
SAP Cloud Appliance Library - Deployment into AWS with assumeRole Calls

hotarek
Discoverer
0 Kudos

Hello,

I am trying to deploy a CAL instance (S/4 HANA 1809) into my AWS account.
According to the information when specifying the AWS account for the deployment the following rights are required for the AWS account:

AmazonEC2FullAccess, AmazonVPCFullAccess, ReadOnlyAccess and AWSAccountUsageReportAccess

However, according to our company policies it is not possible to assign AmazonEC2FullAccess and AmazonVPCFullAccess directly to my AWS user account. The required rights should be retrieved via an STS AssumeRole API call. This means that, in addition to the access and secret key, we would need a field to specify an AWS Role ARN for the role that needs to be assumed for the deployment.

Is there a way to use AssumeRole calls for the CAL deployment into AWS?
If not, is this something which is planned to be available soon?

Thanks in advance and greetings.

Accepted Solutions (0)

Answers (3)

stanimir_eisner
Employee
0 Kudos

Hi Sebastian,

SAP CAL refreshes the status of the provisioned VMs every few minutes. Hence we require the permanent connection and AssumeRole won't help here.

Best regards,

Stanimir

hotarek
Discoverer
0 Kudos

Hello Stanimir,

Many thanks for the quick feedback.
In the meantime we discussed internally, and as a workaround my AWS responsible is going to create an exceptional account with the required rights for deploying the CAL systems.
However, according to our AWS responsible there should not be the need for a permanent connection, and whenever an administrative call is required it could be done via AssumeRole.
Other tools like Datadog or New Relic are using this approach.
Is there some special requirement for SAP CAL?
Are you able to confirm that AssumeRole is nothing which is being worked on and which is also not present on the roadmap for SAP CAL?
We need to know as we will have to define some new standard policies for deploying CAL systems in the future then.

Thanks and best regards,
Sebastian

stanimir_eisner
Employee
0 Kudos

Hello Sebastian,

The idea of SAP CAL is to be connected to your AWS account until you terminate all your instances. With AssumeRole the connection will be lost in minutes to hours.

Best regards,

Stanimir
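
The pattern discussed in this thread, where a long-running status poller uses short-lived STS AssumeRole credentials and requests a new set shortly before the current one expires, as an added example that is not part of the thread and is not SAP CAL code. The role ARN, external ID, session name `cal-status-poll` and the 5-minute refresh margin are assumptions; the STS call and the clock are injectable so the refresh logic runs offline against constructed credentials.

```python
import datetime as dt

REFRESH_MARGIN = dt.timedelta(minutes=5)  # assumed: renew this long before expiry


def sts_assume(role_arn, session_name, external_id, duration_s):
    """Real STS call; the base credentials need only sts:AssumeRole on the role."""
    import boto3  # imported lazily so the refresh logic below runs without boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name,
        ExternalId=external_id, DurationSeconds=duration_s)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


class AssumedRoleSession:
    """Caches temporary credentials and re-assumes the role before they expire."""

    def __init__(self, role_arn, external_id, duration_s=3600,
                 assume=sts_assume, now=lambda: dt.datetime.now(dt.timezone.utc)):
        self.role_arn, self.external_id = role_arn, external_id
        self.duration_s, self._assume, self._now = duration_s, assume, now
        self._creds = None
        self.assume_calls = 0

    def credentials(self):
        if self._creds is None or self._now() >= self._creds["Expiration"] - REFRESH_MARGIN:
            self._creds = self._assume(self.role_arn, "cal-status-poll",  # hypothetical name
                                       self.external_id, self.duration_s)
            self.assume_calls += 1
        return self._creds


def simulate_polling(hours, poll_minutes=5, duration_s=3600):
    """Offline run with a fake clock and fake STS: returns (polls, assume_calls, stale)."""
    clock = [dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)]  # constructed start time

    def fake_assume(role_arn, session_name, external_id, duration_s):
        exp = clock[0] + dt.timedelta(seconds=duration_s)
        return {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed",
                "SessionToken": "constructed", "Expiration": exp}

    session = AssumedRoleSession("arn:aws:iam::111122223333:role/ExampleDeployRole",
                                 "example-external-id", duration_s,
                                 assume=fake_assume, now=lambda: clock[0])
    polls = stale = 0
    for _ in range(hours * 60 // poll_minutes):
        creds = session.credentials()
        stale += creds["Expiration"] <= clock[0]  # would this poll use expired credentials?
        polls += 1
        clock[0] += dt.timedelta(minutes=poll_minutes)
    return polls, session.assume_calls, stale
```

In the simulated 24-hour run, `stale` counts polls that would have been made with expired credentials and `assume_calls` counts how often the role had to be re-assumed.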