Access Google Cloud Storage (GCS) using Workload Identity Federation (WIF) in SAP Integration Suite


The beginning

A Google Cloud Storage (hereafter referred to as GCS) bucket can be accessed using the GCS sender or GCS receiver adapter in SAP Integration Suite. SAP has already published a blog on this topic. Additionally, SAP provides good documentation in the standard package ‘Google Cloud Storage Adapter for SAP Integration Suite’, which you can find in Discover -> Integrations.

Even after so much is detailed in the articles above, I struggled a lot to get my first iFlow working. I am writing this blog to share what I learned on this journey so that you do not have to go through the same struggle.

I recommend that everyone go through both (the blog and the adapter documentation) if you want to use the GCS adapter in Integration Suite.

 

Accessing the GCS bucket using Postman:

As an integration developer, I was required to develop an interface that polls a GCS bucket and sends the files from this bucket to the receiver application. The owner of the bucket had given me all the details with which I could access the bucket contents using the Postman application. Now I only needed to translate the details I use in Postman to the GCS sender adapter.

Here are the steps I needed to access a GCS bucket using Workload Identity Federation (hereafter referred to as WIF) authentication.

1. Generate a subject token using Entra ID

2. Generate a WIF token using subject token

3. Generate a service account token using WIF token (only if you use service account impersonation)

4a. Get a list of objects (all files) in the bucket using service account token

4b. Get the file (only one at a time) by making a get call to the mediaLink corresponding to any file from step 4a

Note that steps 4a and 4b use the same service account token, which is generated in step 3.
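The token chain described above, written out as an added Python example (not code from the original post or from SAP's adapter). The tenant, pool, service account and bucket values are constructed placeholders, the Entra v2.0 client-credentials endpoint is an assumption about how the subject token is obtained, and `make_stub` is a hypothetical offline transport standing in for the real services.

```python
# Placeholders below are constructed for illustration, not values from the post.
TENANT = "TENANT_ID"
AUDIENCE = ("//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
            "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID")
SA_EMAIL = "reader@PROJECT_ID.iam.gserviceaccount.com"
SCOPE = "https://www.googleapis.com/auth/cloud-platform"
BUCKET = "example-bucket"

def fetch_first_object(send, client_id, client_secret, entra_scope):
    """Steps 1-4b. send(method, url, headers, body) returns parsed JSON or file bytes."""
    # 1. Subject token: Entra ID client-credentials grant (form-encoded on the wire).
    subject = send("POST", f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
                   {}, {"grant_type": "client_credentials", "client_id": client_id,
                        "client_secret": client_secret, "scope": entra_scope})["access_token"]
    # 2. WIF token: exchange the Entra JWT at Google STS (JSON body).
    wif = send("POST", "https://sts.googleapis.com/v1/token", {}, {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": subject, "audience": AUDIENCE, "scope": SCOPE})["access_token"]
    # 3. Service account token: impersonation, authorised by the WIF token.
    sa = send("POST", "https://iamcredentials.googleapis.com/v1/projects/-/"
              f"serviceAccounts/{SA_EMAIL}:generateAccessToken",
              {"Authorization": f"Bearer {wif}"}, {"scope": [SCOPE]})["accessToken"]
    auth = {"Authorization": f"Bearer {sa}"}
    # 4a. List objects; an empty bucket returns no "items" key.
    listing = send("GET", f"https://storage.googleapis.com/storage/v1/b/{BUCKET}/o", auth, None)
    items = listing.get("items", [])
    if not items:
        return None
    # 4b. Download one file via its mediaLink, reusing the same token as 4a.
    return send("GET", items[0]["mediaLink"], auth, None)

def make_stub(log, empty=False):
    """Constructed canned responses standing in for Entra ID, STS, IAM and GCS."""
    link = f"https://storage.googleapis.com/download/storage/v1/b/{BUCKET}/o/a.csv?alt=media"
    def send(method, url, headers, body):
        log.append((method, url, headers.get("Authorization")))
        if "login.microsoftonline.com" in url:
            return {"access_token": "SUBJECT.JWT"}
        if "sts.googleapis.com" in url:
            return {"access_token": "WIF_TOKEN" if body["subjectToken"] == "SUBJECT.JWT" else ""}
        if "iamcredentials" in url:
            return {"accessToken": "SA_TOKEN"}
        if url.endswith("/o"):
            return {} if empty else {"items": [{"name": "a.csv", "mediaLink": link}]}
        return b"col1,col2\n"
    return send
```

Each hop narrows what the caller holds: the Entra JWT is only ever sent to STS, the WIF token only to the IAM credentials endpoint, and only the short-lived service account token reaches the storage API.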

 

 

How to configure the GCS sender adapter

Connection:

Now compare every field from the first five screenshots and try to understand how they are configured in the sender adapter (in the screenshot above). Here are additional details about every important (and confusing) field on this configuration page.

1. Address: if you are trying to access a bucket which is internal to your organization, there are two most important things:

a. Use proxy type On-Premise. This requires the cloud connector configuration:

b. The address entered on the GCS sender adapter must be http://<Virtual Host>:<Virtual Port>. Very important: it cannot be https.

2. Microsoft Entra ID Credentials name: Mention the credentials that you created in security material. An important thing to note here: as of today, the adapter (version 1.1.0) can only be used when you want to use Entra authentication, not otherwise. Sample as below:

3. STS options: Before you write anything here, note that the part of the body with keys grantType, requestedTokenType and subjectTokenType (refer to the second screenshot) is populated by the adapter itself, so you may have to leave this parameter empty.

Processing:

1. Bucket name: just mention the bucket name

2. Query parameters: you can leave it empty as &alt=media is populated by the adapter itself

 

Sample iFlow: File transfer from a GCS Bucket to a File server 

Here is the simplest iFlow to pick up the files from a GCS bucket and send them to a file server using SFTP.

The important part of this iFlow is a Groovy script. This script sets a file name concatenated with a timestamp in a property FileName. This property can later be used in the SFTP adapter to set the name of the file on the file server. Refer to the attachment for a sample script.

 

Conclusion:

By understanding how to configure the GCS adapter, you can make SAP Integration Suite communicate with Google Cloud Storage and streamline your file transfer processes. This is quite a robust and futuristic way of securely exchanging files between two entirely different applications.

 
