Create a service SAS for a container or blob with JavaScript

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

Note

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for JavaScript.

Create a service SAS for a blob container

The following code example creates a SAS for a container. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the container.

A service SAS is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS. Next, call the generateBlobSASQueryParameters function, providing the required parameters, to get the SAS token string.

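// Create a service SAS for a blob container
const { ContainerSASPermissions, generateBlobSASQueryParameters } = require("@azure/storage-blob");

function getContainerSasUri(containerClient, sharedKeyCredential, storedPolicyName) {
    const sasOptions = {
        containerName: containerClient.containerName,
        permissions: ContainerSASPermissions.parse("c")
    };

    if (storedPolicyName == null) {
        // Ad hoc SAS: valid from now for one hour
        sasOptions.startsOn = new Date();
        sasOptions.expiresOn = new Date(new Date().valueOf() + 3600 * 1000);
    } else {
        // Associate the SAS with the existing stored access policy
        sasOptions.identifier = storedPolicyName;
    }

    // Sign the SAS with the account key held by sharedKeyCredential
    const sasToken = generateBlobSASQueryParameters(sasOptions, sharedKeyCredential).toString();
    // The token is a bearer credential; it is logged here for demonstration only
    console.log(`SAS token for blob container is: ${sasToken}`);

    return `${containerClient.url}?${sasToken}`;
}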

Create a service SAS for a blob

The following code example creates a SAS on a blob. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the blob.

To create a service SAS for a blob, call the generateBlobSASQueryParameters function, providing the required parameters.

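// Create a service SAS for a blob
const { BlobSASPermissions, generateBlobSASQueryParameters } = require("@azure/storage-blob");

function getBlobSasUri(containerClient, blobName, sharedKeyCredential, storedPolicyName) {
    const sasOptions = {
        containerName: containerClient.containerName,
        blobName: blobName
    };

    if (storedPolicyName == null) {
        // Ad hoc SAS: read-only, valid from now for one hour
        sasOptions.startsOn = new Date();
        sasOptions.expiresOn = new Date(new Date().valueOf() + 3600 * 1000);
        sasOptions.permissions = BlobSASPermissions.parse("r");
    } else {
        // Associate the SAS with the existing stored access policy
        sasOptions.identifier = storedPolicyName;
    }

    // Sign the SAS with the account key held by sharedKeyCredential
    const sasToken = generateBlobSASQueryParameters(sasOptions, sharedKeyCredential).toString();
    // The token is a bearer credential; it is logged here for demonstration only
    console.log(`SAS token for blob is: ${sasToken}`);

    return `${containerClient.getBlockBlobClient(blobName).url}?${sasToken}`;
}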
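
An added example, not part of the original article: a dependency-free Node.js check that inspects the query string of a service SAS URL before it is handed to a client. It flags ad hoc tokens (no stored access policy identifier), lifetimes over a limit, permissions beyond read/list, and tokens that do not restrict the protocol to HTTPS. The function name, finding labels, one-hour limit and sample URLs are assumptions constructed for illustration; si, st, se, sp, spr and sig are the standard SAS query parameters.

```javascript
// Added example: audit the constraints carried in a service SAS URL.
// Finding labels and the default lifetime limit are illustrative assumptions.
function auditServiceSas(sasUrl, maxLifetimeMs = 3600 * 1000, now = new Date()) {
    const q = new URL(sasUrl).searchParams;
    if (!q.has("sig")) return ["no-signature"]; // not a SAS URL at all

    const findings = [];

    // No "si" means an ad hoc SAS: start, expiry and permissions live in the
    // token itself rather than in a stored access policy on the container.
    if (!q.has("si")) {
        findings.push("ad-hoc");
        const start = q.has("st") ? Date.parse(q.get("st")) : now.getTime();
        const expiry = Date.parse(q.get("se") ?? "");
        if (Number.isNaN(expiry)) findings.push("missing-expiry");
        else if (expiry - start > maxLifetimeMs) findings.push("long-lived");
    }

    // Report every permission letter other than read (r) and list (l).
    const extra = [...(q.get("sp") ?? "")].filter((p) => !"rl".includes(p));
    if (extra.length > 0) findings.push("grants:" + extra.join(""));

    // Without spr=https the token is also accepted over plain HTTP.
    if (q.get("spr") !== "https") findings.push("http-allowed");

    return findings;
}

// Constructed sample URLs (account, container, policy and signature are placeholders).
const BASE = "https://examplestorage.blob.core.windows.net/sample-container";
const SAMPLES = {
    adHocCreate: `${BASE}?sv=2022-11-02&st=2024-01-01T00:00:00Z&se=2024-01-01T01:00:00Z&sr=c&sp=c&sig=CONSTRUCTED`,
    policyBound: `${BASE}/sample.txt?sv=2022-11-02&si=sample-policy&sr=b&spr=https&sig=CONSTRUCTED`,
    yearLongRead: `${BASE}/sample.txt?sv=2022-11-02&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z&sr=b&sp=r&spr=https&sig=CONSTRUCTED`,
};

for (const [name, url] of Object.entries(SAMPLES)) {
    console.log(name, auditServiceSas(url));
}
```

When si is present and sp is absent, the permissions come from the stored access policy and cannot be judged from the URL alone.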
