Creating an API Service Key for CPI Transporter

This guide explains how to create the necessary Service Key in your SAP BTP subaccount. This key allows the CPI Transporter to access and manage your integration artifacts using the API plan of the "Process Integration Runtime" service.

To enable CPI Transporter to deploy and manage integration artifacts, you need a Service Instance of "Process Integration Runtime" with the "api" plan, and a Service Key for that instance.

Steps:
  1. Log in to your SAP BTP Cockpit.
    Navigate to the Subaccount where your Cloud Integration service is enabled.
  2. Navigate to Service Marketplace.
    In your Subaccount, go to Services → Service Marketplace. Search for "Process Integration Runtime".
  3. Create a New Instance.
    Click "Create" on the "Process Integration Runtime" tile.
    • It is recommended to create a new, dedicated instance for CPI Transporter for clear permission separation, even if other instances exist.
  4. Configure the New Instance:
    • Service: Process Integration Runtime
    • Plan: Select the api plan. This is essential. The integration-flow plan is for runtime message processing and will not work for deployment via CPI Transporter.
    • Instance Name: Choose a descriptive name (e.g., CPITransporter_API_Access).
    Click "Next".
  5. Assign Roles (Permissions for API Access):
    To enable all features of the CPI Transporter, the following specific roles must be assigned when creating the service key for the api plan. These roles ensure that the CPI Transporter can manage, deploy, and monitor integration artifacts:
    • WorkspacePackagesEdit - Allows editing of integration packages.
    • WorkspacePackagesConfigure - Allows configuration of integration packages.
    • WorkspaceArtifactsDeploy - Allows deployment of integration artifacts (IFlows, Value Mappings, etc.).
    • AccessAllAccessPoliciesArtifacts - Required for managing access policies related to artifacts.
    • MonitoringDataRead - Allows reading of monitoring data, which is used for connection tests and status checks.
    These roles are typically assigned by providing a JSON configuration during the service instance creation or by ensuring the technical user associated with the service key has a role collection containing these permissions.

    Example JSON for instance parameters (use if direct role assignment is not available in UI):
    {
      "roles": [
        "WorkspacePackagesEdit",
        "WorkspacePackagesConfigure",
        "WorkspaceArtifactsDeploy",
        "AccessAllAccessPoliciesArtifacts",
        "MonitoringDataRead"
      ]
    }
    Ensure these permissions are correctly associated with the service key you create.
    Click "Create" to finish instance creation.
  6. Create Service Key:
    Once the instance is created, find it under "Instances and Subscriptions". Click the three dots (...) next to your instance and select "Create Service Key".
  7. Configure Service Key:
    • Name: Give it a descriptive name (e.g., CPITransporter_API_Key).
    Click "Create".
  8. Copy Credentials:
    The service key (a JSON object) will be displayed. Copy these critical values for configuring CPI Transporter:
    • url (The design-time API endpoint for your CPI tenant, e.g., https://your-tenant-tmn.hci.<region>.hana.ondemand.com)
    • clientid (The OAuth client ID)
    • clientsecret (The OAuth client secret)
    • tokenurl (The OAuth token endpoint, e.g., https://yoursubaccount.authentication.<region>.hana.ondemand.com/oauth/token)
    Store these credentials securely. You will use them when adding a new CPI system in the CPI Transporter application.

    Tip: PLUS+ users can use the "Quick Fill with JSON" feature to automatically populate all fields from the Service Key JSON. Upgrade to PLUS+
By following these steps, you create a service key with the necessary API access permissions for the CPI Transporter.

Connecting to SAP CPI