
Cross-Account IAM Role Chaining in the AWS SDK for SAP ABAP

4 minute read
Content level: Intermediate

This article explains how to configure and use multi-hop cross-account IAM role chaining in the AWS SDK for SAP ABAP, enabling SAP systems to securely access AWS resources across multiple accounts through a chain of trust relationships.

If you've ever needed your SAP system - whether running on-premise, in SAP RISE, or in a managed environment - to access resources in a separate AWS production account, but the path requires passing through an intermediate AWS account first (two hops across three accounts), you've likely run into the challenge of multi-hop cross-account IAM role assumption. The AWS SDK for SAP ABAP now supports role chaining, making multi-hop cross-account access straightforward and secure.

What Is Role Chaining?

Role chaining is a pattern where one AWS profile delegates its authentication to another profile, forming a chain of trust. Each profile in the chain says: "To authenticate me, first authenticate using this other profile, then assume my role".

This mirrors the source_profile parameter available in the AWS CLI and other AWS SDKs (such as Boto3), and is now available natively in the AWS SDK for SAP ABAP.

A Concrete Example

Consider a customer running SAP in an SAP RISE environment who needs to query Athena tables hosted in a dedicated AWS data account. Because the SAP system runs in an SAP-managed environment, it uses IAM Roles Anywhere for base authentication - and the Athena data account requires access to be routed through a central cloud integration account that manages cross-account permissions.

Three profiles are configured in /AWS1/IMG:

  • SAP_BASE: Authenticates using IAM Roles Anywhere (using the Trust Anchor ARN, Profile ARN, and IAM Role ARN configured on the SAP system), assuming SapBaseRole in the IAM Roles Anywhere account (Account 111111111111).
  • CLOUD_INTEGRATION: Uses “SAP_BASE” credentials (SapBaseRole), then assumes CloudIntegrationRole in the central cloud integration account (Account 222222222222) that manages access to downstream data accounts.
  • ATHENA_ACCESS: Uses “CLOUD_INTEGRATION” credentials (CloudIntegrationRole), then assumes AthenaReadRole in the AWS data account (Account 333333333333) where the Athena tables reside.

When your ABAP code uses "ATHENA_ACCESS", the SDK automatically resolves the full chain, executing sequential AssumeRole calls at each step:

SAP_BASE (Account 111111111111, SapBaseRole) → CLOUD_INTEGRATION (Account 222222222222, CloudIntegrationRole) → ATHENA_ACCESS (Account 333333333333, AthenaReadRole)

The final credentials for AthenaReadRole in Account 333333333333 are then used for all Athena API calls.

Configuration

Role chaining is configured in the SDK's IMG transaction /AWS1/IMG. A new authentication method, Source Profile, has been added to the IAM Auth Method dropdown. When Source Profile is selected for a profile, a Source Profile ID field becomes available to specify the upstream profile.

[Screenshot: 'SAP_BASE' Profile Configuration]

[Screenshot: 'CLOUD_INTEGRATION' Profile Configuration]

[Screenshot: 'ATHENA_ACCESS' Profile Configuration]

Using Role Chaining in ABAP Code

Once configured in /AWS1/IMG, using a chained profile requires no special syntax - simply create a session with the target profile as usual:

" Create a session for the chained profile; the SDK resolves
" SAP_BASE -> CLOUD_INTEGRATION -> ATHENA_ACCESS behind this one call
DATA(lo_session) = /aws1/cl_rt_session_aws=>create( 'ATHENA_ACCESS' ).
" Build the Athena client from the session
DATA(lo_athena)  = /aws1/cl_ath_factory=>create( lo_session ).
" Retrieves a saved query from the Athena data account using AthenaReadRole permissions
DATA(lo_result)  = lo_athena->getnamedquery( 'a1b2c3d4-5678-90ab-cdef-example11111' ).

The SDK handles the full chain resolution and all intermediate AssumeRole calls automatically.

Important Considerations

  • Chain depth limit - A maximum of 5 profiles is supported in a single chain.
  • Circular reference detection - A profile cannot appear more than once in the chain (e.g., A → B → C → B is rejected).
  • Authorization - Users must hold the necessary authorizations (/AWS1/SESS and /AWS1/LROL) for every profile in the chain, including the intermediate profiles, not only the target profile.
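The following is an added example, not code from the AWS SDK for SAP ABAP, written in Python rather than ABAP so it can run anywhere. It models what the SDK does when ATHENA_ACCESS is requested: walk the source-profile links back to the base profile, derive the sequence of AssumeRole calls (which credentials call STS, which role is assumed), and refuse chains that exceed the depth limit or revisit a profile. The profiles are expressed in AWS CLI ~/.aws/config syntax, since source_profile there is the counterpart of the Source Profile ID field in /AWS1/IMG; the config text, the placeholder credential_process path and the cyclic A/B/C profiles are constructed for the example. The resolver makes no AWS calls.

```python
"""Resolve an AWS profile chain linked by source_profile.

Added example, not code from the AWS SDK for SAP ABAP. It models the chain
resolution and two of the safeguards the article lists (depth limit,
circular-reference detection) over AWS CLI-style config text.
"""
import configparser

MAX_CHAIN_DEPTH = 5  # the article's documented limit for one chain

# Constructed config mirroring the article's three profiles. The base profile
# uses a placeholder credential_process; in the SAP SDK it would be the IAM
# Roles Anywhere settings instead.
SAMPLE_CONFIG = """
[profile SAP_BASE]
credential_process = /opt/placeholder/rolesanywhere-helper

[profile CLOUD_INTEGRATION]
role_arn = arn:aws:iam::222222222222:role/CloudIntegrationRole
source_profile = SAP_BASE

[profile ATHENA_ACCESS]
role_arn = arn:aws:iam::333333333333:role/AthenaReadRole
source_profile = CLOUD_INTEGRATION
"""

# Constructed cyclic chain A -> B -> C -> B, the article's rejected example.
CYCLIC_PROFILES = {
    "A": {"role_arn": "arn:aws:iam::111111111111:role/A", "source_profile": "B"},
    "B": {"role_arn": "arn:aws:iam::111111111111:role/B", "source_profile": "C"},
    "C": {"role_arn": "arn:aws:iam::111111111111:role/C", "source_profile": "B"},
}


class ChainError(ValueError):
    """Raised when a profile chain cannot be resolved safely."""


def load_profiles(config_text):
    """Parse ~/.aws/config-style text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # The CLI config prefixes non-default profiles with "profile ".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles, target, max_depth=MAX_CHAIN_DEPTH):
    """Return profile names in the order credentials are obtained, base first.

    Walks source_profile links from the target back to a root profile (one
    without source_profile), refusing chains that revisit a profile or that
    contain more than max_depth profiles.
    """
    visited = []  # target-first order while walking
    current = target
    while True:
        if current not in profiles:
            raise ChainError(f"unknown profile {current!r}")
        if current in visited:
            raise ChainError("circular reference: " + " -> ".join(visited + [current]))
        visited.append(current)
        if len(visited) > max_depth:
            raise ChainError(f"chain longer than {max_depth} profiles")
        source = profiles[current].get("source_profile")
        if source is None:
            return list(reversed(visited))  # base profile first
        current = source


def assume_role_steps(profiles, target):
    """List the sequential AssumeRole calls as (credentials used, role assumed)."""
    chain = resolve_chain(profiles, target)
    steps = []
    for caller, callee in zip(chain, chain[1:]):
        role_arn = profiles[callee].get("role_arn")
        if role_arn is None:
            raise ChainError(f"profile {callee!r} has source_profile but no role_arn")
        steps.append((caller, role_arn))
    return steps


def validate_chain(profiles, target):
    """Return None if the chain resolves, otherwise the error message."""
    try:
        resolve_chain(profiles, target)
    except ChainError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for caller, role in assume_role_steps(profiles, "ATHENA_ACCESS"):
        print(f"using {caller} credentials, AssumeRole {role}")
    print(validate_chain(CYCLIC_PROFILES, "A"))
```

For ATHENA_ACCESS the resolver yields SAP_BASE, CLOUD_INTEGRATION, ATHENA_ACCESS, and the two AssumeRole steps are: SAP_BASE credentials assume CloudIntegrationRole, then CloudIntegrationRole credentials assume AthenaReadRole. The cycle check reports the full path back to the repeated profile, which is what an operator needs to find the misconfigured Source Profile ID; the depth check counts profiles rather than AssumeRole calls, matching the article's "5 profiles" wording.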

Conclusion

Cross-Account IAM Role Chaining in the AWS SDK for SAP ABAP enables ABAP programs to securely traverse multi-account AWS architectures using a familiar, configuration-driven approach. The SDK handles the full chain of AssumeRole calls automatically, with built-in safeguards for circular references, depth limits, and authorization validation.

This feature is particularly useful for customers with centralized SAP systems that need to access resources across multiple AWS accounts, including those deployed in SAP RISE or managed service provider environments.

If you're new to the AWS SDK for SAP ABAP, refer to the Getting Started page for installation and configuration instructions.


3 Comments

Hello Deepika, thank you for providing the detailed information. I followed the instruction to use this solution, but unfortunately it does not work.

The call dumps in the Class /AWS1/CL_RT_CREDS_FROM_RLA and there in the Method REFRESH, because the variable ao_rla_authentication has not been initialized. Therefore, it is not possible within this Method to execute the following statement:

ls_rla_credentials = ao_rla_authentication->createsession(
  iv_profilearn     = ao_config->get_profile_arn( )
  iv_rolearn        = av_iam_role_arn
  iv_trustanchorarn = ao_config->get_trust_anchor_arn( ) ).

The constructor of this class will be called from /AWS1/CL_RT_SESSION_AWS_IMPL and there in the class CREATE_BASE_CREDENTIALS, but the parameter SESSION will not be provided:

WHEN /aws1/cl_rt_cfg_cv=>cv_auth_meth_rla.
  CREATE OBJECT oo_cred TYPE ('/AWS1/CL_RT_CREDS_FROM_RLA')
    EXPORTING io_config          = ao_config
              iv_custom_endpoint = iv_custom_rla_endpoint.

Do you have any idea what I am doing wrong?

Best Regards, Gökhan Kirazci

replied 19 days ago

Hi Gökhan,

Thank you for the detailed feedback and for trying out the role chaining feature.

The behavior you're describing, where the ao_rla_authentication variable is not initialized in /AWS1/CL_RT_CREDS_FROM_RLA when using IAM Roles Anywhere as the base profile authentication, has been identified and addressed.

Please patch your SDK to version 1.19.27 (or any later version), and profile chaining with IAM Roles Anywhere authentication should work as expected. For instructions on patching the SDK, please refer to the AWS SDK for SAP ABAP - Patching Guide.

If you have any further questions or run into any issues after patching, please don't hesitate to reach out!

Best regards, Deepika

replied 13 days ago

Hi Deepika, thank you very much for your support and the information you provided. After updating our SDK, we were able to use Cross-Account IAM Role Chaining.

Best regards, Gökhan

replied 7 days ago