Skip to content

Instantly share code, notes, and snippets.

@ptesny

ptesny/SAP Cloud Management service.md

Last active May 20, 2024 07:50
Show Gist options
  • Save ptesny/5a4d36b3a703b48301d1ed4f44356a24 to your computer and use it in GitHub Desktop.
Save ptesny/5a4d36b3a703b48301d1ed4f44356a24 to your computer and use it in GitHub Desktop.
Download ZIP
SAP BTP easy peasy lemon squeezy with BTP core services.
Raw
SAP Cloud Management service.md

SAP BTP easy peasy lemon squeezy with BTP core services.

image SAP BTP playground

This is a companion gist to On the lookout with SAP BTP Core services. Cis patrol | SAP Blogs.

Let's assume, we are already signed up to a SAP BTP trial account - our SAP BTP playground - and ready to be on the lookout with SAP BTP Core services.

Let's assume there are two sub-accounts in the SAP BTP trial global account (GA), for instance:

A trial subaccount is the default one that was created when we signed up to a SAP BTP trial. The advantage of it is that it already has all the BTP services entitled, including cis service with the local plan. 

We shall be also leveraging a built-in destination service and will create subaccount level destinations towards the cis service business targets. 

Last but not least, we shall subscribe to a SAP Workzone application.
The SAP Workzone subscription brings SAP managed approuter into the context of our BTP sub-account.
And a managed approuter features a built-in dynamic_dest route which allows to call into subaccount level destinations without a single line of code.

Let's see how...

SAP Cloud Management Service (cis). 

image SAP Cloud Management Service is the main service with th SAP BTP core services, exposing the following business services endpoints:

"cis central ": {
        "account_context_service_url": "https://account-context-service.cfapps.eu10.hana.ondemand.com",
        "accounts_service_url": "https://accounts-service.cfapps.eu10.hana.ondemand.com",
        "cloud_automation_url": "https://cp-formations.cfapps.eu10.hana.ondemand.com",
        "entitlements_service_url": "https://entitlements-service.cfapps.eu10.hana.ondemand.com",
} 

"cis local ": {
        "events_service_url": "https://events-service.cfapps.us10.hana.ondemand.com",
        "metadata_service_url": "https://metadata-service.cfapps.us10.hana.ondemand.com",
        "order_processing_url": "https://order-processing.cfapps.eu10.hana.ondemand.com",
        "provisioning_service_url": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
        "saas_registry_service_url": "https://saas-manager.cfapps.us10.hana.ondemand.com"
}

Each endpoint offers access to a built-in swagger editor to help rehearse and test the APIs.
For instance,  by appending /api to provisioning_service_url we can get access to the provisioning service APIs.

Good to know:

Table of Contents
  1. get access to your BTP account/subaccount with btp CLI
    1. add relevant service plans to your subaccount entitlements (optional).
    2. create SAP Cloud Management service (cis) service instance and binding.
  2. create SAP Destination definition from SAP Cloud Management binding.
    1. retrieve the cis service `credentials` from the binding data.
    2. create destination definitions payload with cis-local service credentials.
    3. create destinations on subaccount level
    4. create SAP Workzone application subscription.
  3. SAP Provisioning service
    1. get SAP Provisioning service access token.
    2. access SAP Provisioning service APIs with a built-in swagger ui.
    3. access SAP Provisioning service APIs via a dynamic_dest route.
  4. Documentation.

1. get access to your BTP account/subaccount with btp CLI

btp login --sso
SAP BTP command line interface (client v2.61.0)

CLI server URL [https://cli.btp.cloud.sap]> 
Connecting to CLI server at https://cli.btp.cloud.sap...

Server certificate subject: CN=cli.btp.cloud.sap,O=SAP SE,L=Walldorf,ST=Baden-Württemberg,C=DE
Server certificate fingerprint: ***

Successfully opened: https://cli.btp.cloud.sap/login/v2.61.0/browser/***
Please continue login in your web browser (or use Ctrl+C to abort).

