
Assume role in AWS SDK for ABAP when using IAM Anywhere


We are using the AWS SDK for ABAP with IAM Anywhere, and so we assume a role in the AWS account running AWS IAM Anywhere. From this role, we can use resource policies to authorize it to S3 or to DynamoDB. However, in some cases we need to connect to services like Athena, where we need to assume another role first. This should programmatically work with https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/sts/operation/ASSUMEROLE.html, however somehow this does not seem to work. Obviously we have tested this with Python and it seems fairly easy there. Any hints/sample code for this?

1 Answer

Hi Mark,

If an ABAP program has created a session which has assumed a certain role aaa (using an SDK profile AAA), and now the ABAP program would like to assume a different role bbb, the easiest way is to create a second SDK profile (with a different IAM role mapping) and create another session.

DATA(lo_session_aaa) = /aws1/cl_rt_session_aws=>create( 'AAA' ).    " session from SDK profile AAA, mapped to role aaa
DATA(lo_s3)          = /aws1/cl_s3_factory=>create( lo_session_aaa ). " access S3 with SDK profile AAA mapping to role aaa

DATA(lo_session_bbb) = /aws1/cl_rt_session_aws=>create( 'BBB' ).    " second session from SDK profile BBB, mapped to role bbb
DATA(lo_athena)      = /aws1/cl_ath_factory=>create( lo_session_bbb ). " access Athena with SDK profile BBB mapping to role bbb

We don't have a mechanism to create a session using credentials acquired manually (either from an explicit call to ASSUMEROLE or from other sources), as a way of discouraging insecure storage or handling of credentials. If you've got a use case where such a thing is necessary, we'd be happy to look into it. If your company has an AWS SA that you work with, please forward this thread to them and they'll help connect you with me directly, otherwise please send a ticket to AWS Support (under service IAM Roles Anywhere, Category Other) and link to this thread in the ticket and they will route it to me, and we can discuss your use case in depth.

Thanks, Jon

AWS
EXPERT
answered 9 months ago
  • Thanks Jon!

    I'll forward this to our SAs. In our implementation, the bbb role would be in a different AWS account that does not run IAM Roles Anywhere. So we thought to have role aaa, used by ABAP in account A (with IAM Roles Anywhere), trusted to assume role bbb in account B, and role bbb has the actual permissions.
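Whatever ends up performing the second AssumeRole (an SDK profile mapping or an explicit STS call), the cross-account design described in the follow-up comment needs a trust policy on role bbb in account B that names role aaa from account A as the only principal. This is an added example, not code from the thread or from the SDK; the account ID 111111111111 is a placeholder for account A, while the role names aaa and bbb are the ones used in the thread.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyRoleAaaFromAccountAToAssumeBbb",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/aaa"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

The trust policy alone is not sufficient: role aaa's own identity policy must also allow sts:AssumeRole on the ARN of role bbb, and keeping bbb's trust policy scoped to that single role ARN (rather than the whole account A root) is what limits who in account A can reach bbb's permissions.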
