Storage Access Control
Supabase Storage is designed to work perfectly with Postgres Row Level Security (RLS).
You can use RLS to create Security Access Policies that are incredibly powerful and flexible, allowing you to restrict access based on your business needs.
By default Storage does not allow any uploads to buckets without RLS policies. You selectively allow certain operations by creating RLS policies on the
The RLS policies required for different operations are documented here
For example, the only RLS policy required for uploading objects is to grant the
INSERT permission to the
To allow overwriting files using the
upsert functionality you will need to additionally grant
An easy way to get started would be to create RLS policies for
DELETE operations and restrict the policies to meet your security requirements. For example, one can start with the following
_10create policy "policy_name"_10ON storage.objects_10for insert with check (_10true_10);
and modify it to only allow authenticated users to upload assets to a specific bucket by changing it to:
_10create policy "policy_name"_10on storage.objects for insert to authenticated with check (_10-- restrict bucket_10bucket_id = 'my_bucket_id'_10);
This example demonstrates how you would allow authenticated users to upload files to a folder called
_10create policy "Allow authenticated uploads"_10on storage.objects_10for insert_10to authenticated_10with check (_10bucket_id = 'my_bucket_id' and_10(storage.foldername(name)) = 'private'_10);
This example demonstrates how you would allow authenticated users to upload files to a folder called with their
_10create policy "Allow authenticated uploads"_10on storage.objects_10for insert_10to authenticated_10with check (_10bucket_id = 'my_bucket_id' and_10(storage.foldername(name)) = auth.uid()::text_10);
Allow a user to access a file that was previously uploaded by the same user:
_10create policy "Individual user Access"_10on storage.objects for select_10to authenticated_10using ( auth.uid() = owner_id );
Bypassing access controls#
If you exclusively use Storage from trusted clients, such as your own servers, and need to bypass the RLS policies, you can use the
service key in the
Authorization header. Service keys entirely bypass RLS policies, granting you unrestricted access to all Storage APIs.
Remember you should not share the service key publicly.