Calling all SAP ABAP developers — You are invited to the Amazon Bedrock Party!

3 days ago 10

Introduction

For more than a decade, Amazon Web Services (AWS) has enabled customers to modernize their businesses. AWS provides simplified, API-based access to a range of services, including Networking, Compute, Analytics, Messaging, Security and Identity, Mobile Services and Generative AI. These services allow customers to experiment and innovate at faster pace, without requiring a heavy upfront commitment. By offering a comprehensive suite of cloud-based services, AWS enables customers to focus on their core business objectives while benefiting from the scalability, reliability, and security of the AWS platform. This approach has helped countless organizations modernize their operations, drive innovation, and gain a competitive edge in their respective industries.

Integrating ABAP systems and AWS services has traditionally been challenging due to differences in authentication and data formatting. To address this, AWS developed the AWS SDK for SAP ABAP, empowering ABAP developers to natively connect to over 240 AWS services and modernize their SAP business processes using the ABAP programming language. The AWS SDK for SAP ABAP enables customers to:

Accelerate business process innovation by giving ABAP developers access to all 240+ AWS services
Reduce architectural complexity by eliminating the need to manually create complex integrations between SAP and AWS services, in both self-managed and RISE with SAP deployments
Maintain a strong security posture by encrypting all payloads with HTTPS and enforcing SAP-level permissions

In this blog, we will cover how ABAP developers can quickly provision an SAP sandbox system in AWS utilizing SAP’s ABAP Cloud Developer 2022 Trial docker image, install the AWS SDK for SAP ABAP and start experimenting with over 240 AWS services. This blog also provides sample code to integrate SAP ABAP with Amazon Bedrock, AWS fully managed services providing API-based access to various high-performing foundation models (FMs) from leading AI companies. Among these is Amazon Nova, a next-generation state-of-the-art (SOTA) foundation model available exclusively through Amazon Bedrock, delivering cutting-edge intelligence with industry-leading price-performance.

Why AWS for SAP ABAP Development?

Before learning how to deploy an SAP docker image on AWS, let’s first review why ABAP developers should leverage AWS services to solve their business challenges.

Cost-effectiveness: With AWS, you only pay for the resources you actually use, reducing unnecessary costs for developers and businesses alike.

Scalability: AWS allows you to easily scale resources up or down depending on the needs of your ABAP applications, ensuring optimal performance at any stage of development.

Flexibility: Whether you’re developing, testing, or running production workloads, AWS makes it simple to deploy multiple instances of the ABAP Cloud Developer Trial 2022, including via SAP’s Docker image for fast setup.

Security: The AWS SDK for SAP ABAP offers multiple layers of security, including robust authentication and fine-grained access control. It supports IAM roles for managing permissions, with integration into SAP’s own authorization framework. This allows administrators to map logical IAM roles to SAP user roles, ensuring that users have the least privilege necessary for their tasks. Additionally, the SDK supports secure operations through HTTPS, encryption, and certificate-based authentication with IAM Roles Anywhere for systems outside AWS

Integration: The AWS SDK for SAP ABAP provides access to over 240 AWS services, allowing developers to integrate cloud-native functionalities into their ABAP environments. These include top services like Amazon S3 for scalable storage, Amazon SQS for messaging, Amazon SNS for notifications, Amazon Textract for document analysis, and Amazon Rekognition for image and video recognition. Another key AWS service supported is Amazon Bedrock, enabling ABAP developers to utilize advanced generative AI models.

Deploying the ABAP Cloud Developer Trial on AWS

There are multiple ways to deploy infrastructure on AWS cloud. On this blog we will focus on using the AWS Command Line Interface (CLI) to programmatically deploy a Windows Server instance that will be used as a bastion host and an Amazon Linux instance that will host the SAP docker image.

Requirements:

To deploy the solution in this blog, you will require:

An AWS account: Follow the Setting Up Your AWS Environment guide to create and configure your account.
IAM User and IAM Roles: Follow the IAM setup steps in the referenced guide and ensure the user has the permissions listed in the Appendix. Verify that all necessary IAM Roles and ABAP profiles have been created to be able to connect to the instances, and run the demo program successfully.
AWS Virtual Private Cloud (VPC): Use an existing Default Virtual Private Cloud (VPC) or create one to ensure proper network configuration for your instances. For more details, see Configure a Virtual Private Cloud.
SSH Key Pair: Generate an SSH key pair to securely access your EC2 instances. You can create a key pair using the Amazon EC2 console. For more information, see Create a key pair using Amazon EC2.

