apps/docs/content/guides/storage/schema/custom-roles.mdx
In this guide, you will learn how to create and use custom roles with Storage to manage role-based access to objects and buckets. The same approach can be used to use custom roles with any other Supabase service.
Supabase Storage uses the same role-based access control system as any other Supabase service using RLS (Row Level Security).
Let's create a custom role manager to provide full read access to a specific bucket. For a more advanced setup, see the RBAC Guide.
create role 'manager';
-- Important to grant the role to the authenticator and anon role
grant manager to authenticator;
grant anon to manager;
Let's create a policy that gives full read permissions to all objects in the bucket teams for the manager role.
create policy "Manager can view all files in the bucket 'teams'"
on storage.objects
for select
to manager
using (
bucket_id = 'teams'
);
To impersonate the manager role, you will need a valid JWT token with the manager role.
You can quickly create one using the jsonwebtoken library in Node.js.
Signing a new JWT requires your JWT_SECRET. You must store this secret securely. Never expose it in frontend code, and do not check it into version control.
const jwt = require('jsonwebtoken')
const JWT_SECRET = 'your-jwt-secret' // You can find this in your Supabase project settings under API. Store this securely.
const USER_ID = '' // the user id that we want to give the manager role
const token = jwt.sign({ role: 'manager', sub: USER_ID }, JWT_SECRET, {
expiresIn: '1h',
})
Now you can use this token to access the Storage API.
const { StorageClient } = require('@supabase/storage-js')
const PROJECT_URL = 'https://your-project-id.supabase.co/storage/v1'
const storage = new StorageClient(PROJECT_URL, {
authorization: `Bearer ${token}`,
})
await storage.from('teams').list()