Supabase•2mo ago
GrafMine

Issue with Prisma + Read-only User Permissions

I'm facing a specific issue with Prisma ORM integration and custom Supabase user permissions.

The Problem:
- I created a custom read-only database user in Supabase for production security
- Prisma can generate types successfully but cannot execute read queries like await prisma.SOME_MODEL.findMany() when using this restricted user's credentials (Error querying the database: FATAL: Tenant or user not found)
- This forces me to use a full-access user in production, which is a security concern

Current Workaround:
- Using full database access "on trust" that developers won't misuse it
- But I want proper permission-based security, not trust-based

Questions:
- Is there a way to make Prisma work with read-only database users?
- Any other security best practices for this scenario?
16 Replies
ihm40•2mo ago
https://github.com/orgs/supabase/discussions/34455 might be worth seeing if this discussion thread is relevant to you
GitHub
Unable to use a readonly user · supabase · Discussion #34455
Hello, I am using supabase in my application. I want to create a read only user for general debugging and usage. But I am unable to make it work. I either get a Tenant or user not found error or a ...
GrafMineOP•2mo ago
@ihm40 nice, but where can I find the supabase_read_only_user password? 🙂
ihm40•2mo ago
it is a Supabase managed role I believe, if you go into Database -> roles you will see supabase_read_only_user as a role
GrafMineOP•2mo ago
yes I see, but I can't use it without a password
ihm40•2mo ago
what do you mean without password? I think every role will require the db password to be set in the connection
GrafMineOP•2mo ago
it is not possible to see it and change it
ihm40•2mo ago
what would you want to change?
GrafMineOP•2mo ago
I want to change my supabase_read_only_user password, it's a desperate desire, because I don't know how to see or find out my supabase_read_only_user password.
ihm40•2mo ago
right okay, I think I understand. You want to create a Supabase user with a different password to the current database password and give only read permissions to that user?
GrafMineOP•2mo ago
in general - yes
ihm40•2mo ago
I don't know how to do that (via Supabase UI at least), maybe you could do it via SQL queries but I would be careful with that
GrafMineOP•2mo ago
I already created such a user through SQL, but it didn't help, as in the link you provided, the only possible way is to use the user that supabase_read_only itself provides, but I have no idea what its password is.
ihm40•2mo ago
I am looking at this guide
ihm40•2mo ago
and it seems like the password should have been set when you created the user?
# as postgres
postgres=> create role junior_dev login password 'a long and secure password';
CREATE ROLE
postgres=> create role senior_dev login password 'another long and secure password';
CREATE ROLE
GrafMineOP•2mo ago
I know how roles are created, that wasn't the question. I solved the problem, thanks for taking the time and providing the link, I just now noticed that I need to insert it even for custom instanceID users