Deploying the Windows Bastion Server

In this blog, we will use AWS CloudShell for deploying the infrastructure. AWS CloudShell is a browser-based shell that provides direct access to AWS services via the command line, pre-configured with tools like the AWS CLI. To access CloudShell, log into the AWS Management Console and then click on the upper-right terminal icon. If you’re new to the console, refer to the Getting Started with the AWS Management Console guide for a detailed introduction.

Tip: Before launching resources, select an AWS Region using the region selector in the AWS Management Console’s top-right navigation bar. Regions affect latency and cost, with prices varying by location. For the lowest costs, use the US East 1 (N. Virginia) region. For more details, see AWS Pricing.

The next step is to select the network for your EC2 instances. To find your VPC ID, open the VPC Dashboard in the AWS Management Console, navigate to Your VPCs, and copy the VPC ID (e.g.,vpc-123abc456) from the list. Keep this ID handy, as it will be used in later steps.

Now that you have the minimum requirements to deploy your ABAP Cloud Developer Trial environment, let’s create the Security Group for your Windows Bastion server. It will authorize the Windows server to connect to the required SAP ports from the ABAP Cloud Developer Trial instance.

Use the below AWS CLI command to create the Security Group:

# aws ec2 create-security-group \ --group-name WIN-HOST-SG \ --description "Security group for Windows host to access ABAP Cloud Developer Trial" \ --vpc-id <your-vpc-id> \ --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=WIN-HOST-SG}]'

Make sure to replace <your-vpc-id> with your actual VPC ID.

Take Note of the Security Group ID: Navigate to the VPC Dashboard in the AWS Management Console, click on Security Groups, locate the one named WIN-HOST-SG, and copy the Security Group ID (e.g., sg-00x0000000x000000). This ID will be required in subsequent steps.

After successfully creating the Security Group, we will launch our Bastion Host using the Microsoft Windows Server 2025 Full Locale English AMI provided by Amazon, on an m6a.large EC2 instance. It also includes a 50 GB EBS volume for storage, which will be automatically deleted upon termination of the instance.

You will need to specify your Key Pair, Security Group, and Subnet to complete the configuration.

To find your Key Pair, go to the EC2 Dashboard and select Key Pairs under Network & Security; you can use an existing key pair or create a new one.
For the Security Group, navigate to the VPC Dashboard, click on Security Groups, and note the Security Group ID for the one you plan to use.
To locate your Subnet, go to Subnets in the VPC Dashboard and copy the Subnet ID of the desired subnet. These IDs will be required for the setup commands.

# aws ec2 run-instances \ --image-id resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-English-Full-Base \ --instance-type m6a.large \ --key-name <your-key-pair> \ --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":50,"DeleteOnTermination":true}}]' \ --security-group-ids <your-windows-security-group-id> \ --subnet-id <your-subnet-id> \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=Bastion-Host}]'

Make sure to replace <your-subnet-id> with the ID of your Private Subnet, <your-key-pair> with your Key Pair, and <Bastion-Host-security-group-id> with the Security Group ID (not Name).

Launching the ABAP Cloud Developer Trial Host

Before launching the EC2 instance that will host the SAP ABAP system, let’s start by creating the Security Group for your SAP ABAP host and authorizing access to the necessary SAP ports. These ports will be accessible from the Security Group we previously created for the Bastion Host. This setup ensures it can connect securely to your SAP ABAP instance for development and management tasks.

# aws ec2 create-security-group \ --group-name SAP-ABAP-SG \ --description "Security group for ABAP Cloud Developer Trial access" \ --vpc-id <your-vpc-id> \ --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=SAP-ABAP-SG}]'

Make sure to replace <your-vpc-id> with your actual VPC ID.

