Postgres roles

info

Lakebase Provisioned is the original Lakebase offering that uses provisioned compute you scale manually. For supported regions, see Region availability. For the latest version of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore, see Lakebase Autoscaling.

New Lakebase instances will be created as Autoscaling projects. Rollout starts March 12, 2026. For details, see Autoscaling by default.

This page explains the Postgres roles that you can use to govern access to a Databricks Lakebase database instance, including their privileges, purpose, and configuration.

Pre-created roles

After a database instance is created, Databricks automatically creates a Postgres role for the user who created the instance.

Role	Description	Inherited privileges
<instance_owner_role>	The Databricks identity of the instance creator (for example, myuser@databricks.com). This role can log in and administer the instance.	Member of databricks_superuser
databricks_superuser	An internal administrative role. Used to configure and manage access across the instance. This role is granted broad privileges and should not be used in automated applications.	Inherits from pg_read_all_data, pg_write_all_data, and pg_monitor.

Role capabilities

Role	LOGIN	CREATEDB	CREATEROLE	BYPASSRLS	Other privileges
databricks_superuser	NOLOGIN	—	—	—	All privileges (with grant) on all databases, schemas, tables, and sequences EXECUTE on pg_stat_statements_reset()
<instance_owner_role>	✅	✅	✅	✅	Owner of the default databricks_postgres database

System roles created by Databricks

In addition to the databricks_superuser and admin roles, Databricks creates system roles required for internal services. These roles are assigned the minimum privileges required for functionality. Modifying them can impact instance behavior.

Role	Purpose
databricks_control_plane	Used by internal Databricks components for management operations
databricks_monitor	Used by internal metrics collection services
databricks_writer_<dbid>	Per-database role used to create and manage synced tables
databricks_reader_<dbid>	Per-database role used to read tables registered in Unity Catalog
databricks_gateway	Used for internal connections for managed data serving services

To learn how roles, privileges, and role memberships work in Postgres, use the following resources in the Postgres documentation:

• Database Roles
• Privileges

Create Postgres roles for Databricks identities

A Postgres role for the database instance owner's Databricks identity is created automatically. To allow other Databricks identities to log in, create additional roles using the UI or PostgreSQL queries.

note

Role management actions are governed by the permissions granted on the database instance. Ensure you have the appropriate level of access before attempting to manage roles.

UI

Users with CAN USE permission can view existing roles or add a role for their own identity. Users with CAN MANAGE can create roles for other Databricks identities and drop any role.

1. Click Apps in the top right corner and select Lakebase Postgres.
2. Click Provisioned to open the Provisioned instances page.
3. Select your database instance.
4. Select the Roles page in the Lakebase App sidebar.
5. Click Add role.
6. From the Principal drop-down menu, select a user, group, or service principal.
7. (Optional) Select System Roles to grant databricks_superuser (read and write access to all data).
8. (Optional) Select System Attributes to grant CREATEDB, CREATEROLE, or BYPASSRLS.
9. Click Add.

PostgreSQL

Requirements:

• You must have CREATE and CREATE ROLE permissions on the database.
• You must authenticate as a Databricks identity. Native Postgres authenticated sessions cannot create Databricks roles.
• Your authentication token must be valid.

Use the databricks_create_role function from the databricks_auth extension:

PostgreSQL

CREATE EXTENSION IF NOT EXISTS databricks_auth;

PostgreSQL

-- Databricks user
SELECT databricks_create_role('myuser@databricks.com', 'USER');

-- Service principal (use application ID)
SELECT databricks_create_role('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'SERVICE_PRINCIPAL');

-- Group
SELECT databricks_create_role('My Group 123', 'GROUP');

New roles only have privileges granted to PUBLIC. Use standard Postgres GRANT and REVOKE commands to add permissions.

View Databricks identity roles

UI

You can see which users, groups, and service principals have a corresponding Postgres role on the Roles page.

1. Click Apps in the top right corner and select Lakebase Postgres.
2. Click Provisioned to open the Provisioned instances page.
3. Select your database instance.
4. Select the Roles page in the Lakebase App sidebar.

PostgreSQL

Use the databricks_list_roles function from the databricks_auth extension to list all Databricks identity roles — users, service principals, and groups added to authenticate as Postgres roles.

PostgreSQL

CREATE EXTENSION IF NOT EXISTS databricks_auth;

PostgreSQL

SELECT * from databricks_list_roles;

Drop a Postgres role

UI

1. Click Apps in the top right corner and select Lakebase Postgres.
2. Click Provisioned to open the Provisioned instances page.
3. Select your database instance.
4. Select the Roles page in the Lakebase App sidebar.
5. For the role you want to drop, click and click Drop.
6. (Optional) Turn on Reassign owned objects to reassign owned objects before dropping.
7. Click Confirm.

PostgreSQL

Drop a Databricks identity-based role the same as any Postgres role. See the PostgreSQL documentation on dropping roles.