Authentication successful

Current target:
 kyma-adoption (global account, subdomain: quovadis-anywhere)
  └─ quovadis-kyma (subaccount, ID: cc2929d6-****)

We stored your configuration file at: ~Library/Application Support/.btp/config.json

Tips:
    Commands are executed in the target, unless specified otherwise using a parameter. To change the target, use 'btp target'.
    To provide feedback about the btp CLI, use 'btp feedback' to open our survey.

With btp target one can set the target subaccount in the global account. Subsequently, the --subaccount parameter can be omitted from most of the btp CLI commands.

1.1 add relevant service plans to your subaccount entitlements (optional)

This is optional, if using a default trial subaccount with SAP BTP trial global account. However, this may be required with a newly created subaccount/directory, namely: 
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service cis --plan local --enable
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service SAPLaunchpad --plan free --enable
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service SAPLaunchpad --plan standard --enable

Good to know:

  • cis service local plan and SAPLaunchpad standard plan are subscriptions, thus one needs to enable them
  • destination service lite plan is a quota-based service, thus one needs to increase the service instances amount
  • please refer to SAP Cloud Management Service - Service Plans | SAP Help for further details on cis service plans.

1.2 create SAP Cloud Management service (cis) service instance and binding with client credentials.

Let's create a cis-local service instance and the service binding with client credentials using the btp CLI with the following instance creation parameter, namely:

{
    "grantType": "clientCredentials"
}

Failure to do so will result in Password grant type.

Good to know:

btp create services/instance --offering-name cis --plan-name local --name cis-local --parameters cis-param.json
btp create services/binding --name cis-local-binding --instance-name cis-local

and then, let's retrieve the cis-local service binding metadata, as follows:
btp get services/binding --name cis-local-binding

2. create SAP Destination definition from SAP Cloud Management binding data

There is no intrinsic BTP CLI command to help create a destination definition directly from a service binding.

However, this is still doable with a wee bit of a jq gimmick.
Let's see how...

2.1 retrieve the cis service `credentials` from the binding data

Retrieve the cis service `credentials` from the binding data, for instance: 
{
  "credentials": {
    "endpoints": {
      "account_context_service_url": "https://account-context-service.cfapps.eu10.hana.ondemand.com",
      "accounts_service_url": "https://accounts-service.cfapps.eu10.hana.ondemand.com",
      "cloud_automation_url": "https://cp-formations.cfapps.eu10.hana.ondemand.com",
      "entitlements_service_url": "https://entitlements-service.cfapps.eu10.hana.ondemand.com",
      "events_service_url": "https://events-service.cfapps.us10.hana.ondemand.com",
      "metadata_service_url": "https://metadata-service.cfapps.us10.hana.ondemand.com",
      "order_processing_url": "https://order-processing.cfapps.eu10.hana.ondemand.com",
      "provisioning_service_url": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
      "saas_registry_service_url": "https://saas-manager.cfapps.us10.hana.ondemand.com"
    },
    "grant_type": "client_credentials",
    "sap.cloud.service": "com.sap.core.commercial.service.local",
    "uaa": {
      "clientid": "***",
      "clientsecret": "***",
      "credential-type": "binding-secret",

      "url": "https://<subdomain>.authentication.us10.hana.ondemand.com",

    }
  }
}

Subsequently, one can create subaccount level destination(s) with the cis-local service credentials.

2.2 create destination definitions with cis-local service credentials

In order create a destination definition, let's map the following cis-local service credentials (on the right) into destination parameters (on the left):

{
  Authentication: credentials.grant_type === 'client_credentials' ? 'OAuth2ClientCredentials' : 'BasicAuthentication' 
  tokenServiceURL: 'credentials.uaa.url' + '/oauth/token'
  clientId: 'credentials.uaa.clientid'
  clientSecret: 'credentials.uaa.clientsecret' 
  URL: 'credentials.endpoints.provisioning_service_url'  
}

