUSER role to the user.

    • Select Save.

Step 5: Write the code

  • Open transaction SE38.

    • Enter ZDEMO_TRANSLATE_HELLO_WORLD as the program name.

    • Select Create.

    • Enter AWS SDK Hello World In Any Language as the title.

    • Type: choose Executable Program.

    • Status: choose Test Program.

    • Select Save.

    • Save the program as a Local Object.

Add the following code.

*&---------------------------------------------------------------------* *& Report  ZAWS1_DEMO_XL8_SIMPLE *& *&---------------------------------------------------------------------* *& A simple demo of language translation with AWS Translate *& *&---------------------------------------------------------------------* REPORT zaws1_demo_xl8_simple. START-OF-SELECTION.   PARAMETERS pv_text TYPE /aws1/xl8boundedlengthstring DEFAULT 'Hello, World' OBLIGATORY.   PARAMETERS pv_lang1 TYPE languageiso DEFAULT 'EN' OBLIGATORY.   PARAMETERS pv_lang2 TYPE languageiso DEFAULT 'ES' OBLIGATORY.   TRY.       DATA(go_session) = /aws1/cl_rt_session_aws=>create( 'DEMO' ).       DATA(go_xl8)     = /aws1/cl_xl8_factory=>create( go_session ).       DATA(lo_output) = go_xl8->translatetext(            iv_text               = pv_text            iv_sourcelanguagecode = CONV /aws1/xl8languagecodestring( pv_lang1 )            iv_targetlanguagecode = CONV /aws1/xl8languagecodestring( pv_lang2 )       ).       WRITE: / 'Source Phrase: ', pv_text.       WRITE: / 'Target Phrase: ', lo_output->get_translatedtext( ).     CATCH /aws1/cx_xl8unsuppedlanguage00 INTO DATA(lo_lang).       WRITE: / 'ERROR' COLOR COL_NEGATIVE,                'Cannot translate from',                lo_lang->sourcelanguagecode,                'to',                lo_lang->targetlanguagecode.     CATCH cx_root INTO DATA(lo_root).       WRITE: / 'ERROR' COLOR COL_NEGATIVE, lo_root->get_text( ).   ENDTRY.

Step 6: Run the application

Run the application in SE38. If successful, the following will be your output.

Source Phrase: Hello, World Target Phrase: Hola, mundo

If you are missing authorizations, configuration, or Basis prerequisites, you might get an error message. See the following example.

ERROR Could not find configuration under profile DEMO with scenario DEFAULT for SBX:001

If your SAP role authorizes you to use an SDK profile and map it to a logical IAM role while your IAM permissions are not configured for the SAP system to assume the IAM role, the following will be your output.

ERROR Could not assume role arn:aws:iam::111122223333:role/SapDemoTranslate

In this case, review your IAM permissions and trust configuration on the IAM roles, users, or both defined in Step 1: Prepare your AWS account.