This is documentation for the developer preview release of AWS SDK for SAP ABAP. Do not use it in production as it is subject to breaking changes.
Getting started with AWS SDK for SAP ABAP
This section describes how to get started with AWS SDK for SAP ABAP. It includes information about installing the SDK, performing basic configuration, and creating a "Hello world" code example that translates a phrase from one language to another. If you are new to AWS SDK, we recommend performing these steps in a sandbox system.
Steps
Step 1: Prepare your AWS account
Before you begin this tutorial, you must have an active AWS account. You need an AWS account even if your SAP system is hosted on-premises or with another cloud provider.
If your SAP system is running on AWS cloud, then you will be making calls to AWS services in your AWS account.
IAM role for SAP users
- Create an IAM role with the instructions provided in the AWS Identity and Access Management User Guide. For more information, see Creating a role to delegate permissions to an AWS service. Note the ARN of the IAM role for later use.
  - Select Amazon EC2 as the use case.
  - Use SapDemoTranslate as the name of the role.
  - Attach TranslateReadOnly profile to the role.
  - The role must have the following entities to enable the SAP system to assume the role. Replace "111122223333" with your AWS account number.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Principal": {
            "AWS": "111122223333"
          }
        }
      ]
    }

    Here, any principal from the AWS account "111122223333" can assume the role. This is a broad permission that is suitable for proof-of-concept. You can use a narrower principal for production, such as the following examples. For more details, see Best practices for IAM Security.
    - a specific user – when the SAP system is using SSF-encrypted credentials from an on-premises SAP system
    - a specific role – when the SAP system is on Amazon EC2 and there is an instance profile
    - Amazon EC2 – when the SAP system is on Amazon EC2 and there is no instance profile
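The narrowing described above, as an added example that is not part of the AWS documentation: a Python check that flags a trust policy whose AssumeRole principal is the whole account, then rewrites it with each of the three narrower principals. The IAM user ARN follows the page's SapDemoSID naming, and the instance role name ExampleSapInstanceRole is a hypothetical placeholder.

```python
import json

# Constructed sample: the proof-of-concept trust policy shown on this page.
BROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                   "Principal": {"AWS": "111122223333"}}],
}
# The three narrower principals listed above; the instance role name is hypothetical.
NARROW_PRINCIPALS = {
    "specific user": {"AWS": "arn:aws:iam::111122223333:user/SapDemoSID"},
    "specific role": {"AWS": "arn:aws:iam::111122223333:role/ExampleSapInstanceRole"},
    "Amazon EC2": {"Service": "ec2.amazonaws.com"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_account_wide(principal):
    """True for "*", a bare 12-digit account ID, or an account root ARN."""
    parts = principal.split(":")
    root_arn = len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam" and parts[5] == "root"
    return principal == "*" or (len(principal) == 12 and principal.isdigit()) or root_arn

def broad_principals(policy):
    """List account-wide principals that Allow statements let call sts:AssumeRole."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        findings += [p for p in aws if is_account_wide(p)]
    return findings

def narrow(policy, principal):
    """Return a copy of the policy whose Allow statements trust only `principal`."""
    narrowed = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in _as_list(narrowed["Statement"]):
        if stmt.get("Effect") == "Allow":
            stmt["Principal"] = principal
    return narrowed

if __name__ == "__main__":
    print("broad:", broad_principals(BROAD_TRUST_POLICY))
    for label, principal in NARROW_PRINCIPALS.items():
        fixed = narrow(BROAD_TRUST_POLICY, principal)
        print(label, json.dumps(fixed["Statement"][0]["Principal"]), broad_principals(fixed))
```

A bare account ID in the Principal element is equivalent to the account root ARN, which is why both forms are reported.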
Authentication
Authentication is dependent on where your SAP system is hosted.
On AWS cloud
Ensure that the Amazon EC2 instance on which your SAP system is running has an instance profile with the following permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/SapDemoTranslate"
    }
  ]
}

Add the ARN you noted in the previous step.
This permission enables your SAP system to assume the SapDemoTranslate role on behalf of the ABAP user.
On-premises or other cloud
- Create an IAM user. For more information, see Creating IAM users (console).
- Use SapDemoSID as the name of the IAM user. SID is the system ID of your SAP system.
- Assign SapDemoTranslate role to this user.
Note the access_key and secret_access_key. These credentials will need to be provided to the SAP administrator to be encrypted in the SAP system.
Step 2: Technical setup
This step consists of importing and configuring the transports.
Import
Import AWS SDK for SAP ABAP transports in your SAP system. The transports are client-independent and can be imported into any client.
Configure
Once the import is complete, run the /AWS1/IMG transaction to open the Implementation Guide for AWS SDK for SAP ABAP. To run this transaction, input /n/AWS1/IMG in the command bar of your SAP system and then select Enter.
- Go to Technical Prerequisites.
  - Review the recommended profile parameter and SSL certificate settings.
- Go to Global Settings → Configure Scenarios.
  - Change the settings as per the recommendations in Global settings.
- Go to Global Settings → Technical Settings.
  - Change the settings as per the recommendations in Global settings.
- Go to Runtime Settings → Log And Trace.
  - Select New Entries.
    - Trace level: No Trace.
    - Maximum Dump Lines: 100.
    - OPT-IN: enh telemetry: leave blank.
  - Select Save.
- Go to Runtime Settings → Active Scenario.
  - Under New Scenario, select DEFAULT.
  - Select Commit Scenario Change.
  - Accept the prompt.
Prerequisites for On-Premises Systems
If your SAP System is running on-premises or in another cloud, then the credentials must be stored in your SAP database. The credentials are encrypted using SAP SSF and require a configured cryptographic library, such as SAP’s CommonCryptoLib.
The steps for configuring SSF for AWS SDK for SAP ABAP are described in the /AWS1/IMG transaction.
Note
The preceding prerequisite does not apply if your SAP system is running on Amazon EC2. SAP systems running on Amazon EC2 retrieve short-lived, automatically rotating credentials from the Amazon EC2 instance metadata.
Step 3: Functional setup
Run transaction /AWS1/IMG (enter /n/AWS1/IMG in the command bar and select Enter) to open the implementation guide for AWS SDK.
- Go to Application Configuration → SDK Profile.
  - Select New Entries.
    - Profile: DEMO.
    - Description: Demo profile.
  - Select Save.
- Highlight the entry that you created and click on the Authentication And Settings tree branch.
  - Select New Entries.
    - SID: the system ID of the SAP system you are currently in.
    - Client: the client of the SAP system you are currently in.
    - Scenario ID: drop down to find the DEFAULT scenario created by your Basis administrator.
    - AWS region: enter the AWS Region you want to make calls to. If your SAP system is running in AWS, enter the AWS Region it is running in.
    - Authentication Method:
      - Select Instance Role via Metadata if your SAP system is running on Amazon EC2.
      - Select Credentials from SSF Storage if your SAP system is running on-premises or in another cloud.
        - Select Set Credentials.
        - Enter the Access Key ID and Secret Access Key you created in the previous step.
    - Leave Disable IAM roles blank.
  - Select Save.
- Click on the IAM Role Mapping tree branch.
  - Select New Entries.
    - Enter Sequence number: 010.
    - Enter Logical IAM role: TESTUSER.
    - Enter IAM Role ARN: enter the arn:aws: of the IAM role containing the TranslateReadOnly policy created in the previous step.
Step 4: Authorize SAP Users
SAP users are not authorized to use AWS functionality by default. The users must be explicitly authorized using SAP authorizations.
Create a PFCG role
- Go to transaction PFCG.
- Enter role name ZAWS_SDK_DEMO_TESTUSER and select Create Single Role.
- Description: Role for demo AWS SDK functionality.
- Go to the Authorizations tab.
- Select Change Authorization Data and accept the informational pop-up.
- At the Choose Template pop-up, select Do not select templates.
- Select Add Manually from the toolbar.
- Add the following authorization objects:
  - /AWS1/LROL
  - /AWS1/SESS
- In the authorization tree, enter:
  - Profile for accessing AWS APIs: DEMO
  - Logical IAM Role: TESTUSER
- Select Save.
- Select Generate.
- Select Back.
- Select Save to save the role.
Assign the PFCG role to SAP users
Any user who has the ZAWS_SDK_DEMO_TESTUSER role assigned will be authorized to use AWS SDK functions with the settings configured in DEMO SDK profile. The authorized user will also assume the IAM role mapped to the TESTUSER logical IAM role in that profile.
- Run transaction SU01.
- Enter the user ID of an SAP user who will be testing AWS SDK functionality.
- Select Change.
- Go to the Roles tab and assign ZAWS_SDK_DEMO_TESTUSER role to the user.
- Select Save.
Step 5: Write the code
- Open transaction SE38.
- Enter ZDEMO_TRANSLATE_HELLO_WORLD as the program name.
- Select Create.
- Enter AWS SDK Hello World In Any Language as the title.
- Type: choose Executable Program.
- Status: choose Test Program.
- Select Save.
- Save the program as a Local Object.
- Add the following code.

*&---------------------------------------------------------------------*
*& Report ZAWS1_DEMO_XL8_SIMPLE
*&
*&---------------------------------------------------------------------*
*& A simple demo of language translation with AWS Translate
*&
*&---------------------------------------------------------------------*
REPORT zaws1_demo_xl8_simple.

START-OF-SELECTION.
  PARAMETERS pv_text TYPE /aws1/xl8boundedlengthstring DEFAULT 'Hello, World' OBLIGATORY.
  PARAMETERS pv_lang1 TYPE languageiso DEFAULT 'EN' OBLIGATORY.
  PARAMETERS pv_lang2 TYPE languageiso DEFAULT 'ES' OBLIGATORY.

  TRY.
      DATA(go_session) = /aws1/cl_rt_session_aws=>create( 'DEMO' ).
      DATA(go_xl8)     = /aws1/cl_xl8_factory=>create( go_session ).
      DATA(lo_output)  = go_xl8->translatetext(
        iv_text               = pv_text
        iv_sourcelanguagecode = CONV /aws1/xl8languagecodestring( pv_lang1 )
        iv_targetlanguagecode = CONV /aws1/xl8languagecodestring( pv_lang2 )
      ).
      WRITE: / 'Source Phrase: ', pv_text.
      WRITE: / 'Target Phrase: ', lo_output->get_translatedtext( ).
    CATCH /aws1/cx_xl8unsuppedlanguage00 INTO DATA(lo_lang).
      WRITE: / 'ERROR' COLOR COL_NEGATIVE,
               'Cannot translate from',
               lo_lang->sourcelanguagecode,
               'to',
               lo_lang->targetlanguagecode.
    CATCH cx_root INTO DATA(lo_root).
      WRITE: / 'ERROR' COLOR COL_NEGATIVE, lo_root->get_text( ).
  ENDTRY.

Step 6: Run the application
Run the application in SE38. If successful, the following will be your output.
Source Phrase: Hello, World
Target Phrase: Hola, mundo
If you are missing authorizations, configuration, or Basis prerequisites, you might get an error message. See the following example.
ERROR Could not find configuration under profile DEMO with scenario DEFAULT for SBX:001
If your SAP role authorizes you to use an SDK profile and be mapped to a logical IAM role while your IAM permissions are not configured for the SAP system to assume the IAM role, the following will be your output.
ERROR Could not assume role arn:aws:iam::111122223333:role/SapDemoTranslate
In this case, review your IAM permissions and trust configuration on the IAM roles and/or users defined in Step 1: Prepare your AWS account.