Then, let's apply these parameters to a destination definition template, as follows:

dest-param.json

{
    "init_data": {
        "subaccount": {
            "destinations": [
                  {
                    "Description": "cis-httpbin",
                    "Type": "HTTP",
                    "clientId": "***",
                    "HTML5.DynamicDestination": "true",
                    "HTML5.Timeout": "60000",
                    "Authentication": "OAuth2ClientCredentials",
                    "Name": "cis-httpbin",
                    "tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
                    "ProxyType": "Internet",
                    "URL": "https://httpbin.org",
                    "tokenServiceURLType": "Dedicated",
                    "clientSecret": "***"
                  },
                  {
                    "Description": "SAP Cloud Management Service APIs",
                    "Type": "HTTP",
                    "clientId": "***",
                    "HTML5.DynamicDestination": "true",
                    "HTML5.Timeout": "60000",
                    "Authentication": "OAuth2ClientCredentials",
                    "Name": "saas-manager",
                    "tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
                    "ProxyType": "Internet",
                    "URL": "https://saas-manager.cfapps.us10.hana.ondemand.com",
                    "tokenServiceURLType": "Dedicated",
                    "clientSecret": "***"
                  },        
		  {
                    "Description": "SAP Cloud Management Service APIs",
                    "Type": "HTTP",
                    "clientId": "***",
                    "HTML5.DynamicDestination": "true",
                    "HTML5.Timeout": "60000",
                    "Authentication": "OAuth2ClientCredentials",
                    "Name": "provisioning-service",
                    "tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
                    "ProxyType": "Internet",
                    "URL": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
                    "tokenServiceURLType": "Dedicated",
                    "clientSecret": "***"
                  }        
            ],
           "certificates": [
           ],
            "existing_certificates_policy": "update",
            "existing_destinations_policy": "update"           
       }
   }
}

As aforementioned, this is doable with a wee bit of a jq gimmick.

2.3 create/update destinations on subaccount level

Let'apply the above destinations definitions to a destination service instance, as follows:

btp create services/instance --offering-name destination --plan-name lite --name dest-local --parameters dest-param.json

Subsequently, new definitions can be added or the existing ones updated/deleted at will, namely:

btp update services/instance --name dest-local --parameters dest-param.json

Good to know:

  • the size of a dest-param.json file cannot exceed 8192 bytes

2.4 enable SAP Workzone (SWZ) application subscription

As aforementioned, a SAP Workzone subscription brings SAP managed approuter into the context of our BTP sub-account.
And a managed approuter features a built-in dynamic_dest route which allows to call into subaccount level destinations without a single line of code.

  • choose a SWZ free plan if available
    btp subscribe accounts/subaccount --subaccount cc2929d6-*** --to-app SAPLaunchpad --plan free

  • otherwise you may want to choose the SZW standard plan
    btp subscribe accounts/subaccount --subaccount cc2929d6-*** --to-app SAPLaunchpad --plan standard

3. SAP Provisioning service.

The Provisioning service manages the provisioning of environment instances, multitenant application subscriptions, and services for subaccounts in their corresponding region. Provisioning is executed after validation by the relevant Entitlement service.

3.1 get SAP Provisioning service access token.

Let's use the cis-httpbin destination as follows:

https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/cis-httpbin/bearer

{
  "authenticated": true, 
  "token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vODVhM2IzM2N0cmlhbC5hdXRoZW50aWNhdGlvbi51czEwLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCp5YGS4hoUBZt4PDPSqOmlG-FwFyPkVyQAig3AV6aNzAMe4kkPAgdcRSfBctScTZ7UX-OHbr9LZGqETOsbeErcplXO34nqk9DMGJeN1mKR1kK5VHE7ug"
}

or

https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/cis-httpbin/headers

{
  "headers": {
    "Authorization": "Bearer eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vODVhM2IzM2N0cmlhbC5hdXRoZW50aWNhdGlvbi51czEwLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCp5YGS4hoUBZt4PDPSqOmlG-FwFyPkVyQAig3AV6aNzAMe4kkPAgdcRSfBctScTZ7UX-OHbr9LZGqETOsbeErcplXO34nqk9DMGJeN1mKR1kK5VHE7ug",
}

3.2 access SAP Provisioning service APIs with a built-in swagger ui.

Subsequently, one can use the bearer access token with the built-in API editor by appending \api to credentials.endpoints.provisioning_service_url, namely:

3.3 access SAP Provisioning service APIs via a dynamic_dest route.

Last but not least, one can use the provisioning-service destination by appending the required API endpoint and providing the required parameters if applicable, for instance:

https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/provisioning-service/provisioning/v1/environments

4. Documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment