supabase/apps/docs/content/guides/storage/schema/custom-roles.mdx
Copple 973bacf783 docs: Data API IA (#42417)
*Summary*
- reorganize the navigation menu to highlight modules, consolidate API
security content, and move guide entries (auto-generated docs, type
generation, security topics) to the intended sections
- relocate the Data API hardening and custom claims RBAC guides into the
API subtree, updating internal references and redirects, and fixing
cross-links (including adjusting the Security reference order)
- adjust data API topic references (e.g., securing guide and role
management) to point to the new paths and ensure the helper link
ordering follows the requested layout

*Testing*
- Not run (not requested)

Change 1

<img width="1286" height="576" alt="image"
src="https://github.com/user-attachments/assets/d903e9b0-bbfc-403f-bcb9-eee540e466db"
/>

Change 2

<img width="1176" height="666" alt="image"
src="https://github.com/user-attachments/assets/82b3ea4c-b8d4-4cb9-ad90-6c39c8a1a997"
/>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Reorganized API documentation structure, consolidating REST and
GraphQL API guides under a dedicated API section.
* Moved security-related guides to API documentation paths for better
organization.
* Implemented automatic redirects for old documentation links to new
locations.
* Updated navigation menu to reflect the restructured documentation
layout.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
2026-03-11 14:11:26 +01:00


---
id: 'storage-schema-design'
title: 'Custom Roles'
description: 'Learn about the storage schema'
subtitle: 'Learn about using custom roles with storage schema'
sidebar_label: 'Schema'
---

In this guide, you will learn how to create and use custom roles with Storage to manage role-based access to objects and buckets. The same approach can be used to use custom roles with any other Supabase service.

Supabase Storage uses the same role-based access control system as any other Supabase service using RLS (Row Level Security).

## Create a custom role

Let's create a custom role `manager` to provide full read access to a specific bucket. For a more advanced setup, see the [RBAC Guide](/docs/guides/api/custom-claims-and-role-based-access-control-rbac#create-auth-hook-to-apply-user-role).

```sql
-- Role names are identifiers, so they are not wrapped in single quotes
create role manager;

-- Important: authenticator must be a member of manager so the API can switch to it,
-- and manager is granted anon so it inherits anon's privileges
grant manager to authenticator;
grant anon to manager;
```

## Create a policy

Let's create a policy that gives full read permissions to all objects in the bucket `teams` for the `manager` role.

```sql
create policy "Manager can view all files in the bucket 'teams'"
on storage.objects
for select
to manager
using (
  bucket_id = 'teams'
);
```

## Test the policy

To impersonate the `manager` role, you will need a valid JWT whose `role` claim is `manager`.
You can quickly create one using the `jsonwebtoken` library in Node.js.

<Admonition type="danger">

Signing a new JWT requires your `JWT_SECRET`. You must store this secret securely. Never expose it in frontend code, and do not check it into version control.

</Admonition>

```js
const jwt = require('jsonwebtoken')

// You can find this in your Supabase project settings under API. Store this securely.
const JWT_SECRET = 'your-jwt-secret'
const USER_ID = '' // the user id that we want to give the manager role

// The `role` claim selects the Postgres role; the token expires after one hour
const token = jwt.sign({ role: 'manager', sub: USER_ID }, JWT_SECRET, {
  expiresIn: '1h',
})
```
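
Now you can use this token to access the Storage API.

```js
const { StorageClient } = require('@supabase/storage-js')
const PROJECT_URL = 'https://your-project-id.supabase.co/storage/v1'
// `token` is the JWT signed in the previous step
const storage = new StorageClient(PROJECT_URL, {
  authorization: `Bearer ${token}`,
})
// CommonJS has no top-level await, so the call runs inside an async function
async function listTeamFiles() {
  const { data, error } = await storage.from('teams').list()
  console.log(error ?? data)
}
listTeamFiles()
```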
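
Before sending a hand-signed token, it helps to confirm that it carries exactly the role and lifetime you intended. The following is an added example, not part of the Supabase guide: it builds the same kind of HS256 token using only Node's `crypto` module and checks signature, algorithm, expiry and role. The function names, secret and user id are constructed placeholders.

```javascript
// Added example: helper names, secret and user id are constructed placeholders.
const crypto = require('node:crypto')

const b64url = (input) => Buffer.from(input).toString('base64url')
const nowSeconds = () => Math.floor(Date.now() / 1000)

// Mint an HS256 JWT that carries the Postgres role in the `role` claim.
function mintRoleToken(secret, role, sub, ttlSeconds, now = nowSeconds()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
  const payload = b64url(JSON.stringify({ role, sub, iat: now, exp: now + ttlSeconds }))
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest('base64url')
  return `${header}.${payload}.${sig}`
}

// Check algorithm, signature, expiry and role. Returns the claims or throws.
function verifyRoleToken(token, secret, allowedRoles, now = nowSeconds()) {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('malformed token')
  const [header, payload, sig] = parts
  // Pin the algorithm instead of trusting whatever the header announces.
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'))
  if (alg !== 'HS256') throw new Error('unexpected alg')
  const expected = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest()
  const given = Buffer.from(sig, 'base64url')
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature')
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'))
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired')
  if (!allowedRoles.includes(claims.role)) throw new Error('role not allowed')
  return claims
}

// Constructed demo values (not real credentials), with a fixed clock for repeatability.
const DEMO_SECRET = 'constructed-demo-secret'
const DEMO_USER = '00000000-0000-0000-0000-000000000001'
const demoToken = mintRoleToken(DEMO_SECRET, 'manager', DEMO_USER, 3600, 1700000000)
console.log(verifyRoleToken(demoToken, DEMO_SECRET, ['manager'], 1700000100))
```

Keeping the allowed-role list and the time-to-live short limits what a leaked test token can be used for.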