Hi Tien - Thanks for reaching out.
When working with Service/Account SAS, it is signed using the access keys so you need to have a role/permissions in order to access the keys i.e.
Microsoft.Storage/storageAccounts/listkeys/action
Built-in roles such as Contributor or Reader and Data Access tend to have that permission, so you can leverage them to generate the SAS.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#contributor
What permissions the SAS should have can be controlled further while creating the SAS, such as Read, Write, List, Delete, etc.
Below are the reference links that talk about the same:
https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create-dotnet
Below are further additional links that talk about working with Stored Access Policy:
https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
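
As an added example (not part of the answer above and not Microsoft's code), the Python sketch below reviews an already-issued SAS URL by reading its standard query fields: `sp` (permissions), `se` (expiry), `spr` (protocol) and `si` (stored access policy). The 24-hour lifetime threshold, the function name `audit_sas`, and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters in the SAS "sp" field (subset; unknown letters are reported as-is).
PERMS = {"r": "Read", "a": "Add", "c": "Create", "w": "Write", "d": "Delete", "l": "List"}
MODIFYING = set("acwd")


def audit_sas(url, now, max_lifetime=timedelta(hours=24)):
    """Return (granted_permissions, findings) for a SAS URL. Assumed review policy:
    flag lifetimes over max_lifetime, HTTP access, and modifying permissions."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    sp = q.get("sp", "")
    granted = [PERMS.get(ch, ch) for ch in sp]
    findings = []
    if "si" in q:
        # Permissions and expiry may live in the stored access policy on the server.
        findings.append("info: uses stored access policy " + q["si"])
    else:
        findings.append("warn: ad hoc SAS, revocable before expiry only by rotating the key")
    if "se" in q:
        # Assumes the full YYYY-MM-DDThh:mm:ssZ form of the expiry time.
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("info: already expired")
        elif expiry - now > max_lifetime:
            findings.append("warn: lifetime exceeds %s" % max_lifetime)
    elif "si" not in q:
        findings.append("warn: no expiry and no stored access policy")
    if q.get("spr") != "https":
        findings.append("warn: HTTP allowed (spr is not 'https')")
    if MODIFYING & set(sp):
        findings.append("warn: grants modifying permissions: " + ", ".join(
            PERMS[ch] for ch in sp if ch in MODIFYING))
    return granted, findings


# Constructed sample URLs; account, container, policy name and signature are placeholders.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
AD_HOC = ("https://exampleaccount.blob.core.windows.net/docs/report.pdf"
          "?sv=2022-11-02&sr=b&sp=rwd&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER")
POLICY = ("https://exampleaccount.blob.core.windows.net/docs"
          "?sv=2022-11-02&sr=c&si=read-only-policy&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (AD_HOC, POLICY):
        granted, findings = audit_sas(url, NOW)
        print(granted, *findings, sep="\n  ")
```

For a SAS that references a stored access policy, the effective permissions and expiry have to be read from the policy on the container, since they may not appear in the URL at all.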