Take Note of the Security Group ID: Navigate to the VPC Dashboard in the AWS Management Console, click on Security Groups, locate the one named SAP-ABAP-SG, and copy the Security Group ID (e.g., sg-00x0000000x000000). This ID will be required in subsequent step to authorize traffic from the Windows Bastion host to it with the following commands:

# aws ec2 authorize-security-group-ingress \ --group-id <SAP-ABAP-SG-security-group-id> \ --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3200, "UserIdGroupPairs": [{"GroupId": "<Bastion-Host-security-group-id>", "Description": "SAPGUI Instance 00"}]}]'

Make sure to replace <SAP-ABAP-SG-security-group-id> and <Bastion-Host-security-group-id> with your actual Security Group ID for the SAP ABAP instance (i.e.: SG ID: sg-00x0000000x000000).

Now we’ll launch an r6a.xlarge EC2 Instance with a 150GB EBS volume that will host our Docker image. The instance runs Amazon Linux 2023:

Note: To check available instance types in your selected region, refer to the Find an Amazon EC2 instance type guide.

# aws ec2 run-instances \ --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64 \ --instance-type r6a.xlarge \ --key-name <your-key-pair> \ --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"VolumeSize":150,"DeleteOnTermination":true}}]' \ --security-group-ids <your-SAP-ABAP-SG-security-group-id> \ --subnet-id <private-subnet-id> \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=ABAP-Cloud-Dev-Trial-Instance}]' \ --user-data '#!/bin/bash yum update -y yum install docker -y sudo service docker start sudo usermod -a -G docker ec2-user docker pull sapse/abap-cloud-developer-trial:ABAPTRIAL_2022_SP01'

Don’t forget to modify the following parameters with your own values:

<your-key-pair>
<your-SAP-ABAP-SG-security-group-id>
<your-vpc-id>
<private-subnet-id>

This User Data script updates the instance, installs Docker, starts the service, and adds permissions for the EC2 user to run Docker commands. It then pulls the ABAP Cloud Developer Trial Docker image, which may take around 30 minutes due to the size of the docker image. Once complete, your instance will be ready to run SAP ABAP in Docker.

Run the following command to retrieve the SAP instance’s private IP address. Be sure to take note of this IP, as you’ll need it later to access the SAP system:

# aws ec2 describe-instances \ --filters "Name=tag:Name,Values=ABAP-Cloud-Dev-Trial-Instance" \ --query "Reservations[].Instances[].PrivateIpAddress" \ --output text

To connect to the Amazon Linux host, on the AWS Console, navigate to EC2 → Instances (running) and select the ABAP-Cloud-Dev-Trial-Instance. Click on Connect → Session Manager → Connect.

Note: Session Manager has an idle session timeout value of 20 minutes per default. To increase that value (maximum of 60 minutes) refer to the AWS documentation Specify an idle session timeout value.

To monitor the status of the docker pull command, you can check the log file /var/log/cloud-init-output.log inside the Amazon Linux host.

# tail -f /var/log/cloud-init-output.log

The Docker pull command will be complete a similar message as below is displayed in the log file.

Digest: sha256:8980d8fe17073ee1427ec1ae3fbd5cde7db0a9bc613efa6aea6ce9f179e38b96 Status: Downloaded newer image for sapse/abap-cloud-developer-trial:ABAPTRIAL_2022_SP01 docker.io/sapse/abap-cloud-developer-trial:ABAPTRIAL_2022_SP01 Cloud-init v. 22.2.2 finished at Mon, 25 Nov 2024 16:39:05 +0000. Datasource DataSourceEc2. Up 776.09 seconds

Note: The console output shown here is an example. The actual output may differ slightly based on your environment, system configuration, or the specific Docker image version being pulled.

To start the system, you’ll need to accept the SAP DEVELOPER License, which appears when the Docker container starts. On the Amazon Linux host. To avoid issues in case your session disconnects, execute the command through screen.

