Enhance Azure Maps integration by implementing user-assigned managed identity and SAS token caching in policies

Author: anotherRedbeard

samples/azure-maps/create.ipynb

@@ -15,21 +15,10 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 25,
+   "execution_count": null,
    "metadata": {},
-   "outputs": [
-    {
-     "name": "stdout",
-     "output_type": "stream",
-     "text": [
-      "👉🏽 \u001b[1;34mResource group name      : apim-infra-simple-apim-1\u001b[0m \n",
-      "\n",
-      "✅ \u001b[1;32mNotebook initialized\u001b[0m ⌚ 22:31:28.796962 \n"
-     ]
-    }
-   ],
+   "outputs": [],
    "source": [
-    "import subprocess\n",
     "import utils\n",
     "from apimtypes import *\n",
     "\n",
@@ -55,7 +44,7 @@
     "map_geocode_v2_aad_get_xml = utils.read_policy_xml('./map_geocode_v2_aad_get.xml')\n",
     "\n",
     "# Map API \n",
-    "mapApi_v2_default_get = GET_APIOperation2('get-default-route','Get default route','/*','This is the default route that will allow all requests to go through to the backend api',map_default_route_v2_aad_get_xml)\n",
+    "mapApi_v2_default_get = GET_APIOperation2('get-default-route','Get default route','/default/*','This is the default route that will allow all requests to go through to the backend api',map_default_route_v2_aad_get_xml)\n",
     "mapApi_v1_async_post = APIOperation('async-geocode-batch','Async Geocode Batch','/geocode/batch/async',HTTP_VERB.POST, 'Post geocode batch async endpoint',map_async_geocode_batch_v1_keyauth_post_xml)\n",
     "mapApi_v2_geocode_get = GET_APIOperation2('get-geocode','Get Geocode','/geocode','Get geocode endpoint',map_geocode_v2_aad_get_xml)\n",
     "api1 = API('map-api', 'Map API', '/map', 'This is the proxy for Azure Maps', operations=[mapApi_v2_default_get, mapApi_v1_async_post,mapApi_v2_geocode_get], tags = tags, serviceUrl=azure_maps_url)\n",
@@ -69,6 +58,7 @@
     "\n",
     "# 4) Set up the named values\n",
     "nvs: List[NamedValue] = [\n",
+    "    NamedValue('azure-maps-arm-api-version','2023-06-01')\n",
     "]\n",
     "\n",
     "utils.print_ok('Notebook initialized')"
@@ -85,23 +75,9 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 27,
+   "execution_count": null,
    "metadata": {},
-   "outputs": [
-    {
-     "name": "stdout",
-     "output_type": "stream",
-     "text": [
-      "⚙️ \u001b[1;34maz group show --name apim-infra-simple-apim-1\u001b[0m \n",
-      "⚙️ \u001b[1;34maz group show --name apim-infra-simple-apim-1\u001b[0m \n",
-      "📝 Updated the policy XML in the bicep parameters file 'params.json'\n",
-      "⚙️ \u001b[1;34maz deployment group create --name simple-apim --resource-group apim-infra-simple-apim-1 --template-file main.bicep --parameters params.json --query \"properties.outputs\"\u001b[0m \n",
-      "👉🏽 \u001b[1;34mAPIM API Gateway URL     : https://apim-w6pw4mtuew6ga.azure-api.net\u001b[0m \n",
-      "\n",
-      "✅ \u001b[1;32mDeployment completed\u001b[0m ⌚ 22:44:24.722798 \n"
-     ]
-    }
-   ],
+   "outputs": [],
    "source": [
     "import utils\n",
     "\n",
@@ -142,129 +118,9 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 28,
+   "execution_count": null,
    "metadata": {},
-   "outputs": [
-    {
-     "name": "stdout",
-     "output_type": "stream",
-     "text": [
-      "\n",
-      "ℹ️ \u001b[1;32mCalling Hello World (Root) API\u001b[0m ⌚ 22:50:43.490816 \n",
-      "👉🏽 \u001b[1;34mGET https://apim-w6pw4mtuew6ga.azure-api.net/\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;32m200 - OK\u001b[0m\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse headers         :\n",
-      "{'Content-Length': '32', 'Date': 'Thu, 12 Jun 2025 03:50:44 GMT', 'Request-Context': 'appId=cid-v1:788e87f2-9135-4c09-896d-02870631a447'}\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse body            :\n",
