Accessing SAP Credential Store using Basic Authentication


Introduction

In this blog post, I will show you how to access and retrieve credentials stored in the SAP Credential Store using Python. This method is especially useful for securely managing API keys, passwords, and other sensitive information in your applications running on SAP Business Technology Platform (BTP).

What Is SAP Credential Store?

The SAP Credential Store is a centralized repository where applications on SAP BTP can securely store and retrieve sensitive credentials like passwords, keys, and keyrings. These credentials are isolated by namespaces for enhanced security and management.

Setting up the Credential Store in Your BTP Trial Account

Go to your SAP BTP sub-account -> Instances and Subscriptions.

Click Next.

Click Create.

Click on “View Dashboard”.

The SAP Credential Store segregates data logically by namespaces. Click on Create Namespace to start setting up your environment.

Select the password type for this example, although other credential types are available depending on your needs.

To deploy a basic Python app in Cloud Foundry, refer to the blog “Integrating a Python App with SAP BAS”.

Now, let’s bind the credential store to an application called summary.


Navigate to the app -> Environment Variables

The VCAP_SERVICES environment variable holds essential configuration details for your credential store instance, including:

URL: The REST API endpoint for SAP Credential Store.
Username and Password: For basic authentication.
Client Private Key: Used to decrypt the response payload.

 

 

{
  "VCAP_SERVICES": {
    "credstore": [
      {
        "label": "credstore",
        "provider": null,
        "plan": "trial",
        "name": "trial-cred",
        "tags": [
          "credstore",
          "securestore",
          "keystore",
          "credentials"
        ],
        "instance_guid": "0068a9eb-d4b5-4570-a7c8-fce5163eb95f",
        "instance_name": "trial-cred",
        "binding_guid": "630c1232-556c-442b-87a0-69400ffc36e2",
        "binding_name": null,
        "credentials": {
          "password": "",
          "expires_at": "2025-01-01T11:26:23.5Z",
          "encryption": {
            "client_private_key": "",
            "server_public_key": ""
          },
          "parameters": {
            "authorization": {
              "default_permissions": [
                "create",
                "decrypt",
                "delete",
                "encrypt",
                "info",
                "list",
                "namespaces",
                "read",
                "update"
              ]
            },
            "encryption": {
              "payload": "enabled",
              "key": {
                "size": 3072
              }
            },
            "authentication": {
              "type": "basic"
            },
            "access_policy": {
              "creds_api": "public",
              "token_api": "public",
              "kms_api": "public",
              "encryption_api": "public"
            }
          },
          "url": "https://credstore.cfapps.us10.hana.ondemand.com/api/v1/credentials",
          "username": ""
        },
        "syslog_drain_url": null,
        "volume_mounts": []
      }
    ]
  }
}
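An added example, not part of the original post: a standard-library check of the binding shown above before the app relies on it, covering HTTPS, payload encryption, expiry and least privilege. The function names, the sample values and the assumption that a read-only app needs just the "read" permission are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the binding above; all secrets are placeholders.
SAMPLE_VCAP = json.dumps({"credstore": [{"name": "trial-cred", "credentials": {
    "url": "https://credstore.example.invalid/api/v1/credentials",
    "username": "placeholder-user", "password": "placeholder-pass",
    "expires_at": "2025-01-01T11:26:23.5Z",
    "encryption": {"client_private_key": "placeholder", "server_public_key": "placeholder"},
    "parameters": {
        "authorization": {"default_permissions": [
            "create", "decrypt", "delete", "encrypt", "info",
            "list", "namespaces", "read", "update"]},
        "encryption": {"payload": "enabled"},
        "authentication": {"type": "basic"}}}}]})


def parse_expiry(ts):
    """Parse expires_at (UTC, optional fractional seconds) into an aware datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def audit_binding(vcap_json, needed, now):
    """Return findings for the first credstore binding in a VCAP_SERVICES value."""
    creds = json.loads(vcap_json)["credstore"][0]["credentials"]
    params = creds.get("parameters", {})
    findings = []
    if not creds.get("url", "").startswith("https://"):
        findings.append("url is not https; basic-auth credentials need TLS")
    if params.get("encryption", {}).get("payload") != "enabled":
        findings.append("payload encryption is not enabled")
    for field in ("username", "password"):
        if not creds.get(field):
            findings.append(f"missing {field}")
    if not creds.get("encryption", {}).get("client_private_key"):
        findings.append("missing client_private_key")
    expires = creds.get("expires_at")
    if expires and parse_expiry(expires) <= now:
        findings.append(f"binding credentials expired at {expires}")
    granted = set(params.get("authorization", {}).get("default_permissions", []))
    extra = sorted(granted - set(needed))
    if extra:
        findings.append("permissions not needed by this app: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for finding in audit_binding(SAMPLE_VCAP, {"read"}, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```

Run it at application start-up and refuse to call the Credential Store when the list is not empty or contains anything other than findings you have accepted.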

 

 

Python Code to Access the Credential Storage API

SAP Credential Store provides a RESTful API to create, read, and delete credentials. In this example, we’ll retrieve an API key for a weather service stored in the credential store and use it to access a sample weather API.
Code:

 

 

import json
import os

import requests
from dotenv import load_dotenv
from jwcrypto import jwe, jwk

# Load VCAP_SERVICES from a local .env file when running outside Cloud Foundry
load_dotenv()

namespace = "PasswordHub"
name = "Password"

# The namespace goes in a request header, the credential name in a query parameter
cred_headers = {
    "sapcp-credstore-namespace": namespace
}

cred_params = {
    "name": name
}

vcap_services = os.getenv('VCAP_SERVICES')
if vcap_services:
    binding = json.loads(vcap_services)['credstore'][0]['credentials']
    # Basic authentication with the username and password from the binding
    response = requests.get(url=f"{binding['url']}/password", headers=cred_headers, params=cred_params,
                            auth=(binding['username'], binding['password']), timeout=30)
    response.raise_for_status()
    # Wrap the key body from the binding in PEM header and footer lines
    private_key_pem = f"-----BEGIN PRIVATE KEY-----\n{binding['encryption']['client_private_key']}\n-----END PRIVATE KEY-----"
    private_key = jwk.JWK.from_pem(private_key_pem.encode('utf-8'))
    # Do not print or log the key object
    # The response body is a JWE token; decrypt it with the client private key
    jwetoken = jwe.JWE()
    jwetoken.deserialize(response.text, key=private_key)
    resp = jwetoken.payload.decode('utf-8')
    json_payload = json.loads(resp)
    api_key_val = json_payload['value']
    print(f"Password stored in credential store for {cred_params['name']} is :-", api_key_val)

 

Requirements:

python-dotenv
jwcrypto
requests

Reference Link:

SAP Credential Store 
Credential Management (Example: NodeJs)