Skip to Content
Technical Articles
Author's profile photo Fatih Pense
Fatih Pense
July 13, 2021 3 minute read

Using Cloud Integration APIs with Tools on Cloud Foundry: Creating a Service Key

There are resources on this topic, but it was hard to understand for me at the first sight, and there were questions about how to use tools like CPI Explorer in the CF environment.

This is my attempt to create a clear post for referring basis teams. Also, you can find more detailed documentation at the bottom of the article.

I like text with pictures! So, let’s start.

 

Steps

 

Services > Instances and Subscriptions > Create

 

  • Process Integration Runtime
  • api

Give it a cli-friendly name, click “Next”.

 

“password” lets you use client_id and client_secret as basic auth. But it doesn’t work with “api” plan. (For “integration-flow” plan, you can give it to clients that call HTTP endpoints in the flows.)

 

If you choose JSON here is a list of available roles, you can edit the text and paste it. You can switch between Form and JSON views, they keep the same values.

{
    "grant-types": [
        "client_credentials",
        "password"
    ],
    "redirect-uris": [],
    "roles": [
        "WorkspacePackagesTransport",
        "WorkspacePackagesRead",
        "QueuesActivate",
        "AccessAllAccessPoliciesArtifacts",
        "AccessPoliciesEdit",
        "AccessPoliciesRead",
        "AuthGroup_Administrator",
        "AuthGroup_BusinessExpert",
        "AuthGroup_ContentPublisher",
        "AuthGroup_IntegrationDeveloper",
        "AuthGroup_ReadOnly",
        "AuthGroup_TenantPartnerDirectoryConfigurator",
        "CatalogPackageArtifactsRead",
        "CatalogPackagesCopy",
        "CatalogPackagesRead",
        "CredentialsEdit",
        "DataStorePayloadsRead",
        "DataStoresAndQueuesConfig",
        "DataStoresAndQueuesDelete",
        "DataStoresAndQueuesRead",
        "HealthCheckMonitoringDataRead",
        "MessagePayloadsRead",
        "MessageProcessingLocksDelete",
        "MessageProcessingLocksRead",
        "MonitoringArtifactsDeploy",
        "MonitoringDataRead",
        "QueuesRetry",
        "SecurityMaterialDownload",
        "SecurityMaterialEdit",
        "TraceConfigurationEdit",
        "TraceConfigurationRead",
        "WorkspaceArtifactLocksDelete",
        "WorkspaceArtifactLocksRead",
        "WorkspaceArtifactsDeploy",
        "WorkspacePackagesConfigure",
        "WorkspacePackagesEdit"
    ]
}

 

Just click “Create”

 

Wait for a while.

 

When you click on the instance, a pane on the right appears. Click “Create” under Service Keys.

 

Just give it a name and click “Create”

 

You will need client_id, client_secret, and tokenurl.

 

Get “tokenurl” at the bottom:

 

That is all.

 

Example client: CPI Explorer

 

Tenant management hostname is the same with “url” in the JSON, or the URL where integration developers work.

 

Enter client_secret:

 

Resources

 

Related SAP documentation

Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/20e26a837a8449c4b8b934b07f71cb76.html

If you are using another Identity Provider:
Setting Up Basic Inbound Authentication of an IdP User for API Clients, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/57f104d5b6064720bdca826c6698d34c.html

Creating OAuth Client Credentials for Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/50b63c69028643b18016d6795003392d.html

Managing User Roles, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/4e86f0dcb41f49e99ea43e82a0e99c73.html

List of all permissions:
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/fda781c59e4b46a390ce5b409f60365e.html

Related blog posts

Technical / Service user Cloud Platform Integration for Inbound Communication
https://blogs.sap.com/2019/10/18/technical-service-user-cloud-platform-integration-for-inbound-communication/

Integration Suite – Accessing Cloud Integration Runtime
https://blogs.sap.com/2021/03/22/integration-suite-accessing-cloud-integration-runtime/

Self-Service Enablement of Cloud Integration Service on Cloud Foundry Environment
https://blogs.sap.com/2019/06/10/self-service-enablement-of-cloud-integration-service-on-cloud-foundry-environment/

Assigned Tags

      6 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Rajesh Pasupula
      Rajesh Pasupula

      Hi Fatih Pense - Would be helpful if you can elaborate how to grant access to this API for other users rather than accessing with the client id and secret of Service Key of this instance like Role Collection and assignment of exact roles that need to be included.

      For .e.g. if you want to access the APIs using OData adapter service in the iFlow editor I am afraid that this service instance client cannot be able to access the same as the roles provided at the Integration flow SI might be different.

      Also I see no option to edit the roles once the API service instance is created which is worrisome for now (like I want to add Workspace* roles along with monitoring ones or if I miss few initially and like to add later.

      Hope SAP soon addresses these issues.

      Thanks for taking time and blogging this.

      Regards

      Rajesh Pasupula

       

       

      Author's profile photo Geoff Beglau
      Geoff Beglau

      Excellent write up Fatih!

      Can you clarify which roles exactly are needed for use with CPI Explorer?

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Fatih!

      Thank you for writing down your learnings. The sentence "But it doesn’t work with “api” plan" is a relieve for me! Now I can stop thinking that I'm doing something wrong... 🙂

      I now realized that basic auth with a service key is not supported for API access, but basic auth with an actual user (that is stored in an identity provider) works (see https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/IAT/en-US/8db3d5141cd644019f0cf244e2a6763f.html).

      So for example if I use my SAP S-User it works with basic auth. Strange that it's different for the API and Iflow plans, but at least we know now...

      Kinds regards,

      Philippe

      Author's profile photo vinod kumar
      vinod kumar

      Hi Philippe,

      Thanks for the useful information!

      I am also trying to assign roles to the Service account (which is not the actual user that is stored in the identity provider).

      As per the above info, basic auth with a service key is not supported for API access do we have any alternate solution for the same?

      Please guide us as we are also struck by the same.

      Thanks in advance!

      Regards,

      Vinod.

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Vinod

      Not sure. I believe this has changed a bit again. Just try it out. Do you see a Service Instance with plan "api"? If so, there should be a default service in there. Take this one - use its client ID and client secret as user and pass for the basic auth.

      Philippe

      Author's profile photo Himangshu Ghosh
      Himangshu Ghosh

      I'm getting the below error in my trial account while trying to create a service instance of Process integration runtime with 'api' plan:

      Service broker error: Service broker it-broker-rt failed with: Internal Server Error

      can anyone please help me to solve this issue?