-      "Hello World from API Management!\u001b[0m \n",
-      "\n",
-      "ℹ️ \u001b[1;32mCalling Default Route with AAD Auth API\u001b[0m ⌚ 22:50:44.075994 \n",
-      "👉🏽 \u001b[1;34mGET https://apim-w6pw4mtuew6ga.azure-api.net/map/default/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA/\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;32m200 - OK\u001b[0m\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse headers         :\n",
-      "{'Content-Type': 'application/json; charset=utf-8', 'Date': 'Thu, 12 Jun 2025 03:50:46 GMT', 'Content-Encoding': 'gzip', 'Transfer-Encoding': 'chunked', 'Vary': 'Accept-Encoding', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'x-ms-azuremaps-region': 'East US', 'X-Content-Type-Options': 'nosniff', 'X-Cache': 'CONFIG_NOCACHE', 'X-MSEdge-Ref': 'Ref A: 3E47F785F9DE487E9C530EC0D2124173 Ref B: BL2AA2030110019 Ref C: 2025-06-12T03:50:46Z', 'Request-Context': 'appId=cid-v1:788e87f2-9135-4c09-896d-02870631a447'}\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse body            :\n",
-      "{\n",
-      "    \"type\": \"FeatureCollection\",\n",
-      "    \"features\": [\n",
-      "        {\n",
-      "            \"type\": \"Feature\",\n",
-      "            \"geometry\": {\n",
-      "                \"type\": \"Point\",\n",
-      "                \"coordinates\": [\n",
-      "                    -122.138669,\n",
-      "                    47.630359\n",
-      "                ]\n",
-      "            },\n",
-      "            \"bbox\": [\n",
-      "                -122.14631082421619,\n",
-      "                47.62649628242932,\n",
-      "                -122.1310271757838,\n",
-      "                47.634221717570675\n",
-      "            ],\n",
-      "            \"properties\": {\n",
-      "                \"type\": \"Address\",\n",
-      "                \"confidence\": \"High\",\n",
-      "                \"matchCodes\": [\n",
-      "                    \"Good\"\n",
-      "                ],\n",
-      "                \"geocodePoints\": [\n",
-      "                    {\n",
-      "                        \"calculationMethod\": \"Rooftop\",\n",
-      "                        \"usageTypes\": [\n",
-      "                            \"Display\"\n",
-      "                        ],\n",
-      "                        \"geometry\": {\n",
-      "                            \"type\": \"Point\",\n",
-      "                            \"coordinates\": [\n",
-      "                                -122.138669,\n",
-      "                                47.630359\n",
-      "                            ]\n",
-      "                        }\n",
-      "                    },\n",
-      "                    {\n",
-      "                        \"calculationMethod\": \"Rooftop\",\n",
-      "                        \"usageTypes\": [\n",
-      "                            \"Route\"\n",
-      "                        ],\n",
-      "                        \"geometry\": {\n",
-      "                            \"type\": \"Point\",\n",
-      "                            \"coordinates\": [\n",
-      "                                -122.1386667,\n",
-      "                                47.630218\n",
-      "                            ]\n",
-      "                        }\n",
-      "                    }\n",
-      "                ],\n",
-      "                \"address\": {\n",
-      "                    \"addressLine\": \"15127 NE 24th St\",\n",
-      "                    \"streetName\": \"NE 24th St\",\n",
-      "                    \"streetNumber\": \"15127\",\n",
-      "                    \"postalCode\": \"98052\",\n",
-      "                    \"locality\": \"Redmond\",\n",
-      "                    \"formattedAddress\": \"15127 NE 24th St, Redmond, WA 98052\",\n",