First, install the screen utility on the Amazon Linux host with the below command:

Then, run the following commands to accept the license in a screen session. This allows the process to continue running in the background:

screen -l docker run --sysctl kernel.shmmax=21474836480 --sysctl kernel.shmmni=32768 --sysctl kernel.shmall=5242880 --sysctl kernel.msgmni=1024 --sysctl kernel.sem="1250 256000 100 8192" --ulimit nofile=1048576:1048576 --stop-timeout 3600 -it --name a4h -h vhcala4hci -p 3200:3200 -p 3300:3300 -p 8443:8443 -p 30213:30213 -p 50000:50000 -p 50001:50001 -p 8000:8000 sapse/abap-cloud-developer-trial:ABAPTRIAL_2022_SP01 -skip-limits-check -agree-to-sap-license To exit screen, press the keys: ctrl + A + D

Running the command with screen will ensure that the system is not stopped in case your session is interrupted. You’ll see a message similar to this:

Now that your SAP instance is up and running, it’s time to connect to it via your Bastion Host. To do this, we’ll use Fleet Manager. Fleet Manager is an AWS Systems Manager capability that lets you securely manage and interact with your Windows Server Amazon Elastic Compute Cloud (Amazon EC2) instances using the Remote Desktop Protocol (RDP). On the AWS Console, navigate to EC2 → Instances (running) and select the Bastion-Host instance. Click on Connect → RDP Client. Under Connection Type select Connect Using Fleet Manager.
To retrieve the Administrator password, click Get Password and upload the security key pair you generated at the start of this guide. This will decrypt the password, allowing you to access the Windows instance. When prompted, log in to your instance with the specified username and password.

For more information, see Setting up your environment in the AWS Systems Manager User Guide.

After connecting to your Bastion Host, the next step is to install the SAP Frontend (SAP GUI for Windows) as you would typically do. Begin by accessing the SAP Software Center to obtain the latest version of SAP GUI. Download the installation package from the SAP Frontend Components category section, and once it’s downloaded, proceed with the installation on your machine. Once the installation is complete, add your SAP ABAP instance entry to the SAP GUI to connect to your SAP environment. To do this, add a custom-specified system and set the Application Server to the SAP ABAP instance’s private IP address that you previously retrieved using the command line or alternatively use vhcala4hci if you’ve updated your Windows hosts file. Set the Instance to 00 and the SID to A4H. For detailed instructions, refer to the latest SAP Frontend Installation Guide and the Docker documentation.

Updating the License via SAP GUI (SLICENSE)

To connect to your SAP instance and update your license, you can check the license’s expiry date using the transaction SLICENSE in SAP GUI. The ABAP license that comes with the Docker image is valid for only three months. It’s a good idea to set a reminder to update your license before it expires to avoid interruptions. Follow these steps to download and import the demo license:

Log in to your ABAP system with the user SAP*, client 000, using the same password as for DEVELOPER (note that DEVELOPER, client 001, is locked). The password is specified in the Cloud ABAP Developer Trial Docker documentation.
Start transaction SLICENSE and copy the hardware key.
Obtain the license from MiniSAP, selecting the system A4H.
Return to your SAP ABAP system, start SLICENSE again, and click on Install to import the new license.
Log off, then log in with the user DEVELOPER, client 001.
Start SLICENSE once more and remove the old, invalid licenses (note that SAP* is not allowed to delete licenses).

Activate TMS configuration (STMS)

To enable transport imports, you need to activate the TMS configuration. User passwords are specified in the Cloud ABAP Developer Trial Docker documentation.

Log in to the system using the username DEVELOPER
Navigate to transaction code STMS, then go to Overview > Imports.
Select Environment > System Overview.
Click on Extras > Distribute and Activate Configuration.
Your SAP system is now ready to import transports.

Getting Started with AWS SDK for SAP ABAP

Installation and Setup

In the Amazon Linux host, install the AWS SDK for SAP ABAP using sample scripts from the AWS Labs public GitHub repository, awslabs/aws-sap-automation. These scripts, under the AWS SDK for SAP ABAP installer @ SAP ABAP Cloud Developer Trial Edition feature, automate the setup of Docker and the SAP ABAP environment. For a detailed breakdown of the script contents and steps, refer to the README.md file in the GitHub folder.

