
Secure Service Consumption Across Hyperscalers


To enable compliant and secure integration with hyperscaler services, SAP recommends using federated identity mechanisms instead of long-lived credentials. By leveraging standards such as OIDC and X.509 certificate-based authentication, SAP BTP workloads can access services on the hyperscaler with traceable, short-lived credentials that align with enterprise security and audit requirements.

The following reference architectures illustrate how federated authentication can be implemented for each hyperscaler.

Architecture

[Image: solution diagram]

Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.

Flow

  1. Identity Federation: SAP IAS or a certificate authority is registered with the hyperscaler as a trusted source.
  2. Token or Certificate Exchange: The workload presents a signed token or client certificate to the hyperscaler.
  3. Temporary Credential Issuance: Based on the verified identity, short-lived credentials are issued to assume a scoped role or service account.
  4. Resource Access: The workload uses these credentials to access cloud-native services securely, with full auditability and revocability.
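The flow above, as an added Python simulation that is not SAP's or any hyperscaler's code: a stand-in identity provider mints a workload token (step 2 input), and the hyperscaler-side exchange checks issuer trust, signature, audience and expiry before issuing a role-scoped credential with a short TTL (step 3). The issuer URL, verification key, subject and role name are constructed placeholders, and HS256 stands in for the asymmetric signatures a real OIDC federation would verify via the issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed trust registry: the hyperscaler-side record created in step 1. Issuer, key
# and audience are placeholders; real hyperscalers verify RS256/ES256 via the issuer's JWKS.
TRUSTED_ISSUERS = {
    "https://example.accounts.ondemand.com": {
        "key": b"constructed-shared-verification-key",
        "audience": "hyperscaler-federation",
    },
}
ROLE_BINDINGS = {"btp-app-7f3a": "role/btp-app-7f3a-object-reader"}  # constructed, step 3
CREDENTIAL_TTL = 900  # seconds; issued credentials are short-lived by design


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_workload_token(issuer, subject, audience, key, now, ttl=300):
    """Stand-in for the IdP (step 2 input): an HS256 JWT carrying the claims checked below."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def exchange_token(token, now):
    """Steps 2-3: verify token against the registry, issue a scoped credential or None. `now`: epoch secs."""
    try:
        header, body, sig = token.split(".")
        claims, sig = dict(json.loads(_b64url_decode(body))), _b64url_decode(sig)
    except (ValueError, TypeError):  # malformed token (bad base64, bad JSON, non-object payload)
        return None
    trust = TRUSTED_ISSUERS.get(claims.get("iss"))
    if trust is None:  # issuer was never registered in step 1
        return None
    expected = hmac.new(trust["key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if (not hmac.compare_digest(expected, sig) or claims.get("aud") != trust["audience"]
            or claims.get("exp", 0) <= now):
        return None
    role = ROLE_BINDINGS.get(claims.get("sub"))
    if role is None:  # authenticated, but no scoped role bound to this workload
        return None
    return {"role": role, "subject": claims["sub"], "expires_at": now + CREDENTIAL_TTL,
            "credential": secrets.token_urlsafe(32)}
```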

Characteristics

Characteristic             Description
No long-lived secrets      Uses short-lived tokens or signed certificates instead of static credentials.
Strong isolation           Each workload is assigned a scoped identity and a tightly controlled role.
Seamless credential flow   Eliminates manual secret rotation; credentials are derived dynamically.