Custom Roles
Learn about using custom roles with storage schema
In this guide, you will learn how to create and use custom roles with Storage to manage role-based access to objects and buckets. The same approach can be used to use custom roles with any other Supabase service.
Supabase Storage uses the same role-based access control system as any other Supabase service using RLS (Row Level Security).
Create a Custom Role
Let's create a custom role manager to provide full read access to a specific bucket. For a more advanced setup, see the RBAC Guide.
_10create role 'manager';_10_10-- Important to grant the role to the authenticator and anon role_10grant manager to authenticator;_10grant anon to manager;
Create a policy
Let's create a policy that gives full read permissions to all objects in the bucket teams for the manager role.
_10create policy "Manager can view all files in the bucket 'teams'"_10on storage.objects_10for select_10to manager_10using (_10 bucket_id = 'teams'_10);
Test the policy
To impersonate the manager role, you will need a valid JWT token with the manager role.
You can quickly create one using the jsonwebtoken library in Node.js.
Signing a new JWT requires your JWT_SECRET. You must store this secret securely. Never expose it in frontend code, and do not check it into version control.
_10const jwt = require('jsonwebtoken')_10_10const JWT_SECRET = 'your-jwt-secret' // You can find this in your Supabase project settings under API. Store this securely._10const USER_ID = '' // the user id that we want to give the manager role_10_10const token = jwt.sign({ role: 'manager', sub: USER_ID }, JWT_SECRET, {_10 expiresIn: '1h',_10})
Now you can use this token to access the Storage API.
_10const { StorageClient } = require('@supabase/storage-js')_10_10const PROJECT_URL = 'https://your-project-id.supabase.co/storage/v1'_10_10const storage = new StorageClient(PROJECT_URL, {_10 authorization: `Bearer ${token}`,_10})_10_10await storage.from('teams').list()