Run the following commands on the ABAP Cloud Developer Trial instance:

# cd /tmp # wget https://github.com/awslabs/aws-sap-automation/blob/main/abapsdk_abap_cloud_developer_trial/aws-sap-dockersetup.sh # chmod +x aws-sap-dockersetup.sh # ./aws-sap-dockersetup.sh docker_setup # CONTAINER_ID=$(docker ps -q) # docker exec -it $CONTAINER_ID sudo su - a4hadm -c '/tmp/aws-sap-dockersetup.sh sap_setup'

Note: This script performs a tp import all command to import all transports from the AWS SDK for SAP ABAP into the system at once. If you’re adapting this script for a system other than the ABAP Cloud Developer Trial system, make sure your SAP import queue is clear before running the script.

In the aws-sap-dockersetup.sh script, the tla_values variable specifies the modules to be imported into the SAP system. By default, it includes a preselected list of modules for some of the most commonly used AWS services. You can customize this list to include only the modules relevant to your needs. Refer to the AWS SDK for SAP ABAP Module List for the full list of available modules. Alternatively, you can proceed with the default modules specified in the script.

Once the AWS SDK for SAP ABAP has been installed, make sure that it is configured according to the AWS documentation, For further details, refer to Configuring AWS SDK for SAP ABAP and Getting started with the AWS SDK for SAP ABAP.

Sample Use Case: Integrating with Amazon Bedrock

Before integrating your SAP ABAP system with Amazon Bedrock, ensure you have requested access to the foundation model(s) you plan to use. In the AWS Console, navigate to Bedrock → Bedrock Configurations → Model Access. Select the base models you want to use, check their Access Status, and click Available to request until they show as “Access granted.”

For more details, refer to Access Amazon Bedrock foundation models.

Note: Make sure you review the End-user License Agreement or EULA before using 3rd party FMs.

The ABAP code sample below demonstrates how to communicate with Amazon Bedrock using the SE38 transaction in your SAP ABAP system. This demo leverages Amazon Nova Micro, a text-only model from the Amazon Nova family. With low latency, high performance in tasks like language understanding, reasoning, and code completion, and a generation speed of over 200 tokens per second, Nova Micro is ideal for applications requiring fast, cost-effective responses.

