Storage

Custom Roles

Learn about using custom roles with storage schema


In this guide, you will learn how to create and use custom roles with Storage to manage role-based access to objects and buckets. The same approach works for custom roles with any other Supabase service, because every service resolves the role from the same JWT claim.

Supabase Storage uses the same role-based access control as every other Supabase service: Postgres roles combined with RLS (Row Level Security) policies, here on the tables in the storage schema.

Create a custom role

Let's create a custom role named manager and give it read access to a specific bucket. For a more advanced setup, see the RBAC Guide.

create role manager;

-- PostgREST connects as the authenticator role and switches to the role named
-- in the JWT with SET ROLE. That only works for roles granted to authenticator,
-- so a token carrying role 'manager' is rejected until this grant exists.
grant manager to authenticator;

-- manager inherits the privileges anon already holds (such as usage on the
-- storage schema), so the policy below is actually reachable for it.
grant anon to manager;

Create a policy

Let's create a policy that gives the manager role read (select) permission on every object in the bucket teams.

create policy "Manager can view all files in the bucket 'teams'"
on storage.objects
for select
to manager
using (
  bucket_id = 'teams'
);

Test the policy

To impersonate the manager role, you need a valid JWT that is signed with your project's JWT secret and carries the claim role set to manager. You can quickly create one using the jsonwebtoken library in Node.js. Keep in mind that anyone holding the JWT secret can mint a token for any role, so it belongs only on a trusted server, never in client code.

const jwt = require('jsonwebtoken')

const JWT_SECRET = 'your-jwt-secret' // You can find this in your Supabase project settings under API. Store this securely.
const USER_ID = '' // the user id that we want to give the manager role

// The role claim is what the server uses for SET ROLE; sub identifies the user.
// The token expires after one hour, so tests do not leave long-lived credentials around.
const token = jwt.sign({ role: 'manager', sub: USER_ID }, JWT_SECRET, {
  expiresIn: '1h',
})

Now you can use this token as the bearer token for the Storage API. RLS filters the result set: only objects the manager policy allows are returned, so listing a bucket other than teams comes back empty rather than failing.

const { StorageClient } = require('@supabase/storage-js')

const PROJECT_URL = 'https://your-project-id.supabase.co/storage/v1'

// token is the JWT created in the previous step
async function listTeamsFiles(token) {
  const storage = new StorageClient(PROJECT_URL, {
    authorization: `Bearer ${token}`,
  })

  const { data, error } = await storage.from('teams').list()
  if (error) throw error
  return data
}