
AEMaaCS and Asset Compute: Call to custom worker failed with: 401 Unauthorized


Level 4

Hi, I created an Asset Compute worker as shown in the tutorials, and it works when I call it from http://localhost:9000/. Now I am trying to call it from AEM by configuring the processing profile and specifying the worker URL from aio app get-url.

When I upload an asset, I see that AEM is trying to call the worker but then I see the following in the logs:

*INFO* [sling-cq-asset-processing-4-adobe-io-assetcompute-events-consuming-job] com.adobe.cq.assetcompute.impl.event.AssetComputeRenditionEventImpl Asset Compute worker failed to generate rendition for asset [...REDACTED...], processingId: '7c09d411-ef92-4a6c-8616-b734f4354bf0', Reason: 'GenericError', Message: 'Call to custom worker https://[...REDACTED...]-stage.adobeioruntime.net/api/v1/web/dx-asset-compute-worker-1/worker failed with : 401 Unauthorized'.

 

In the runtime logs, I see the following:

2023-06-18T06:12:35.014Z stdout: 2023-06-18T06:12:35.013Z [main /adobeio/shared-validators-v1/headless-v2] info: Calling the main action
2023-06-18T06:12:35.501Z stdout: 2023-06-18T06:12:35.501Z [main /adobeio/shared-validators-v1/headless-v2] info: 401: request is invalid, reason: failed authorization. Please verify your token and organization id.

 

Can someone suggest how that can be resolved? The tutorials don't mention configuring any authentication information on the AEM side. Does it have to do with the settings in "Adobe IMS Technical Account Configuration" for Asset Compute?

 


6 Replies


Level 4

Update: I don't know whether it is an expected behavior or not, but updating the "Adobe IMS Technical Account Configuration" for Asset Compute helped. There was already a configuration created for the default runtime, and I used another runtime that I created specifically for my investigation, so I had to update the config.

 

I wonder if AEM can work with two different Adobe IO runtimes.


Employee

The Asset Compute configuration "Adobe IMS Technical Account Configuration" is where the standard AEM rendition requests go to. The error "401: request is invalid, reason: failed authorization. Please verify your token and organization id." means that the Runtime action deployed at https://[...REDACTED...]-stage.adobeioruntime.net/api/v1/web/dx-asset-compute-worker-1/worker is not in the same Org as that of the configured AEM instance.


Level 2

Hi together,
Hi @Dmytro_Panchenk @yeedg,

 

we have the same issue.

Our App Builder Project and the AEM are in the same Org.

 

How exactly did you @Dmytro_Panchenk update the Asset Compute "Adobe IMS Technical Account Configuration"? I can't edit the default configuration. I can create a new "Adobe IMS Technical Account Configuration" but I don't know how this would be used to authenticate against the worker?

 

Does someone have an idea on how to solve this?

 

Thanks
Anian


Level 2

If we set "require-adobe-auth" to false in the ext.config.yaml, the worker runs successfully. So it seems that AEM can't authenticate against App Builder.

Employee

We recommend setting the `require-adobe-auth` to `true`. It could be returning an error because the tech account used in AEM may not have the correct product profiles.

 

Here's what you can do to confirm/fix -

  1. Find the tech account ID used in AEM.
    1. You can try logging the access token and inspecting it for the `sub` claim. To verify, go to the Developer console and use the project filters to fetch the project containing the tech account ID. If the project matches the AEM program, you are good.
    2. Alternatively, you can try to guess the project based on the AEM program name. Open the project and go to the OAuth Server-to-Server credential overview page. Note the technical account id mentioned there.

  2. Find the product profiles needed -
    1. Go to the App Builder project and workspace that was used to develop and deploy the asset compute worker.
    2. Go to the OAuth Server-to-Server credential overview page in that workspace. Note the product profiles mentioned there. These are the profiles you have used in your asset compute worker.

  3. Assign product profiles -
    1. A system admin needs to go to the Admin Console. Go to Users > API credentials
    2. Find the tech account ID from step 1 in that list and click on the magnifying glass icon for the tech account.
    3. Click the three-dot overflow menu next to products. Click on Edit API credential
    4. Once the modal opens, click on the + sign and assign all the product profiles from step 2.


[Screenshot: Admin Console > Users > API credentials]

[Screenshot: View details > Edit API credentials]

Hope this helps.

Thanks

Manik
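
For step 1.1 of the reply above, an added example (not part of the original post and not Adobe's code): a Node.js helper that decodes a bearer token's payload and reports its `sub` claim, so the technical account ID can be compared without writing the token itself to the logs. The function names, the sample token and the sample ID are constructed for illustration, and the payload is decoded without signature verification.

```javascript
// Added example. Decodes a JWT payload for troubleshooting only: the
// signature is NOT verified, so never use the result for access decisions.
function decodeJwtPart(part) {
  // JWT segments are base64url; map to standard base64 before decoding.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns only values that are safe to log: the sub claim and claim names,
// never the raw token or its signature. Both names are hypothetical helpers.
function describeToken(authorizationHeader, expectedTechAccountId) {
  const token = String(authorizationHeader || '').replace(/^Bearer\s+/i, '').trim();
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a three-part JWT' };
  let claims;
  try {
    claims = decodeJwtPart(parts[1]);
  } catch (err) {
    return { ok: false, reason: 'payload is not base64url-encoded JSON' };
  }
  if (claims === null || typeof claims !== 'object' || typeof claims.sub !== 'string') {
    return { ok: false, reason: 'no sub claim' };
  }
  return {
    ok: true,
    sub: claims.sub,
    matchesExpected: claims.sub === expectedTechAccountId,
    claimNames: Object.keys(claims).sort(),
  };
}

// Constructed sample token (unsigned, placeholder values) so the block runs offline.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const SAMPLE_SUB = 'EXAMPLE0000TECHACCT@techacct.adobe.com'; // constructed placeholder
const sampleToken = makeSampleToken({ sub: SAMPLE_SUB, exp: 1700000000 });
console.log(describeToken(`Bearer ${sampleToken}`, SAMPLE_SUB));
```

Logging the returned object instead of the header keeps the bearer token out of activation logs while still giving the ID needed for the Developer Console lookup.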


Level 2

Hi @tmj ,
thank you very much! It works now.

Maybe something to add to the documentation.

 

Thanks!
Anian