
Manage roles

info

Lakebase Autoscaling is available in the following regions: us-east-1, us-east-2, us-west-2, ca-central-1, sa-east-1, eu-central-1, eu-west-1, eu-west-2, ap-south-1, ap-southeast-1, ap-southeast-2.

Lakebase Autoscaling is the latest version of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore. If you are a Lakebase Provisioned user, see Lakebase Provisioned.

Postgres roles control access to your Postgres databases, schemas, tables, and other database objects. Use the Lakebase UI to create and manage roles for your team.

note

Before working with roles, see how to connect to your database and authenticate using OAuth tokens or native Postgres password authentication.

Role overview

When you create a project, a Postgres role is automatically created for your Databricks identity (for example, user@databricks.com). This role owns the default databricks_postgres database and is a member of databricks_superuser, giving it broad privileges to manage database objects. You can create additional roles in your project's default branch or in child branches.

Create a role

Use the Add role dialog in the Lakebase App to create either an OAuth role for a Databricks identity or a native Postgres password role.

Create an OAuth role

OAuth roles are linked to a Databricks identity (user, service principal, or group) and authenticate using OAuth tokens, which expire after one hour.

Roles are branch-scoped. When you create a child branch, it inherits roles from its parent branch. For groups, only workspace-level groups are supported.

Optionally grant databricks_superuser (inherits pg_read_all_data, pg_write_all_data, and pg_monitor) or standard Postgres attributes (CREATEDB, CREATEROLE, BYPASSRLS). See Role attributes in the PostgreSQL documentation.

To create an OAuth role, navigate to Roles & Databases > Add role > OAuth tab, select an identity from the Principal dropdown, configure permissions, and click Add.


note

You can also create OAuth roles using the databricks_auth extension with SQL or the REST API. See Create Postgres roles.

Create a password role

Password roles use a static Postgres password and are not linked to a Databricks identity. They are useful for applications or tools that require traditional database credentials.

The Lakebase App generates a secure password automatically. Copy it immediately after creation — it is not shown again. If you need a custom password, set it later using SQL. The same optional permissions from the OAuth role apply (databricks_superuser, CREATEDB, CREATEROLE, BYPASSRLS). Role names must be valid Postgres identifiers and cannot exceed 63 characters.

To create a password role, navigate to Roles & Databases > Add role > Password tab, enter a role name, configure permissions, click Add, and copy the generated password.


View roles

To view all roles in a branch, navigate to your branch's Roles & Databases tab in the Lakebase App.
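The Roles list can be complemented from SQL. The following query is an added example, not part of the Lakebase documentation: it reviews which roles in the connected branch hold the optional permissions described above (databricks_superuser membership, CREATEDB, CREATEROLE, BYPASSRLS) and which roles own databases. It uses only the standard PostgreSQL catalogs pg_roles and pg_database and the pg_has_role function; skipping the built-in pg_* roles is an assumption about what you want to review.

```sql
-- Added example: least-privilege review of roles in the connected branch.
-- Run it in the SQL editor or psql while connected to the branch under review.
SELECT
    r.rolname,
    r.rolcanlogin,                       -- can this role open a session at all?
    r.rolcreatedb,                       -- CREATEDB attribute
    r.rolcreaterole,                     -- CREATEROLE attribute
    r.rolbypassrls,                      -- BYPASSRLS: row-level security is not applied
    -- Direct or indirect membership in databricks_superuser, which inherits
    -- pg_read_all_data, pg_write_all_data and pg_monitor.
    pg_has_role(r.oid, 'databricks_superuser'::name, 'MEMBER')
        AS in_databricks_superuser,
    -- Databases owned by the role; a role that owns a database cannot be deleted.
    COALESCE(
        (SELECT string_agg(d.datname::text, ', ' ORDER BY d.datname)
           FROM pg_database d
          WHERE d.datdba = r.oid),
        '') AS owned_databases
FROM pg_roles r
WHERE r.rolname !~ '^pg_'                      -- assumption: skip built-in pg_* roles
  AND r.rolname <> 'databricks_superuser'      -- the group role itself
  AND (   r.rolcreatedb
       OR r.rolcreaterole
       OR r.rolbypassrls
       OR pg_has_role(r.oid, 'databricks_superuser'::name, 'MEMBER')
       OR EXISTS (SELECT 1 FROM pg_database d WHERE d.datdba = r.oid))
ORDER BY in_databricks_superuser DESC, r.rolname;
```

Because roles are branch-scoped and child branches inherit roles from their parent, run the query once per branch you want to review.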


Block password connections

Disabling password connections enforces OAuth-only authentication across your project, ensuring all database access goes through Databricks identities. Existing password roles are not deleted, but they cannot authenticate until password connections are re-enabled.

In your project Settings > Database connections, uncheck Password (Native Postgres roles).

You can also control this per compute endpoint. In your branch's compute settings, select Edit > Database connections and uncheck Password (Postgres roles).


Reset a password

You can reset the password for native Postgres password roles. OAuth roles use OAuth tokens for authentication and don't have passwords to reset.

To reset a role's password:

  1. Navigate to your branch's Roles & Databases tab in the Lakebase App.
  2. Select Reset password from the role menu and click Reset.
  3. Copy the new generated password.

note

Resetting a password in the Lakebase App resets the password to a generated value with 60-bit entropy. To set your own password value, you can reset the password using the SQL editor or an SQL client like psql with the following syntax:

SQL
ALTER USER user_name WITH PASSWORD 'new_password';

The password should have at least 12 characters with a mix of lowercase, uppercase, number, and symbol characters. User-defined passwords are validated at creation time to ensure 60-bit entropy.

Get a new OAuth token

If you're using OAuth authentication and need a new OAuth token (tokens expire after one hour), you can get one from the Connect modal:

  1. Navigate to your project in the Lakebase App.
  2. Click Connect to open the database connection modal.
  3. Select your OAuth role from the Roles dropdown.
  4. Click Copy OAuth Token to copy a new token.

Learn more: Connect with an OAuth role | About authentication

Delete a role

important

Deleting a role is permanent and cannot be undone. You cannot delete a role that owns a database; the database must be deleted before the role that owns it.

To delete a role:

  1. Navigate to your branch's Roles & Databases tab in the Lakebase App.
  2. Select Delete role from the role menu and confirm the deletion.

note

Managing database roles requires the CAN MANAGE or CAN USE project permission. If you don't have the required permission, you will see a "Permissions required" message when attempting a role-related action. Contact a workspace admin to request access. For more information, see Manage project permissions.