Volker Saggau

How to recreate a HANA Cloud service key aka password rotation

Problem:

SAP HANA Cloud uses BTP services and service keys.

You might need to update the service keys.

Solution:

Warning: This is advanced scripting and you could harm your configurations. Please test carefully in dedicated spaces before you apply this to production instances. This also includes development environments/spaces.

Write a script that automates the update of the service keys.

Install the Cloud Foundry CLI on your machine or use a Business Application Studio terminal session.

In the terminal session, connect to Cloud Foundry via “cf login”.

In my case this looks like this:

cf login

 

Now you can issue the command “cf services” to see all the services you have.

List of services in cf

Alternatively, you can see the same under your instances in the BTP cockpit:

BTP Cockpit view on services

Here we are only interested in the HDI_shared view, but you might have other selection criteria.

I strongly recommend adjusting the grep parameter in this line to get a list of the services you want to recreate.

cf services | tail -n +4 | grep hdi-shared | grep -v -i myHDiServie | grep -i -- -ws- | awk '{print $1}'

The sample script below demonstrates how you can manage serviceKey recreation.

I commented out the two critical lines

  • dsk (delete-service-key)
  • csk (create-service-key)

with a “#”, so a simple copy/paste will not change things immediately.

The “-f” forces the deletion, so you do not have to confirm with a “Y”.

I saw copy/paste issues with the '{"permissions": ["development"]}' string. In particular, the double quotes had some strange reformatting…

The term “development” has 2 aliases: “catalog-user” and “debugging”.

THIS IS ONLY RECOMMENDED FOR DEVELOPMENT SPACES

For production environments, no “-c .. permission..” parameter is needed.

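#!/bin/sh
# Loop over the selected services and recreate each of their service keys.
clear
echo "looping through the services"
# Adjust the grep filters so that only the intended services are listed.
for service in $(cf services | tail -n +4 | grep hdi-shared | grep -v -i myHDiServie | grep -i -- -ws- | awk '{print $1}')
do
    echo "For service: $service"
    # The first column of "cf service-keys" is the key name.
    for serviceKey in $(cf service-keys "$service" | tail -n +4 | awk '{print $1}')
    do
        echo " showing service key $serviceKey"
        echo " deleting service key $serviceKey"
        echo " cf dsk $service $serviceKey "
        # Critical line, commented out on purpose: deletes the key (-f skips the confirmation).
        #cf dsk "$service" "$serviceKey" -f
        echo
        echo " create $serviceKey"
        echo " cf csk $service $serviceKey -c '{\"permissions\": [\"development\"]}'"
        # Critical line, commented out on purpose: recreates the key under the same name.
        #cf csk "$service" "$serviceKey" -c '{"permissions": ["development"]}'
        echo
        echo
    done
done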
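
The grep selection and the quote problem described above, as an added example that is not part of the original post: it selects services by the plan column instead of a whole-line grep (a generalization of the filter used here), rejects a "-c" parameter that contains non-ASCII quotes, and only prints the dsk/csk commands. The function names, the assumed column layout (name, offering, plan) and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: dry-run planner for the key rotation. Sample data is constructed.

# Pick instance names from `cf services` output on stdin by column, not by
# whole-line grep. Assumed layout: 3 preamble lines, then rows starting with
# name, offering, plan. $1 = exact plan, $2 = name regex, $3 = name part to skip.
select_services() {
    tail -n +4 | awk -v plan="$1" -v inc="$2" -v exc="$3" '
        $3 == plan && tolower($1) ~ tolower(inc) &&
        (exc == "" || index(tolower($1), tolower(exc)) == 0) { print $1 }'
}

# Succeed only if the -c parameter is pure ASCII (catches pasted curly quotes).
params_are_ascii() {
    left=$(printf '%s' "$1" | LC_ALL=C tr -d '\001-\177' | wc -c)
    [ "$left" -eq 0 ]
}

# Print (never run) the delete/create pair for every key of service $1.
# `cf service-keys` output is read from stdin; $2 = JSON for -c.
plan_rotation() {
    params_are_ascii "$2" || { echo "non-ASCII byte in: $2" >&2; return 1; }
    tail -n +4 | awk 'NF { print $1 }' | while read -r key; do
        printf "cf dsk %s %s -f\n" "$1" "$key"
        printf "cf csk %s %s -c '%s'\n" "$1" "$key" "$2"
    done
}

# Constructed sample: row 3 is excluded by name, row 4 only looks like a match.
SAMPLE_SERVICES='Getting service instances in org demo / space dev as dev@example.com...

name               offering   plan          bound apps   last operation
proj1-ws-hdi       hana       hdi-shared                 create succeeded
proj2-WS-hdi       hana       hdi-shared                 create succeeded
myHDiServie-ws-1   hana       hdi-shared                 create succeeded
hdi-shared-ws-doc  xsuaa      application                create succeeded'
SAMPLE_KEYS='Getting keys for service instance proj1-ws-hdi as dev@example.com...

name
SharedDevKey
'

PARAMS='{"permissions": ["development"]}'
printf '%s\n' "$SAMPLE_SERVICES" | select_services hdi-shared '-ws-' myHDiServie
printf '%s\n' "$SAMPLE_KEYS" | plan_rotation proj1-ws-hdi "$PARAMS"
```

Against a real space, pipe the live output in instead of the samples, for example `cf services | select_services hdi-shared '-ws-' myHDiServie`, and review the printed commands before running any of them.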

Post processing

You have to “train” the development environments to pick up the changed service keys.

We keep a copy of the service key in the BAS environment, so if you change the keys, we cache the wrong information. We added a little feature in the BAS HANATooling:

BIND ALL OPTION

The BIND ALL option will “refresh” all the keys in your project. If you still have bindings, you have to UNBIND ALL as a first step.

Summary

It is possible to change the service key(s) in a BTP/CF development space for “hdi-shared” or “schema” with a script. It is very important to test your script. Such scripts can cause great damage and result in a lot of manual rework to fix.

      2 Comments
      Michael Cocquerel

      Would it work for HANA on-premise by just replacing the cf command with xs in the script?
      Is there a post action to be done on the Web IDE for HANA side?

      Volker Saggau
      Blog Post Author

      Hi Michael,

      Indeed, the replacement of "cf" with "xs" should do the job. I have not tested it yet.

      As a post action you have to unbind/bind in WEBIDE. I am not aware of a BIND ALL option here. So you have to do that for each connection.

      Be aware that you have to inform your developers. This could create some tickets for yourself.