Storage database user requires superuser permissions
Bug report
- [x] I confirm this is a bug with Supabase, not with my own application.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
The database user requires incorrect database permissions.
To Reproduce
Given a PostgreSQL user named storage,
With createrole permissions,
And not superuser permissions,
When storage-api is deployed,
With the storage user as its database credentials,
Then it will crash with "permission denied to create role"
Expected behavior
I expect the service will start without superuser permissions.
Screenshots
{
  "level": 50,
  "time": "2025-06-12T21:48:05.458Z",
  "pid": 1,
  "hostname": "f2-storage-api-dev-5886d6d559-nwv64",
  "region": "not-specified",
  "type": "startupError",
  "error": {
    "raw": "{\"cause\":\"Error: An error occurred running 'storage-schema'. Rolled back this migration. No further migrations were run. Reason: permission denied to create role\"}",
    "name": "Error",
    "message": "Migration failed. Reason: An error occurred running 'storage-schema'. Rolled back this migration. No further migrations were run. Reason: permission denied to create role",
    "stack": "Error: Migration failed. Reason: An error occurred running 'storage-schema'. Rolled back this migration. No further migrations were run. Reason: permission denied to create role\n at /app/dist/internal/database/migrations/migrate.js:476:21\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)\n at async /app/dist/internal/database/migrations/migrate.js:543:14\n at async connectAndMigrate (/app/dist/internal/database/migrations/migrate.js:374:5)\n at async runMigrationsOnTenant (/app/dist/internal/database/migrations/migrate.js:264:3)\n at async main (/app/dist/start/server.js:58:5)",
    "statusCode": 0
  },
  "msg": "Server not started with error"
}
System information
- Container image: supabase/storage-api:latest
Additional context
This is running in Kubernetes via Terraform so unfortunately I cannot give you a simple reproduction. While Supabase requires a single database, it should allow for more limited service user permissions to allow for better security.
Also having this problem on supabase/storage-api:v1.24.6 - I cannot create policies programmatically anymore from migration files (that are run when executing 'supabase db reset'). Example error:
ERROR: must be owner of table objects (SQLSTATE 42501)
At statement: 4
CREATE POLICY "Give users SELECT access to own folder avatars" ON storage.objects
FOR SELECT TO authenticated
USING (bucket_id = 'avatars'
...and so on....
Hello! I would need more information about your schema roles and setup.
I'm going to close this issue for now as it's a few months old, but I'll be happy to re-open when I have more information.
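The role and ownership details requested above can be collected with read-only catalog queries such as the following. This is an added example, not part of the thread or of Supabase's own tooling; it assumes a psql session opened as the role that storage-api or the migration connects with, and it reuses the role name `storage` and the `storage` schema from the reports above.

```sql
-- Added diagnostic example (not from the issue thread). Read-only.
-- Assumption: run as the role storage-api / the migration connects with;
-- 'storage' is the role and schema name used in the reports above.

-- Server version, since role-management rules differ between major versions.
SHOW server_version;

-- 1. Attributes of the connecting role: is it superuser, may it create roles,
--    does it bypass row-level security?
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls, rolinherit
FROM pg_roles
WHERE rolname IN (current_user, 'storage');

-- 2. Roles the connecting role is a member of (and whether it can administer them).
SELECT m.rolname AS member, g.rolname AS member_of, a.admin_option
FROM pg_auth_members a
JOIN pg_roles m ON m.oid = a.member
JOIN pg_roles g ON g.oid = a.roleid
WHERE m.rolname IN (current_user, 'storage');

-- 3. Owner of the storage schema and the connecting role's privileges on it.
SELECT n.nspname                                     AS schema_name,
       pg_get_userbyid(n.nspowner)                   AS schema_owner,
       has_schema_privilege(current_user, n.oid, 'USAGE')  AS has_usage,
       has_schema_privilege(current_user, n.oid, 'CREATE') AS has_create
FROM pg_namespace n
WHERE n.nspname = 'storage';

-- 4. Owner of each table in the schema. CREATE POLICY requires ownership of the
--    target table, so can_act_as_owner = false on storage.objects matches the
--    "must be owner of table objects" error.
SELECT t.tablename,
       t.tableowner,
       t.rowsecurity,
       pg_has_role(current_user, t.tableowner, 'USAGE') AS can_act_as_owner
FROM pg_tables t
WHERE t.schemaname = 'storage'
ORDER BY t.tablename;

-- 5. Whether the connecting role may create schemas in this database at all.
SELECT has_database_privilege(current_user, current_database(), 'CREATE') AS can_create_schema;
```

Queries 3 and 4 return no rows when the `storage` schema has not been created yet, which is the expected state after the rolled-back 'storage-schema' migration in the first report.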