Friday, 7 November 2025

Credential-Based Authentication in AEM as a Cloud Service

Adobe Experience Manager (AEM) as a Cloud Service supports credential-based authentication for CDN integrations. This ensures secure communication between your CDN and Adobe’s managed edge network, as well as controlled access and cache management.

Why Credentials Are Needed

When you use a customer-managed CDN or require restricted access, credentials are used to:

  • Authenticate trusted CDNs using edge keys
  • Authorize cache purge requests
  • Enable basic authentication for restricted areas

Key Configuration Elements

Feature | Description
--- | ---
Edge Key | Authenticates customer-managed CDN traffic to Adobe’s edge network using secrets like ${{CDN_EDGEKEY}}.
Purge Token | Allows authorized cache purge requests with credentials like ${{CDN_PURGEKEY}}.
Basic Auth | Enables username-password access control for preview or restricted areas.

Sample Configuration

kind: "CDN"
version: "1"
metadata:
  envTypes: ["publish"]
data:
  authentication:
    authenticators:
      - name: edge-auth
        type: edge
        edgeKey1: ${{CDN_EDGEKEY_NEW}}
    rules:
      - name: edge-auth-rule
        when:
          reqProperty: tier
          equals: "publish"
        action:
          type: authenticate
          authenticator: edge-auth

Best Practices

  • Store credentials as environment secrets, not in plain text.
  • Rotate keys safely by using dual key entries (e.g., edgeKey1 and edgeKey2).
  • Use basic auth only for light access control, not for full user login systems.
  • Ensure CDN requests include headers like X-AEM-Edge-Key and X-Forwarded-Host.

Generate and Manage Your Own Purge Keys

AEM as a Cloud Service allows you to generate and manage your own purge keys through the self-service configuration process. These keys authenticate cache purge requests at the CDN layer, ensuring that only authorized users or systems can clear cached content.

How It Works

  1. Define the secret keys in AEM as a Cloud Service as secret-type environment variables with a complex format,
    e.g. CDN_PURGEKEY_CURRENT and CDN_PURGEKEY_PREVIOUS.
  2. In your AEM project, create or update a cdn.yaml file under your /config folder. Define a purge authenticator that references your purge key stored as an environment secret:

kind: "CDN"
version: "1"
metadata:
  envTypes: ["publish"]
data:
  authentication:
    authenticators:
      - name: purge-auth
        type: purge
        purgeKey1: ${{CDN_PURGEKEY_CURRENT}}
        purgeKey2: ${{CDN_PURGEKEY_PREVIOUS}}
  3. Deploy the configuration through Cloud Manager.
  4. Use the generated key in your purge API calls to invalidate cached content.

Best Practices

  • Rotate purge keys periodically for security.
  • Keep at least two keys (purgeKey1 and purgeKey2) active during rotation.
  • Store all keys as environment secrets in Cloud Manager, never in plain text.

This self-service model provides flexibility and security, allowing organizations to control when and how cache purges occur across environments.
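
A pre-deployment check for the practices listed above (keys referenced as secrets rather than written in plain text, and two distinct keys during rotation), given here as an added example that is not Adobe's or the author's code. The function name lint_cdn_yaml and the sample config are constructed for illustration, and the scan works line by line on the assumption that cdn.yaml uses the one-key-per-line layout shown on this page.

```python
import re

# Key entries inside an authenticator, e.g. "edgeKey1: ..." or "purgeKey2: ..."
KEY_LINE = re.compile(r"^\s*((?:edge|purge)Key[12]):\s*(.*?)\s*$")
# The only accepted value form is a secret reference such as ${{CDN_EDGEKEY}}
SECRET_REF = re.compile(r"^\$\{\{\s*(\w+)\s*\}\}$")
NAME_LINE = re.compile(r"^\s*-\s*name:\s*(\S+)")

# Constructed sample: one literal key and one "rotation" that reuses a secret.
SAMPLE = """\
    authenticators:
      - name: edge-auth
        type: edge
        edgeKey1: ${{CDN_EDGEKEY_NEW}}
        edgeKey2: "constructed-literal-key"
      - name: purge-auth
        type: purge
        purgeKey1: ${{CDN_PURGEKEY_CURRENT}}
        purgeKey2: ${{CDN_PURGEKEY_CURRENT}}
    rules:
      - name: edge-auth-rule
"""


def lint_cdn_yaml(text):
    """Return sorted (authenticator, issue) pairs for a cdn.yaml string."""
    section, current, refs, issues = None, None, {}, set()
    for line in text.splitlines():
        name, key = NAME_LINE.match(line), KEY_LINE.match(line)
        if line.strip() in ("authenticators:", "rules:"):
            section, current = line.strip()[:-1], None
        elif name and section == "authenticators":
            current = name.group(1)
            refs[current] = {}
        elif key and current:
            ref = SECRET_REF.match(key.group(2).strip("\"'"))
            if ref:
                refs[current][key.group(1)] = ref.group(1)
            else:
                issues.add((current, key.group(1) + " is a literal value"))
    for auth, keys in refs.items():
        # Two key slots pointing at one secret means nothing was rotated.
        if len(keys) == 2 and len(set(keys.values())) == 1:
            issues.add((auth, "both keys reference the same secret"))
    return sorted(issues)


if __name__ == "__main__":
    print(*lint_cdn_yaml(SAMPLE), sep="\n")
```

Run it against the cdn.yaml text in a pipeline step before the Cloud Manager deployment and fail the build when the returned list is not empty.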

 

Summary

Credential-based authentication secures how your CDN interacts with AEM’s edge delivery system. With proper configuration of edge keys, purge tokens, and basic auth, you can ensure safe, authenticated, and controlled content delivery in AEM as a Cloud Service.

Tags: AEM Cloud, Adobe Experience Manager, CDN Authentication, Edge Key, Purge Token, Basic Auth, AEM Security, Content Delivery