-      "                    \"countryRegion\": {\n",
-      "                        \"name\": \"United States\",\n",
-      "                        \"ISO\": \"US\"\n",
-      "                    },\n",
-      "                    \"adminDistricts\": [\n",
-      "                        {\n",
-      "                            \"shortName\": \"WA\"\n",
-      "                        },\n",
-      "                        {\n",
-      "                            \"shortName\": \"King County\"\n",
-      "                        }\n",
-      "                    ]\n",
-      "                }\n",
-      "            }\n",
-      "        }\n",
-      "    ]\n",
-      "}\u001b[0m \n",
-      "\n",
-      "ℹ️ \u001b[1;32mCalling Hello World (ACA Backend 2) API\u001b[0m ⌚ 22:50:47.215265 \n",
-      "👉🏽 \u001b[1;34mGET https://apim-w6pw4mtuew6ga.azure-api.net/aca-2/\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;31m404 - Resource Not Found\u001b[0m\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse headers         :\n",
-      "{'Content-Length': '54', 'Content-Type': 'application/json', 'Date': 'Thu, 12 Jun 2025 03:50:47 GMT', 'Request-Context': 'appId=cid-v1:788e87f2-9135-4c09-896d-02870631a447'}\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse body            :\n",
-      "{ \"statusCode\": 404, \"message\": \"Resource not found\" }\u001b[0m \n",
-      "\n",
-      "ℹ️ \u001b[1;32mCalling Hello World (ACA Backend Pool) API\u001b[0m ⌚ 22:50:47.865951 \n",
-      "👉🏽 \u001b[1;34mGET https://apim-w6pw4mtuew6ga.azure-api.net/aca-pool/\u001b[0m \n",
-      "👉🏽 \u001b[1;34m▶️ Run 1/3:\u001b[0m \n",
-      "👉🏽 \u001b[1;34m⌚ 0.39 seconds\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;31m404 - Resource Not Found\u001b[0m\u001b[0m \n",
-      "👉🏽 \u001b[1;34m▶️ Run 2/3:\u001b[0m \n",
-      "👉🏽 \u001b[1;34m⌚ 0.07 seconds\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;31m404 - Resource Not Found\u001b[0m\u001b[0m \n",
-      "👉🏽 \u001b[1;34m▶️ Run 3/3:\u001b[0m \n",
-      "👉🏽 \u001b[1;34m⌚ 0.07 seconds\u001b[0m \n",
-      "👉🏽 \u001b[1;34mResponse status          : \u001b[1;31m404 - Resource Not Found\u001b[0m\u001b[0m \n",
-      "\n",
-      "✅ \u001b[1;32mAll done!\u001b[0m ⌚ 22:50:48.559041 \n"
-     ]
-    }
-   ],
+   "outputs": [],
    "source": [
     "import utils\n",
     "from apimrequests import ApimRequests\n",
@@ -287,9 +143,18 @@
     "reqs = ApimRequests(apim_gateway_url)\n",
     "\n",
     "reqs.singleGet('/', msg = 'Calling Hello World (Root) API')\n",
-    "reqs.singleGet('/map/default/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA/', msg = 'Calling Default Route with AAD Auth API')\n",
-    "reqs.singleGet('/aca-2/', msg = 'Calling Hello World (ACA Backend 2) API')\n",
-    "reqs.multiGet('/aca-pool/', 3, msg = 'Calling Hello World (ACA Backend Pool) API')\n",
+    "reqs.singleGet('/map/default/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Default Route API with AAD Auth')\n",
+    "reqs.singleGet('/map/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Geocode v2 API with AAD Auth')\n",
+    "reqs.singlePost('/map/geocode/batch/async', data={\n",
+    "    \"batchItems\": [\n",
+    "        {\"query\": \"?query=400 Broad St, Seattle, WA 98109&limit=3\"},\n",
+    "        {\"query\": \"?query=One, Microsoft Way, Redmond, WA 98052&limit=3\"},\n",
+    "        {\"query\": \"?query=350 5th Ave, New York, NY 10118&limit=1\"},\n",
+    "        {\"query\": \"?query=Pike Pl, Seattle, WA 98101&lat=47.610970&lon=-122.342469&radius=1000\"},\n",
+    "        {\"query\": \"?query=Champ de Mars, 5 Avenue Anatole France, 75007 Paris, France&limit=1\"}\n",
+    "    ]\n",
+    "}, msg = 'Calling Async Geocode Batch v1 API with Key Auth')\n",
+    "\n",
     "utils.print_ok('All done!')"
    ]
   }

