Overview

This guide explains how to configure a Technical Account in AEM as a Cloud Service for Gradial integration. By generating Service Credentials and adding the Technical Account to your author group(s), you enable Gradial to interact with AEM for creating Launches, managing content, and other operations. Basic integration steps include:
  1. Creating a Technical Account and downloading credentials
  2. Providing the credentials to Gradial
  3. Assigning appropriate permissions to the Technical Account in AEM

AEM Cloud Service Authentication

AEM as a Cloud Service uses Adobe’s Identity Management System (IMS) for authentication:

Technical Account

Machine-to-machine communication using service credentials and JWT tokens for authentication. No user intervention required.

Permission-based Access

Access is governed by AEM group memberships that control what operations the Technical Account can perform.

Prerequisites

Before creating a Technical Account, ensure you have the proper access and team coordination:

Required Access Roles

  • Adobe IMS Org System Administrator - Required to create Technical Accounts
  • AEM Administrators IMS Product Profile member - Required to assign permissions

Team Coordination

Typically, the following teams are involved:
  • IT/DevOps Team - Usually holds System Administrator privileges for Cloud Manager
  • AEM Development Team - Configures user permissions and group memberships
  • Security Team - Reviews and approves service account access
Coordinate with your IT and security teams before proceeding. System Administrator access is typically restricted and may require approval workflows.

Integration Steps

Step 1: Create a Technical Account & Download Credentials

Who performs this step: Adobe IMS Org System Administrator (typically IT/DevOps team)
  1. Log in to Adobe Cloud Manager as a System Administrator for your IMS Org
  2. Select the Program containing your target AEM environment
  3. Find the AEM environment, click the ellipsis (…), then select Developer Console
  4. In the Developer Console, navigate to the Integrations tab
  5. Select the Technical Accounts tab
  6. Click Create new technical account
  7. Once created, expand the Technical Account entry
  8. Click View to download the service credentials JSON file (often named service token.json)
CRITICAL: Do not modify the downloaded JSON file in any way. Use the file exactly as provided by Adobe. Any modifications will cause authentication failures.
Keep this file secure and never commit it to source control. Store it according to your organization’s security policies for sensitive credentials.
Limits: Each AEM environment can have up to 10 technical accounts. Service credentials expire every 365 days and will need to be regenerated.
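
The three handling rules above (use the file unmodified, keep it private, regenerate it within 365 days) can be checked before the file is handed over. This is an added example, not code from Adobe or Gradial; the function names, the recorded hash and creation date, and the stand-in file are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from datetime import date, timedelta

CREDENTIAL_LIFETIME_DAYS = 365  # lifetime stated on this page


def fingerprint(path):
    """SHA-256 of the file bytes; record it right after download."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_credentials_file(path, recorded_sha256, created_on, today, warn_days=30):
    """Return findings; an empty list means the file is fit to hand over."""
    findings = []
    if fingerprint(path) != recorded_sha256:
        findings.append("modified: contents differ from the downloaded file")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions: mode {mode:o} grants access beyond the owner")
    days_left = (created_on + timedelta(days=CREDENTIAL_LIFETIME_DAYS) - today).days
    if days_left <= 0:
        findings.append("expired: regenerate the service credentials")
    elif days_left <= warn_days:
        findings.append(f"expiring: {days_left} days left, schedule regeneration")
    return findings


def demo():
    """Run the checks on a constructed stand-in file (not a real credential)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed-credentials.json")
        with open(path, "w") as fh:
            fh.write('{"constructed": "placeholder"}')
        os.chmod(path, 0o600)
        digest, created = fingerprint(path), date(2024, 1, 10)
        clean = check_credentials_file(path, digest, created, date(2024, 3, 1))
        with open(path, "a") as fh:  # an editor re-saving the file
            fh.write("\n")
        os.chmod(path, 0o644)  # loosened permissions
        dirty = check_credentials_file(path, digest, created, date(2024, 12, 20))
    return clean, dirty


if __name__ == "__main__":
    print(demo())
```
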

Step 2: Provide Credentials to Gradial

Gradial will:
  • Use the service token.json to generate and sign a JWT
  • Exchange that JWT with Adobe IMS for short-lived access tokens
  • Add a Bearer token header to AEM API calls
Share the service token JSON file securely with your Gradial representative.

Step 3: Configure AEM Permissions

Who performs this step: AEM Administrator or user with security administration privileges

The Technical Account will appear in AEM as a service user after its first authentication request.

Locate the Technical Account User

  1. In AEM Author, navigate to Tools > Security > Users
  2. Search for the technical account (format: [email protected])
  3. If not visible, the service account needs to authenticate at least once first

Required Permissions

The technical service account requires specific read and write permissions:
Read Permissions Required:
  • /apps - Application configurations and components (provided by default by the Contributors group)
  • /conf - Configuration settings (allows reading of templates and policies)
  • /content/launches - Launches (allows Gradial to check for an existing launch)
  • /content/<your-website-path> - Access to your website structure
  • /content/cq:tags - Access to your tags to allow for proper tagging of content
  • /libs - System libraries (provided by default by the Contributors group)
  • jcr:versionManagement on /content/launches - Required for version control operations on launches
Write Permissions Required:
  • /content/launches - Required Permission: rep:write - for launch-based workflows.
  • /content/<your-website-path> - Required Permission: rep:write - Direct content modification
  • /content/dam/<your-dam-path> - Required Permission: rep:write - Allows for asset upload and metadata modification
  • /content/cq:tags - Required Permission: rep:write - Allows for adding and modifying tags

Permission Assignment Options

Option 1: Add to Existing Author Groups
  • Add the technical account to your standard author group(s)
  • This inherits typical author permissions including launch creation and asset management
Option 2: Create Dedicated Service Account Group
  • Create a new group specifically for technical service accounts
  • Assign only the minimum required permissions listed above
  • Add additional permissions as needed (e.g., replication rights)
For enhanced security, Option 2 is recommended to follow the principle of least privilege.
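
To see how far a group drifts from the minimum list above, its allow entries can be compared against that list. This is an added example, not Gradial's or Adobe's code: the site and DAM paths are placeholders, the mapping of "read" to the jcr:read privilege is an assumption, and the entries under SAMPLE_GROUP_ACES are constructed.

```python
SITE = "/content/example-site"     # placeholder for /content/<your-website-path>
DAM = "/content/dam/example-site"  # placeholder for /content/dam/<your-dam-path>

# Minimum grants listed on this page ("read" is assumed to mean jcr:read).
REQUIRED = {
    "/apps": {"jcr:read"},
    "/libs": {"jcr:read"},
    "/conf": {"jcr:read"},
    "/content/launches": {"jcr:read", "jcr:versionManagement", "rep:write"},
    SITE: {"jcr:read", "rep:write"},
    "/content/cq:tags": {"jcr:read", "rep:write"},
    DAM: {"rep:write"},
}

# Constructed allow entries (path, privilege) for a hypothetical service group.
SAMPLE_GROUP_ACES = [
    ("/apps", "jcr:read"), ("/libs", "jcr:read"), ("/conf", "jcr:read"),
    ("/content/launches", "jcr:read"), ("/content/launches", "rep:write"),
    (SITE, "jcr:read"), (SITE, "rep:write"),
    ("/content/cq:tags", "jcr:read"), ("/content/cq:tags", "rep:write"),
    ("/content/dam", "rep:write"),   # wider than the DAM path on the list
    ("/content", "crx:replicate"),   # not on the minimum list
]


def is_under(path, root):
    """True when path is root itself or a descendant of it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit(granted):
    """Compare allow entries with REQUIRED; deny entries and restrictions are not modelled."""
    # Excess: a grant that no required entry covers at that path or above it.
    excess = sorted(
        (path, priv) for path, priv in granted
        if not any(is_under(path, root) and priv in privs
                   for root, privs in REQUIRED.items())
    )
    # Missing: a required privilege with no grant on the path or an ancestor.
    missing = sorted(
        (root, priv) for root, privs in REQUIRED.items() for priv in privs
        if not any(is_under(root, path) and got in (priv, "jcr:all")
                   for path, got in granted)
    )
    return {"excess": excess, "missing": missing}


if __name__ == "__main__":
    print(audit(SAMPLE_GROUP_ACES))
```

Entries reported as excess are the ones that need a documented reason, such as the replication rights mentioned under Option 2.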

Important Notes

  • The private key in service token.json generally expires each year, so you will need to regenerate the Service Credentials JSON before it expires
  • Access tokens themselves expire frequently; Gradial automatically fetches new tokens using the private key

Reference

For additional information, see these Adobe documentation resources:

Need Help?

Contact your Gradial representative for additional support with your AEM as a Cloud Service integration.