Storage

Custom Roles

Learn about using custom roles with storage schema


In this guide, you will learn how to create and use custom roles with Storage to manage role-based access to objects and buckets. The same approach works for custom roles with any other Supabase service.

Supabase Storage uses the same role-based access control system as any other Supabase service using RLS (Row Level Security).

Create a custom role

Let's create a custom role called manager that provides full read access to a specific bucket. For a more advanced setup, see the RBAC Guide.


-- Role names are identifiers, not string literals
create role manager;

-- Important: PostgREST switches to the role named in the JWT, so manager must be
-- granted to authenticator; granting anon to manager lets manager inherit anon's privileges
grant manager to authenticator;
grant anon to manager;

Create a policy

Let's create a policy that gives full read permissions to all objects in the bucket 'teams' for the manager role.


create policy "Manager can view all files in the bucket 'teams'"
on storage.objects
for select
to manager
using (
  bucket_id = 'teams'
);

Test the policy

To impersonate the manager role, you will need a valid JWT whose role claim is manager. You can quickly create one using the jsonwebtoken library in Node.js.


const jwt = require('jsonwebtoken')

const JWT_SECRET = 'your-jwt-secret' // You can find this in your Supabase project settings under API. Store this securely.
const USER_ID = '' // the user id that we want to give the manager role

// The role claim is what PostgREST uses to SET ROLE, so this token is evaluated
// against the manager policies. Keep the lifetime short.
const token = jwt.sign({ role: 'manager', sub: USER_ID }, JWT_SECRET, {
  expiresIn: '1h',
})

Now you can use this token to access the Storage API.


const { StorageClient } = require('@supabase/storage-js')

const PROJECT_URL = 'https://your-project-id.supabase.co/storage/v1'

// Every request made through this client carries the manager token,
// so the RLS policies defined for manager apply to each call.
const storage = new StorageClient(PROJECT_URL, {
  authorization: `Bearer ${token}`,
})

// Returns only what the manager policy permits: objects in the bucket 'teams'.
const { data, error } = await storage.from('teams').list()
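You can also exercise the policy directly in the database, without minting a token, to confirm that manager can read the 'teams' bucket and nothing more. This is an added example, not part of the Supabase docs; it assumes the session user is allowed to SET ROLE manager (a superuser or a member of manager) and that the bucket 'teams' exists, and the sub value is a constructed placeholder.

```sql
-- Added example: probe the manager policy from the SQL editor or psql.
-- Everything runs inside a transaction that is rolled back at the end.
begin;

-- Switch to the role PostgREST would use for a request whose JWT says role=manager,
-- and expose the same claims it would publish (sub is a constructed placeholder).
set local role manager;
set local request.jwt.claims to
  '{"role":"manager","sub":"00000000-0000-0000-0000-000000000000"}';

-- Permitted by the policy: reading object metadata in the bucket 'teams'.
select name, bucket_id
from storage.objects
where bucket_id = 'teams';

-- Objects in every other bucket are filtered out by the USING clause,
-- so this count is expected to be 0 even if those buckets hold files.
select count(*) as visible_outside_teams
from storage.objects
where bucket_id <> 'teams';

-- No insert/update/delete policy exists for manager, so writes are rejected
-- even in the 'teams' bucket (permission denied or an RLS violation,
-- depending on the table grants manager inherits). This statement is expected to fail.
insert into storage.objects (bucket_id, name)
values ('teams', 'rls-probe.txt');

-- Discard the probe, including the failed statement.
rollback;
```

If the final insert succeeds instead of failing, the role has picked up a write policy or grant you did not intend, which is exactly what this check is meant to surface.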