
Created September 26, 2012 01:03
Simple example of Generating a Windows Azure blob SAS in Node
//Simple example of generating a Windows Azure blob SAS in Node, created using published guidance (the link did not survive on this page).
//If your environment has access to the Windows Azure SDK for Node, you should use that instead.
/**
 * Insert hook: computes a blob shared access signature (SAS) URL for the
 * image named on the incoming item and stores it on the item as `item.SAS`.
 *
 * @param {Object} item - Record being inserted; `item.ImageName` is read and `item.SAS` is written.
 * @param {Object} user - Not used in the lines visible here.
 * @param {Object} request - Not used in the lines visible here.
 */
function insert(item, user, request) {
// Placeholders for the storage account credentials. The account key signs every
// SAS, so whoever can read this script can mint access to any blob in the account.
// NOTE(review): load the key from configuration instead of source if the host allows it.
var accountName = '<Your Account Name>';
var accountKey = '<Your Account Key>';
//Note: this code assumes the container already exists in blob storage.
// If you wish to dynamically create the container then implement guidance here -
var container = 'test';
// NOTE(review): item presumably arrives from the client - confirm. If so, the caller
// picks which blob name in the container the SAS covers; validate it (expected
// characters, no path separators) before signing.
var imageName = item.ImageName;
// The SAS URL is a bearer credential: anyone who obtains it gets the signed
// permissions on that blob until the expiry passes.
item.SAS = getBlobSharedAccessSignature(accountName, accountKey, container, imageName);
// NOTE(review): the rest of this function (including its closing brace) is not visible on this page.
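/**
 * Builds a shared access signature (SAS) URL for a single blob, valid for
 * 30 minutes from the moment of the call.
 *
 * Side effects: overwrites the module-level `signedExpiry` and `signature`,
 * which getSignature() and getQueryString() read. `canonicalizedResource` is
 * set to the formatted path for the duration of the call and then restored.
 *
 * @param {string} accountName - Storage account name.
 * @param {string} accountKey - Base64-encoded storage account key used to sign.
 * @param {string} container - Container that holds the blob.
 * @param {string} fileName - Blob name inside the container.
 * @returns {string} The `resource` template filled with account, container,
 *     blob name and the signed query string.
 */
function getBlobSharedAccessSignature(accountName, accountKey, container, fileName){
    // The module-level canonicalizedResource starts out as the '/%s/%s/%s'
    // template, and getSignature() reads the formatted path from the same
    // variable. Without restoring the template, the second call would format
    // the previous blob's path and sign the wrong resource.
    var resourceTemplate = canonicalizedResource;

    // Short lifetime limits how long a leaked URL stays usable.
    signedExpiry = new Date();
    signedExpiry.setMinutes(signedExpiry.getMinutes() + 30);

    canonicalizedResource = util.format(resourceTemplate, accountName, container, fileName);
    try {
        signature = getSignature(accountKey);
        var queryString = getQueryString();
        return util.format(resource, accountName, container, fileName, queryString);
    } finally {
        canonicalizedResource = resourceTemplate;
    }
}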
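/**
 * Computes the SAS signature: HMAC-SHA256 over the string-to-sign, keyed with
 * the decoded account key, returned as Base64.
 *
 * Reads the module-level signedPermissions, signedStart, signedExpiry,
 * canonicalizedResource, signedIdentifier and signedVersion.
 *
 * @param {string} accountKey - Base64-encoded storage account key.
 * @returns {string} Base64-encoded signature.
 */
function getSignature(accountKey){
    // Buffer.from rejects a non-string key; the deprecated `new Buffer(value)`
    // would allocate uninitialized memory when handed a number.
    var decodedKey = Buffer.from(accountKey, 'base64');

    // getQueryString() sends a Date start time in stripped ISO form, so sign
    // that same text. A string value passes through untouched, as before.
    var start = (signedStart instanceof Date) ? getISO8601NoMilliSeconds(signedStart) : signedStart;

    // Field order is fixed by the service; every field is newline separated.
    var stringToSign = signedPermissions + "\n" +
        start + "\n" +
        getISO8601NoMilliSeconds(signedExpiry) + "\n" +
        canonicalizedResource + "\n" +
        signedIdentifier + "\n" +
        signedVersion;

    return crypto.createHmac('sha256', decodedKey).update(stringToSign, 'utf8').digest('base64');
}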
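/**
 * Assembles the SAS query string from the module-level signed fields.
 *
 * The result carries the signature, so the full URL must be treated like a
 * credential (keep it out of logs and referrers).
 *
 * @returns {string} Query string starting with '?'.
 */
function getQueryString(){
    // The version sent must be the one that was signed, so read signedVersion
    // rather than repeating the literal and letting the two drift apart.
    var parameters = [
        [Constants.SIGNED_VERSION, signedVersion],
        [Constants.SIGNED_RESOURCE, signedResource],
        [Constants.SIGNED_START, getISO8601NoMilliSeconds(signedStart)],
        [Constants.SIGNED_EXPIRY, getISO8601NoMilliSeconds(signedExpiry)],
        [Constants.SIGNED_PERMISSIONS, signedPermissions],
        [Constants.SIGNATURE, signature],
        [Constants.SIGNED_IDENTIFIER, signedIdentifier]
    ];

    var queryString = "?";
    for (var i = 0; i < parameters.length; i++) {
        // The helper looks at the string built so far to decide whether '&' is needed.
        queryString += addEscapedIfNotNull(queryString, parameters[i][0], parameters[i][1]);
    }
    return queryString;
}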
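/**
 * Formats one `name=value` query parameter, URL-encoding the value.
 *
 * @param {string} queryString - Query string built so far; anything longer
 *     than the leading '?' means an '&' delimiter is needed.
 * @param {string} name - Parameter name.
 * @param {*} val - Parameter value; null, undefined and '' mean "not set".
 * @returns {string} The fragment to append, or '' when the value is not set.
 */
function addEscapedIfNotNull(queryString, name, val){
    // Unset optional fields (start time, identifier) must be omitted rather
    // than sent as 'name=' or 'name=undefined', which the signature does not cover.
    if (val === null || val === undefined || val === '') {
        return '';
    }
    var delimiter = (queryString.length > 1) ? '&' : '';
    return util.format('%s%s=%s', delimiter, name, encodeURIComponent(val));
}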
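/**
 * Renders a Date as an ISO 8601 UTC timestamp without the millisecond part.
 *
 * @param {Date} date - Timestamp to format; a falsy value means "not set".
 * @returns {string} e.g. '2012-09-26T01:03:00Z', or '' when no date is given.
 */
function getISO8601NoMilliSeconds(date){
    // The optional start time defaults to '' at module level; calling
    // toJSON() on that would throw, so report "not set" instead.
    if (!date) {
        return '';
    }
    var raw = date.toJSON();
    //blob service does not like milliseconds on the end of the time so strip
    return raw.slice(0, raw.lastIndexOf('.')) + 'Z';
}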
// Names of the SAS query parameters. getQueryString() reads SIGNED_VERSION,
// SIGNED_RESOURCE, SIGNED_START, SIGNED_EXPIRY, SIGNED_PERMISSIONS, SIGNATURE
// and SIGNED_IDENTIFIER from this object.
// NOTE(review): the property list and closing brace are not visible on this page.
var Constants = {
var crypto = require('crypto');
var util = require('util');
// util.format template for the final URL; it receives account name, container,
// file name and query string, in that order.
// NOTE(review): the template text is empty as shown here - presumably lost; restore before use.
var resource = '';
//Version of the storage REST API. It is part of the string-to-sign in getSignature().
var signedVersion = '2012-02-12';
//signedResource. use b for blob, c for container
var signedResource = 'b'; //
// The signedpermission portion of the string must include the permission designations in a fixed order that is specific to each resource type. Any combination of these permissions is acceptable, but the order of permission letters must match the order in the following table.
// 'rw' grants read and write to whoever holds the URL; grant only the letters the client needs.
var signedPermissions = 'rw'; //blob perms must be in this order rwd
// Example - Use ISO 8601 format
// Optional start time; left empty here. getQueryString() passes it to getISO8601NoMilliSeconds().
var signedStart = '';
// Overwritten with a Date on every getBlobSharedAccessSignature() call.
var signedExpiry = '';
// Example Blob
// URL =
// canonicalizedresource = "/myaccount/music/intro.mp3"
// Template for the signed resource path: account, container, blob name.
var canonicalizedResource = '/%s/%s/%s';
//The string-to-sign is a unique string constructed from the fields that must be verified in order to authenticate the request. The signature is an HMAC computed over the string-to-sign and key using the SHA256 algorithm, and then encoded using Base64 encoding.
// Overwritten on every getBlobSharedAccessSignature() call. These module-level
// values are shared by all calls, so they always describe the most recent SAS.
var signature = '';
//Optional. A unique value up to 64 characters in length that correlates to an access policy specified for the container, queue, or table.
var signedIdentifier = '';