*&---------------------------------------------------------------------* *& Report ZAWS_BEDROCK_DEMO *&---------------------------------------------------------------------* REPORT ZAWS_BEDROCK_DEMO LINE-SIZE 255. PARAMETERS: sdkpfl TYPE /aws1/rt_profile_id OBLIGATORY DEFAULT 'DEMO', modelid type /aws1/bdrconversationalmodelid OBLIGATORY default 'us.amazon.nova-micro-v1:0' LOWER CASE. DATA av_prompt(255). DATA av_linno TYPE i. CLASS lc_conversation DEFINITION. PUBLIC SECTION. METHODS constructor. METHODS write. METHODS prompt. PRIVATE SECTION. DATA ao_bdr TYPE REF TO /aws1/if_bdr. DATA at_messages TYPE /aws1/cl_bdrmessage=>tt_messages. METHODS write_multiline IMPORTING iv_text TYPE clike. METHODS append_message IMPORTING iv_role TYPE string iv_text TYPE clike. ENDCLASS. CLASS lc_conversation IMPLEMENTATION. METHOD constructor. TRY. DATA(lo_session) = /aws1/cl_rt_session_aws=>create( sdkpfl ). ao_bdr = /aws1/cl_bdr_factory=>create( lo_session ). CATCH /AWS1/CX_RT_SERVICE_GENERIC INTO DATA(lo_ex). WRITE : / lo_ex->get_text( ) COLOR COL_NEGATIVE. ENDTRY. ENDMETHOD. METHOD write. FORMAT RESET. SET BLANK LINES ON. IF lines( at_messages ) > 0. WRITE: / 'Conversation history' COLOR COL_HEADING. LOOP AT at_messages INTO DATA(lo_msg). DATA(lt_content) = lo_msg->get_content( ). DATA(lo_content) = lt_content[ 1 ]. " assume just one text stanza IF lo_msg->get_role( ) = 'user'. FORMAT color COL_TOTAL. ELSE. FORMAT color COL_NORMAL. ENDIF. write_multiline( lo_content->get_text( ) ). ENDLOOP. ULINE. ENDIF. WRITE: / 'Enter your next prompt and press F8:' COLOR COL_HEADING. CLEAR av_prompt. WRITE / av_prompt INPUT ON. av_linno = sy-linno. * Scroll down to command field DATA line TYPE i. line = sy-linno - sy-srows + 3. SCROLL LIST INDEX 1 TO LAST PAGE LINE line. SET CURSOR FIELD 'CMD' LINE sy-linno. CLEAR sy-lsind. ENDMETHOD. METHOD write_multiline. DATA: lv_text TYPE string, lv_remaining TYPE string, lv_line TYPE string, lv_width TYPE i. lv_width = sy-scols - 2. SPLIT iv_text AT cl_abap_char_utilities=>newline INTO TABLE DATA(lt_text). LOOP AT lt_text ASSIGNING FIELD-SYMBOL(<text>). lv_remaining = <text>. WHILE strlen( lv_remaining ) > 0. IF strlen( lv_remaining ) <= lv_width. WRITE: / lv_remaining. CLEAR lv_remaining. ELSE. DATA(lv_pos) = lv_width. WHILE lv_pos > 0. IF lv_remaining+lv_pos(1) CA ' '. lv_line = lv_remaining(lv_pos). lv_remaining = lv_remaining+lv_pos. SHIFT lv_remaining LEFT DELETING LEADING space. EXIT. ENDIF. lv_pos = lv_pos - 1. ENDWHILE. IF lv_pos = 0. lv_line = lv_remaining(lv_width). lv_remaining = lv_remaining+lv_width. ENDIF. WRITE: / lv_line. ENDIF. ENDWHILE. ENDLOOP. ENDMETHOD. METHOD append_message. APPEND NEW /aws1/cl_bdrmessage( iv_role = iv_role it_content = VALUE /aws1/cl_bdrcontentblock=>tt_contentblocks( ( NEW /aws1/cl_bdrcontentblock( iv_text = CONV string( iv_text ) ) ) ) ) TO at_messages. ENDMETHOD. METHOD prompt. READ LINE av_linno FIELD VALUE av_prompt. DATA lo_ex TYPE REF TO cx_root. append_message( iv_role = 'user' iv_text = av_prompt ). TRY. DATA(lo_result) = ao_bdr->converse( EXPORTING iv_modelid = modelid it_messages = at_messages io_inferenceconfig = NEW /aws1/cl_bdrinferenceconf( iv_maxtokens = 2000 ) ). DATA(lt_blocks) = lo_result->get_output( )->get_message( )->get_content( ). LOOP AT lt_blocks ASSIGNING FIELD-SYMBOL(<block>). append_message( iv_role = 'assistant' iv_text = <block>->get_text( ) ). ENDLOOP. CATCH /aws1/cx_bdrresourcenotfoundex INTO lo_ex. WRITE : / lo_ex->get_text( ) COLOR COL_NEGATIVE. CATCH /aws1/cx_bdrvalidationex INTO lo_ex. WRITE : / lo_ex->get_text( ) COLOR COL_NEGATIVE. WRITE: / 'It may not be available in this region'. CATCH /aws1/cx_bdraccessdeniedex INTO lo_ex. WRITE : / lo_ex->get_text( ) COLOR COL_NEGATIVE. WRITE: / 'You will need to go to the Bedrock console and select the "Model Access" feature to request access to it'. ENDTRY. ENDMETHOD. ENDCLASS. INITIALIZATION. DATA(go_convo) = NEW lc_conversation( ). START-OF-SELECTION. go_convo->write( ). AT PF8. go_convo->prompt( ). go_convo->write( ).

Cost estimate

The following is an approximate breakdown of costs based on AWS North Virginia (us-east-1) pricing assuming 2 hours of daily usage:

EC2 Instances
Bastion Host (m6a.large, Windows Server): $0.1784/hour. Cost: ~$0.36/day or ~$10.70/month.
SAP ABAP Host (r6a.xlarge, Linux): $0.2268/hour. Cost: ~$0.45/day or ~$13.61/month.

EBS Volumes
Windows Host (50 GB): $0.08/GB/month. Cost: $4.00/month.
SAP ABAP Host (150 GB): $0.08/GB/month. Cost: $12.00/month.