samples/azure-maps/main.bicep

@@ -14,6 +14,7 @@ param namedValues array = []
 param mapsName string = 'maps-${resourceSuffix}'
 param apimName string = 'apim-${resourceSuffix}'
 param appInsightsName string = 'appi-${resourceSuffix}'
+param userAssignedIdentityName string = 'uami-maps-${resourceSuffix}'
 param apis array = []
 
 // [ADD RELEVANT PARAMETERS HERE]
@@ -35,6 +36,16 @@ resource apimService 'Microsoft.ApiManagement/service@2024-06-01-preview' existi
   name: apimName
 }
 
+// Create user-assigned managed identity
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: userAssignedIdentityName
+  location: location
+  tags: {
+    Purpose: 'Azure Maps Access'
+    Environment: 'Sample'
+  }
+}
+
 // Create Azure Maps account
 resource mapsAccount 'Microsoft.Maps/accounts@2024-07-01-preview' = {
   name: mapsName
@@ -44,7 +55,10 @@ resource mapsAccount 'Microsoft.Maps/accounts@2024-07-01-preview' = {
   }
   kind: 'Gen2'
   identity: {
-    type: 'SystemAssigned'
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${userAssignedIdentity.id}': {}
+    }
   }
 }
 
@@ -81,6 +95,49 @@ module mapsClientIdNamedValue '../../shared/bicep/modules/apim/v1/named-value.bi
   }
 }
 
+// Deploy user-assigned managed identity client id named value
+module userAssignedIdentityObjectIdNamedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = {
+  name: 'nv-user-assigned-identity-object-id'
+  params: {
+    apimName: apimName
+    namedValueName: 'user-assigned-identity-object-id'
+    namedValueValue: userAssignedIdentity.properties.principalId
+    namedValueIsSecret: false
+  }
+}
+
+// Deploy Azure subscription id named value
+module subscriptionIdNamedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = {
+  name: 'nv-subscription-id'
+  params: {
+    apimName: apimName
+    namedValueName: 'subscription-id'
+    namedValueValue: subscription().subscriptionId
+    namedValueIsSecret: true
+  }
+}
+
+// Deploy resource group name named value
+module resourceGroupNamedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = {
+  name: 'nv-resource-group-name'
+  params: {
+    apimName: apimName
+    namedValueName: 'resource-group-name'
+    namedValueValue: resourceGroup().name
+    namedValueIsSecret: false
+  }
+}
+// Deploy resource group name named value
+module azureMapsResourceNamedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = {
+  name: 'nv-azure-maps-resource-name'
+  params: {
+    apimName: apimName
+    namedValueName: 'azure-maps-resource-name'
+    namedValueValue: mapsName
+    namedValueIsSecret: false
+  }
+}
+
 // APIM APIs
 module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in apis: if(!empty(apis)) {
   name: '${api.name}-${resourceSuffix}'
@@ -92,8 +149,7 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   }
 }]
 
-
-// Grant managed identity access to Azure Maps, here are the RBAC roles you might need: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication#picking-a-role-definition
+// Grant APIM managed identity access to Azure Maps, here are the RBAC roles you might need: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication#picking-a-role-definition
 resource mapsDataReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(mapsAccount.id, apimService.id, '6be48352-4f82-47c9-ad5e-0acacefdb005')
   scope: mapsAccount
@@ -104,6 +160,29 @@ resource mapsDataReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2
   }
 }
 
+// Grant APIM managed identity 'Auzre Maps Contributor' role to Azure Maps, this allows the creation of SAS tokens
+resource mapsContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(mapsAccount.id, apimService.id, 'dba33070-676a-4fb0-87fa-064dc56ff7fb')
+  scope: mapsAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dba33070-676a-4fb0-87fa-064dc56ff7fb')
+    principalId: apimService.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+
+// Grant user-assigned managed identity Azure Maps Data Reader role
+resource userAssignedIdentityMapsDataReaderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(mapsAccount.id, userAssignedIdentity.id, '6be48352-4f82-47c9-ad5e-0acacefdb005')
+  scope: mapsAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6be48352-4f82-47c9-ad5e-0acacefdb005')
+    principalId: userAssignedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ------------------
 //    MARK: OUTPUTS
 // ------------------