To connect Adobe Experience Manager as a Cloud Service (AEMaaCS) to Azure services, such as Azure Key Vault, using a user-assigned managed identity and federated identity credentials, you can avoid using client secrets or pinned client certificates by leveraging Azure's workload identity federation features.
Try the steps below:
1. Create a User-Assigned Managed Identity
az identity create --name aem-identity --resource-group my-rg --location eastus
2. Assign the Managed Identity the Required Permissions (for example, give it access to Key Vault)
az keyvault set-policy --name my-keyvault --object-id <object-id> --secret-permissions get
3. Configure a Federated Identity Credential
- In the Azure portal, navigate to your user-assigned managed identity.
- Add a credential under Federated credentials in Settings.
- Choose Other Issuer and fill in Issuer, Subject, Audience, and Name.
4. Configure AEMaaCS to Issue Tokens
But please note IdP guest users (external users on a different domain to the main enterprise) are not supported as IMS federated ID users. Thus, guest/external users cannot be used to authenticate from AEMaaCS to Azure via federated identity credentials.
If you need to allow external users or systems to access Azure resources, you must:
- Issue them identities on your claimed domain, or
- Use a different authentication mechanism (such as service principals with client secrets/certificates, or Azure AD app registrations).
Please go through the documentation links below too:
Hope this helps!
Regards,
Rohan Garg
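As an added illustration (not part of the answer above or of any Adobe or Azure code), the rule behind step 3: Azure only exchanges a token from the external issuer for a managed-identity token when the token's iss, sub and aud claims match the Issuer, Subject and Audience configured on the federated credential and the token is unexpired. The issuer URL and subject below are constructed placeholders; api://AzureADTokenExchange is assumed to be the default exchange audience.

```python
import base64
import json
import time

# Constructed values mirroring the three portal fields of the federated
# credential (Issuer, Subject, Audience). Issuer and subject are placeholders.
FEDERATED_CREDENTIAL = {
    "issuer": "https://aem-issuer.example.invalid",   # placeholder, not a real IdP
    "subject": "aemaacs-program-123-env-456",          # placeholder subject
    "audience": "api://AzureADTokenExchange",          # assumed default audience
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_federated_claims(claims: dict, expected: dict, now=None) -> list:
    """Return the names of claims that fail the federated-credential match.
    An empty list means the claim set would be accepted for token exchange.
    Signature verification against the issuer's published JWKS is a separate,
    mandatory step that this function deliberately does not model."""
    now = int(time.time()) if now is None else now
    failures = []
    if claims.get("iss") != expected["issuer"]:
        failures.append("iss")
    if claims.get("sub") != expected["subject"]:
        failures.append("sub")
    aud = claims.get("aud")                      # 'aud' may be a string or a list
    auds = aud if isinstance(aud, list) else [aud]
    if expected["audience"] not in auds:
        failures.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:   # missing or already expired
        failures.append("exp")
    return failures

def make_test_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature for offline checks only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"
```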