Data Transfer
Data Transfer Out: The first 1 GB is free. Total cost: $0.00.

Cost Estimate with Amazon Bedrock (Example)

If you use the AWS SDK for SAP ABAP to integrate with Amazon Bedrock, the cost depends on the number of input and output tokens processed by the chosen foundation model. This example assumes processing 500,000 input tokens and 250,000 output tokens per month with a foundation model like Amazon Nova Micro:

Input Tokens (500,000): $0.000035/1,000 tokens. Cost: $0.0175/month.
Output Tokens (250,000): $0.00014/1,000 tokens. Cost: $0.035/month.
Total: $0.0525 /month.

Note: For details on tokenization and how tokens are calculated, refer to the Amazon Bedrock Pricing and the Tokenization Guide.

Total (30 days, 3 hours/day):

EC2 Instances: ~$24.31.
EBS Storage (Monthly): $16.00.
Data Transfer Out: $0.00.
Amazon Bedrock: $0.0525.

Monthly Total: ~$40.36.

Note: Actual costs may vary based on usage patterns and AWS pricing updates. Always refer to the AWS Pricing Calculator for the most accurate estimates.

Clean Up

To avoid unnecessary charges, clean up the deployed resources:

Terminate EC2 Instances and remove unused EBS Volumes: Use the EC2 Dashboard to terminate instances, stopping compute charges. Ensure any attached EBS volumes are deleted if no longer needed.

Delete Key Pair: If a key pair was created, remove it from the EC2 Dashboard under Key Pairs.

Delete NAT Gateway (if created): If using a custom VPC with a NAT Gateway for patch downloads, delete it via the VPC Dashboard to stop hourly and data transfer charges.

Note: NAT Gateways incur hourly and data transfer costs. Learn more in the NAT Gateway Pricing Guide.

Conclusion

The AWS SDK for SAP ABAP allows ABAP developers to tap into 240+ AWS services to solve business problems. Utilizing SAP’s ABAP Cloud Developer Trial system in conjunction with the AWS SDK for SAP ABAP is a quick and easy way to get started on extending your SAP systems with AWS.

Deploying the ABAP Cloud Developer Trial on AWS has never been easier, thanks to the flexibility of AWS EC2 instances and the convenience of Docker. With just a few steps, you can set up a scalable and secure ABAP environment, ready for development. Additionally, the AWS SDK for SAP ABAP enhances your ABAP applications by providing seamless integration with over 240 AWS services, unlocking new possibilities for automation, AI, and more.

Now is the perfect time to begin your own SAP ABAP deployment on AWS. Get started today by following the documentation and resources provided by AWS, and explore the powerful tools at your disposal. For more hands-on labs and examples, check out our AWS SDK for SAP ABAP Workshop. You’ll find samples for integrating with services like Amazon S3, Amazon SNS, Amazon Textract, AWS Lambda, and Amazon DynamoDB.

Appendix

IAM Permissions for Your Admin User

Once you’ve created your first Admin user (refer to the Requirements section, where you set up an IAM user, assign them the AdministratorAccess AWS-managed policy. This grants full access to AWS services and resources, enabling them to manage your environment effectively. For detailed steps, refer to Policies and permissions in AWS Identity and Access Management.

Note: While the AdministratorAccess policy is convenient for initial setup, following the principle of least privilege is the best practice. Only grant permissions necessary for specific tasks to enhance security in your AWS environments.

IAM Permissions for Your ABAP Cloud Developer Trial

With the SDK for SAP ABAP, SAP authorizations can be mapped directly to IAM roles using profiles that group technical settings for specific scenarios. An ABAP SDK profile defines the settings required for a specific application scenario. You can create as many SDK profiles as needed to match different user profiles or application scenarios. In our blog demo, we’ll create a profile called ZBEDROCK to demonstrate how this simplifies authorization and integrates with AWS services. For more details, visit AWS SDK for SAP ABAP Application Configuration.

Note: While these profiles manage user-level permissions, the EC2 instance running the ABAP Cloud Developer Trial requires its own IAM role. This instance role allows the EC2 instance to assume user profile roles (like ZBEDROCK), enabling secure interaction with AWS services.

