Supabase bucket RLS policy for table objects fix
Technology

Supabase bucket RLS policy for table objects fix

This Storage error almost never means Supabase is broken. It usually means your upload path, your RLS policy, or your use of `upsert` does not match how Storage actually authorizes writes.

2026-06-06
7 min read
Supabase bucket RLS policy for table objects fix

Supabase bucket RLS policy for table objects fix#

The exact error looks like this:

text
new row violates row-level security policy for table "objects"

The root cause is usually one of three things:

  1. you have no INSERT policy on storage.objects
  2. you are using upsert: true, which needs more than just INSERT
  3. you passed the bucket and file path in the wrong places

That is why this error shows up even when the user is already signed in.

The first thing to fix: bucket name vs file path#

This is the broken shape from the real Stack Overflow thread:

ts
// Wrong
await supabase.storage
  .from('/public/avatars')
  .upload(`${email}.png`, file, { upsert: true })

Supabase's own upload docs show the correct split:

ts
const { data, error } = await supabase.storage
  .from('avatars')
  .upload('public/avatar1.png', file, {
    cacheControl: '3600',
    upsert: false,
  })

if (error) throw error

from() takes the bucket. upload() takes the path inside that bucket.

The minimal policy for a plain upload#

Supabase documents that the only policy required for uploading objects is an INSERT policy on storage.objects.

A minimal bucket-scoped policy looks like this:

sql
create policy "Allow authenticated uploads to avatars"
on storage.objects
for insert
to authenticated
with check (
  bucket_id = 'avatars'
);

If your uploads should go only into a specific folder, add a folder constraint too:

sql
create policy "Allow authenticated uploads to avatars/private"
on storage.objects
for insert
to authenticated
with check (
  bucket_id = 'avatars' and
  (storage.foldername(name))[1] = 'private'
);

The upsert: true trap#

This is the part many articles miss. Supabase's Storage access-control docs explicitly say that overwriting files with upsert needs SELECT and UPDATE permissions in addition to the upload policy.

So this code:

ts
await supabase.storage
  .from('avatars')
  .upload(`private/${userId}/avatar.png`, file, {
    upsert: true,
  })

needs more than just for insert.

If you do not actually need overwrite behavior, make the fix smaller:

ts
await supabase.storage
  .from('avatars')
  .upload(`private/${userId}/avatar.png`, file, {
    upsert: false,
  })

That alone resolves a surprising number of production bugs.

If you really do need overwrite behavior#

Keep the insert policy, then add read/update policies that match the same object scope.

sql
create policy "Allow authenticated reads on avatars/private"
on storage.objects
for select
to authenticated
using (
  bucket_id = 'avatars' and
  (storage.foldername(name))[1] = 'private'
);

create policy "Allow authenticated updates on avatars/private"
on storage.objects
for update
to authenticated
using (
  bucket_id = 'avatars' and
  (storage.foldername(name))[1] = 'private'
)
with check (
  bucket_id = 'avatars' and
  (storage.foldername(name))[1] = 'private'
);

A safe client upload example#

ts
const filePath = `private/${userId}/avatar.png`

const { data, error } = await supabase.storage
  .from('avatars')
  .upload(filePath, file, {
    cacheControl: '3600',
    upsert: false,
  })

if (error) {
  throw error
}

This is the right place to start. Only add overwrite behavior once the basic insert path works.

When the service key changes everything#

Supabase's Storage docs also note that service keys bypass Storage RLS entirely. That can be useful for trusted server-side jobs, but it is not a fix for a browser upload bug. If a client upload needs the service key to work, the policy is still wrong.

The better debugging order is:

  1. fix the bucket/path split
  2. test with upsert: false
  3. add the exact INSERT policy
  4. only then add SELECT and UPDATE if overwrite is required

For the surrounding security pieces:

References#

Frequently Asked Questions

|

Have more questions? Contact us

Written by

Mahdi Br
Mahdi Br

Full-Stack Dev — Next.js & Supabase

Solo developer building SaaS products with Next.js and Supabase. Writing about production patterns the official docs skip.

Remote

One email a month — no fluff

RLS gotchas, Next.js cache debugging, and the one Supabase setting that bit me last month.

Continue Reading

Debugging Supabase RLS Issues: A Step-by-Step Guide
technology

Debugging Supabase RLS Issues: A Step-by-Step Guide

Master RLS debugging techniques. Learn how to identify, diagnose, and fix Row Level Security policy issues that block data access in production.

2026-03-17
13 min read
Why Your Supabase RLS Policies Are Silently Failing (And How to Debug Them)
technology

Why Your Supabase RLS Policies Are Silently Failing (And How to Debug Them)

RLS failures don't throw errors — they return empty results. Here is exactly how to find and fix the most common Row Level Security bugs in Supabase before they reach production.

2026-03-17
7 min read
Supabase Service Role Key Guide 2026: Secure RLS Bypass
Technology

Supabase Service Role Key Guide 2026: Secure RLS Bypass

Learn how to securely use the Supabase service role key in Next.js Edge Functions and Server Actions to bypass RLS and manage users.

2026-06-04
12 min read

Browse by Topic

Find stories that matter to you.