This is a companion gist to On the lookout with SAP BTP Core services. Cis patrol | SAP Blogs.
Let's assume we have already signed up for a SAP BTP trial account - our SAP BTP playground - and are ready to be on the lookout with SAP BTP Core services.
Let's assume there are two sub-accounts in the SAP BTP trial global account (GA), for instance:
A trial subaccount is the default one that was created when we signed up to a SAP BTP trial. The advantage of it is that it already has all the BTP services entitled, including cis service with the local plan.
We shall also be leveraging a built-in destination service and will create subaccount-level destinations towards the cis service business targets.
Last but not least, we shall subscribe to a SAP Workzone application.
The SAP Workzone subscription brings SAP managed approuter into the context of our BTP sub-account.
And a managed approuter features a built-in dynamic_dest route, which allows calling into subaccount-level destinations without a single line of code.
Let's see how...
SAP Cloud Management Service is the main service within the SAP BTP core services, exposing the following business service endpoints:
{
"cis central": {
"account_context_service_url": "https://account-context-service.cfapps.eu10.hana.ondemand.com",
"accounts_service_url": "https://accounts-service.cfapps.eu10.hana.ondemand.com",
"cloud_automation_url": "https://cp-formations.cfapps.eu10.hana.ondemand.com",
"entitlements_service_url": "https://entitlements-service.cfapps.eu10.hana.ondemand.com"
},
"cis local": {
"events_service_url": "https://events-service.cfapps.us10.hana.ondemand.com",
"metadata_service_url": "https://metadata-service.cfapps.us10.hana.ondemand.com",
"order_processing_url": "https://order-processing.cfapps.eu10.hana.ondemand.com",
"provisioning_service_url": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
"saas_registry_service_url": "https://saas-manager.cfapps.us10.hana.ondemand.com"
}
}
Each endpoint offers access to a built-in swagger editor to help rehearse and test the APIs.
For instance, by appending /api to provisioning_service_url we can get access to the provisioning service APIs.
Good to know:
- These APIs are also available for testing on the API Business Accelerator Hub
btp login --sso
SAP BTP command line interface (client v2.61.0)
CLI server URL [https://cli.btp.cloud.sap]>
Connecting to CLI server at https://cli.btp.cloud.sap...
Server certificate subject: CN=cli.btp.cloud.sap,O=SAP SE,L=Walldorf,ST=Baden-Württemberg,C=DE
Server certificate fingerprint: ***
Successfully opened: https://cli.btp.cloud.sap/login/v2.61.0/browser/***
Please continue login in your web browser (or use Ctrl+C to abort).
Authentication successful
Current target:
kyma-adoption (global account, subdomain: quovadis-anywhere)
└─ quovadis-kyma (subaccount, ID: cc2929d6-****)
We stored your configuration file at: ~Library/Application Support/.btp/config.json
Tips:
Commands are executed in the target, unless specified otherwise using a parameter. To change the target, use 'btp target'.
To provide feedback about the btp CLI, use 'btp feedback' to open our survey.
With btp target one can set the target subaccount in the global account. Subsequently, the --subaccount parameter can be omitted from most of the btp CLI commands.
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service cis --plan local --enable
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service SAPLaunchpad --plan free --enable
btp assign accounts/entitlement --to-subaccount cc2929d6-*** --for-service SAPLaunchpad --plan standard --enable
Good to know:
- cis service local plan and SAPLaunchpad standard plan are subscriptions, thus one needs to enable them
- destination service lite plan is a quota-based service, thus one needs to increase the service instances amount
- please refer to SAP Cloud Management Service - Service Plans | SAP Help for further details on cis service plans.
Let's create a cis-local service instance and the service binding with client credentials using the btp CLI with the following instance creation parameter, namely:
{
"grantType": "clientCredentials"
}
Failure to do so will result in the Password grant type.
Good to know:
- The clientCredentials grant type is required for system-to-system communication and pipeline automation.
- Please refer to Getting an Access Token for SAP Cloud Management Service APIs | SAP Help for further details.
btp create services/instance --offering-name cis --plan-name local --name cis-local --parameters cis-param.json
btp create services/binding --name cis-local-binding --instance-name cis-local
and then, let's retrieve the cis-local service binding metadata, as follows:
btp get services/binding --name cis-local-binding
However, this is still doable with a wee bit of a jq gimmick.
Let's see how...
{
"credentials": {
"endpoints": {
"account_context_service_url": "https://account-context-service.cfapps.eu10.hana.ondemand.com",
"accounts_service_url": "https://accounts-service.cfapps.eu10.hana.ondemand.com",
"cloud_automation_url": "https://cp-formations.cfapps.eu10.hana.ondemand.com",
"entitlements_service_url": "https://entitlements-service.cfapps.eu10.hana.ondemand.com",
"events_service_url": "https://events-service.cfapps.us10.hana.ondemand.com",
"metadata_service_url": "https://metadata-service.cfapps.us10.hana.ondemand.com",
"order_processing_url": "https://order-processing.cfapps.eu10.hana.ondemand.com",
"provisioning_service_url": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
"saas_registry_service_url": "https://saas-manager.cfapps.us10.hana.ondemand.com"
},
"grant_type": "client_credentials",
"sap.cloud.service": "com.sap.core.commercial.service.local",
"uaa": {
"clientid": "***",
"clientsecret": "***",
"credential-type": "binding-secret",
"url": "https://<subdomain>.authentication.us10.hana.ondemand.com"
}
}
}
Subsequently, one can create subaccount level destination(s) with the cis-local service credentials.
In order to create a destination definition, let's map the following cis-local service credentials (on the right) into destination parameters (on the left):
// destination parameter (left) <- cis-local binding credential (right)
const destination = {
  Authentication: credentials.grant_type === 'client_credentials' ? 'OAuth2ClientCredentials' : 'BasicAuthentication',
  tokenServiceURL: credentials.uaa.url + '/oauth/token',
  clientId: credentials.uaa.clientid,
  clientSecret: credentials.uaa.clientsecret,
  URL: credentials.endpoints.provisioning_service_url
};
Then, let's apply these parameters to a destination definition template, as follows:
{
"init_data": {
"subaccount": {
"destinations": [
{
"Description": "cis-httpbin",
"Type": "HTTP",
"clientId": "***",
"HTML5.DynamicDestination": "true",
"HTML5.Timeout": "60000",
"Authentication": "OAuth2ClientCredentials",
"Name": "cis-httpbin",
"tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
"ProxyType": "Internet",
"URL": "https://httpbin.org",
"tokenServiceURLType": "Dedicated",
"clientSecret": "***"
},
{
"Description": "SAP Cloud Management Service APIs",
"Type": "HTTP",
"clientId": "***",
"HTML5.DynamicDestination": "true",
"HTML5.Timeout": "60000",
"Authentication": "OAuth2ClientCredentials",
"Name": "saas-manager",
"tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
"ProxyType": "Internet",
"URL": "https://saas-manager.cfapps.us10.hana.ondemand.com",
"tokenServiceURLType": "Dedicated",
"clientSecret": "***"
},
{
"Description": "SAP Cloud Management Service APIs",
"Type": "HTTP",
"clientId": "***",
"HTML5.DynamicDestination": "true",
"HTML5.Timeout": "60000",
"Authentication": "OAuth2ClientCredentials",
"Name": "provisioning-service",
"tokenServiceURL": "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
"ProxyType": "Internet",
"URL": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
"tokenServiceURLType": "Dedicated",
"clientSecret": "***"
}
],
"certificates": [
],
"existing_certificates_policy": "update",
"existing_destinations_policy": "update"
}
}
}
As aforementioned, this is doable with a wee bit of a jq gimmick.
Let's apply the above destination definitions to a destination service instance, as follows:
btp create services/instance --offering-name destination --plan-name lite --name dest-local --parameters dest-param.json
Subsequently, new definitions can be added or the existing ones updated/deleted at will, namely:
btp update services/instance --name dest-local --parameters dest-param.json
Good to know:
- the size of a dest-param.json file cannot exceed 8192 bytes
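The mapping from binding credentials to destination definitions described above, as an added example in Python (the gist does not show its jq approach, and this is neither the author's nor SAP's code). `SAMPLE_BINDING` is constructed and the function names are this example's own; besides building the template it enforces the 8192-byte limit and lists destinations, such as cis-httpbin, whose host is not one of the binding's endpoints and would therefore receive the cis access token.

```python
import json
from urllib.parse import urlparse

MAX_PARAM_BYTES = 8192  # dest-param.json size limit stated on the page

# Constructed sample, shaped like the binding metadata shown above.
SAMPLE_BINDING = {"credentials": {
    "endpoints": {
        "provisioning_service_url": "https://provisioning-service.cfapps.us10.hana.ondemand.com",
        "saas_registry_service_url": "https://saas-manager.cfapps.us10.hana.ondemand.com"},
    "grant_type": "client_credentials",
    "uaa": {"clientid": "constructed-id", "clientsecret": "constructed-secret",
            "url": "https://example-subdomain.authentication.us10.hana.ondemand.com"}}}


def destination(binding, name, url):
    """Map binding credentials to one destination definition (the page's mapping)."""
    cred = binding["credentials"]
    # Assumption of this example: refuse a non-client-credentials binding outright.
    if cred.get("grant_type") != "client_credentials":
        raise ValueError("binding was not created with grantType clientCredentials")
    if urlparse(url).scheme != "https":
        raise ValueError(f"{name}: destination URL must use https")
    return {
        "Name": name, "Description": name, "Type": "HTTP", "ProxyType": "Internet",
        "URL": url, "Authentication": "OAuth2ClientCredentials",
        "tokenServiceURL": cred["uaa"]["url"].rstrip("/") + "/oauth/token",
        "tokenServiceURLType": "Dedicated",
        "clientId": cred["uaa"]["clientid"],
        "clientSecret": cred["uaa"]["clientsecret"],
        "HTML5.DynamicDestination": "true", "HTML5.Timeout": "60000"}


def build_params(destinations):
    """Wrap destinations in the init_data template and enforce the size limit."""
    doc = {"init_data": {"subaccount": {
        "destinations": destinations, "certificates": [],
        "existing_certificates_policy": "update",
        "existing_destinations_policy": "update"}}}
    text = json.dumps(doc, indent=2)
    if len(text.encode("utf-8")) > MAX_PARAM_BYTES:
        raise ValueError(f"dest-param.json would exceed {MAX_PARAM_BYTES} bytes")
    return text


def foreign_destinations(binding, destinations):
    """Names of destinations whose host is not one of the binding's endpoints."""
    own = {urlparse(u).hostname for u in binding["credentials"]["endpoints"].values()}
    return [d["Name"] for d in destinations if urlparse(d["URL"]).hostname not in own]
```

The text returned by `build_params` is what goes into dest-param.json; it carries the client secret, so the file is best created with owner-only permissions.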
As aforementioned, a SAP Workzone subscription brings SAP managed approuter into the context of our BTP sub-account.
And a managed approuter features a built-in dynamic_dest route, which allows calling into subaccount-level destinations without a single line of code.
- choose a SWZ free plan if available
btp subscribe accounts/subaccount --subaccount cc2929d6-*** --to-app SAPLaunchpad --plan free
- otherwise you may want to choose the SWZ standard plan
btp subscribe accounts/subaccount --subaccount cc2929d6-*** --to-app SAPLaunchpad --plan standard
The Provisioning service manages the provisioning of environment instances, multitenant application subscriptions, and services for subaccounts in their corresponding region. Provisioning is executed after validation by the relevant Entitlement service.
Let's use the cis-httpbin destination as follows:
https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/cis-httpbin/bearer
{
"authenticated": true,
"token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vODVhM2IzM2N0cmlhbC5hdXRoZW50aWNhdGlvbi51czEwLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCp5YGS4hoUBZt4PDPSqOmlG-FwFyPkVyQAig3AV6aNzAMe4kkPAgdcRSfBctScTZ7UX-OHbr9LZGqETOsbeErcplXO34nqk9DMGJeN1mKR1kK5VHE7ug"
}
or
https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/cis-httpbin/headers
{
"headers": {
"Authorization": "Bearer eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vODVhM2IzM2N0cmlhbC5hdXRoZW50aWNhdGlvbi51czEwLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCp5YGS4hoUBZt4PDPSqOmlG-FwFyPkVyQAig3AV6aNzAMe4kkPAgdcRSfBctScTZ7UX-OHbr9LZGqETOsbeErcplXO34nqk9DMGJeN1mKR1kK5VHE7ug"
}
}
Subsequently, one can use the bearer access token with the built-in API editor by appending /api to credentials.endpoints.provisioning_service_url, namely:
Last but not least, one can use the provisioning-service destination by appending the required API endpoint and providing the required parameters if applicable, for instance:
https://<subdomain>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/provisioning-service/provisioning/v1/environments
- Account Administration Using the SAP BTP Command Line Interface (btp CLI) | SAP Help
- Account Administration Using APIs of the SAP Cloud Management Service [Feature Set B] | SAP Help