To create a user profile IAM role for accessing Amazon Bedrock services, start by navigating to the IAM Console. Create a new role and name it ZBEDROCK. Assign the managed policy AmazonBedrockFullAccess to this role. This policy ensures that the role has the necessary permissions to interact with Amazon Bedrock in a read-only capacity. Now, navigate to the Trust Relationships section and use the JSON visual editor to add the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111111111111:root" }, "Action": "sts:AssumeRole" } ] }

Note: Make sure to replace 111111111111 with your actual AWS Account ID. You can find your AWS Account ID in the top right corner of the AWS Management Console, under your account name or email address.

On your SAP instance, you must also create an ABAP SDK profile that matches this IAM role. This ABAP profile should be configured to align with the ZBEDROCK role, enabling authorization mapping. Refer to Step 2.3 of the Getting started with the AWS SDK for SAP ABAP blog for detailed guidance on the application configuration process.

Now that we have created the functional user role, the next step is to create the IAM role that will allow the ABAP Cloud Developer Trial EC2 instance to assume the ZBEDROCK role. Begin by creating a new IAM role named abapcloudrole. In the Add Permissions section, attach the managed policy AmazonSSMManagedInstanceCore. This policy enables the EC2 instance to use AWS Systems Manager, allowing you to connect to the instance through AWS Session Manager without needing SSH access. After saving the role, return to the main IAM console and select the newly created abapcloudrole. Next, in the Add Permissions section, click the Create Inline Policy button. Open the JSON editor tab and manually input the following policy to allow the EC2 instance to assume the ZBEDROCK role, name the policy, and save the changes. This completes the setup of the abapcloudrole.

{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::111111111111:role/zbedrock" ], "Effect": "Allow" } ] }

Once the role is created, open AWS CloudShell in your AWS Management Console and run the following commands to attach the newly created abapcloudrole to your ABAP Cloud Developer. First, we’ll identify the Instance ID associated with your ABAP Cloud Developer Trial Instance:

# aws ec2 describe-instances \ --query "Reservations[].Instances[].{InstanceId:InstanceId,Name:Tags[?Key=='Name']|[0].Value,PrivateIp:PrivateIpAddress,State:State.Name}" \ --output table

You will see a table listing all your stopped and running EC2 instances, including their Instance IDs, tags, private IP addresses, and states. Locate the entry for your ABAP Cloud Developer Trial Instance and take note of its Instance ID. It should look similar to this: i-00000000x0xxxx000.

--------------------------------------------------------------------------------------------------- | DescribeInstances | +---------------------+-----------------------------------------------+---------------+-----------+ | i-00000000x0xxxx000| ABAP-Cloud-Dev-Trial-Instance | 10.0.0.21 | running | | | i-00000000x0xxxx001| Bastion-Host | 10.0.0.22 | running | | +---------------------+-----------------------------------------------+---------------+-----------+

Once you have the Instance ID, use the following command to attach the abapcloudrole IAM role to your instance:

# aws ec2 associate-iam-instance-profile \ --instance-id i-00000000x0xxxx000 \ --iam-instance-profile Name=abapcloudrole

Note: Replace i-00000000x0xxxx000 with the actual Instance ID you identified in the previous step.

IAM Permissions for Your Windows Bastion Host

Create a new IAM role named winbastionrole. In the Add Permissions section, attach the AWS-managed policy AmazonSSMManagedInstanceCore. This policy allows the EC2 instance to use AWS Systems Manager, enabling secure connections through AWS Session Manager without requiring SSH access. It also grants access to Fleet Manager, allowing you to manage and monitor your Windows Bastion Host efficiently through a centralized console.

How to Stop and Start Your ABAP Cloud Developer Trial System

Stopping the SAP System

To stop the SAP container gracefully, run the following command:

# docker stop -t 7200 a4h

Starting the SAP System

Restarting a stopped SAP container requires interactive mode to address potential issues during startup. Use this command:

Note: -a ensures you can view the container’s output. -i allows you to interact and respond to any startup issues. By attaching to the container, you can monitor the system’s startup process and troubleshoot effectively if needed.

Read Entire Article