As enterprises increasingly adopt SAP Kyma to extend and integrate their SAP landscapes using cloud-native architectures, security becomes a critical pillar for success. SAP Kyma provides a powerful and flexible platform based on Kubernetes, enabling microservices and serverless functions, but this flexibility requires robust security controls—especially around access management and authentication.
This article explores key concepts and best practices for securing access and authentication in SAP Kyma, helping organizations safeguard their applications and data.
Kyma allows developers to deploy multiple microservices, functions, and APIs that interact with SAP systems, cloud services, and third-party applications. These resources often handle sensitive business data, making it essential to:
Without proper security, organizations risk data breaches, compliance violations, and operational disruptions.
SAP Kyma leverages industry-standard protocols OAuth 2.0 and OpenID Connect for authenticating users and services. This enables integration with identity providers (IdPs) such as SAP Identity Authentication Service (IAS), Azure AD, or others.
These protocols allow Kyma services and APIs to verify the identity of requesters securely.
Within Kyma, microservices and serverless functions use Kubernetes service accounts for intra-cluster authentication. These service accounts issue JSON Web Tokens (JWTs) that prove identity when calling other services.
Kyma’s API gateway and Istio service mesh validate these tokens, ensuring that only authorized services communicate.
The Kyma API gateway acts as a gatekeeper for incoming traffic. It:
Istio provides secure service-to-service communication using mutual TLS (mTLS), encrypting traffic between microservices and enforcing access policies.
Kyma leverages Kubernetes RBAC to control which users or service accounts can manage resources (deployments, configurations, secrets) within the cluster. Fine-grained RBAC rules help separate duties and limit privileges.
Securing access and authentication in SAP Kyma is essential to protect sensitive SAP extensions and integrations built on the platform. By adopting standard authentication protocols like OAuth 2.0 and OpenID Connect, leveraging Kubernetes service accounts, and enforcing strict access controls via the API gateway and service mesh, organizations can build a secure, compliant, and resilient SAP Kyma environment.
Following these best practices helps ensure that only authorized users and services interact with your SAP cloud-native applications, preserving trust and enabling safe innovation.