Skip to main content

Manage roles

Beta

Lakebase Postgres (Autoscaling Beta) is the next version of Lakebase, available for evaluation only. For production workloads, use Lakebase Public Preview. See choosing between versions to understand which version is right for you.

Postgres roles control access to your Postgres databases, schemas, tables, and other database objects. Use the Lakebase UI to create and manage roles for your team.

note

Before working with roles, see how to connect to your database and authenticate using OAuth tokens or native Postgres password authentication.

Role overview

When you create a project, a Postgres role is automatically created for your Databricks identity (for example, user@databricks.com). This role owns the default databricks_postgres database and is a member of databricks_superuser, giving it broad privileges to manage database objects. You can create additional roles in your project's default branch or in child branches.

The Lakebase UI can only create native Postgres password roles. To create OAuth roles for other Databricks identities, use the databricks_auth extension with SQL. See Create an OAuth role in Manage Postgres roles.

Create a role

To create a native Postgres password role using the UI:

  1. Navigate to your branch's Roles & Databases tab in the Lakebase App.
  2. Click Add role and specify a role name (any valid Postgres role name).

Add a Postgres role

  1. Click Create.
  2. Copy the generated password and provide it securely to the user who will use this role.
note

The Lakebase UI generates a secure password automatically with 60-bit entropy. If you need to set a custom password, you can do so using SQL. The password should have at least 12 characters with a mix of lowercase, uppercase, number, and symbol characters. User-defined passwords are validated at creation time to ensure 60-bit entropy.

Role names cannot exceed 63 characters, and some names are not permitted.

Reset a password

You can reset the password for native Postgres password roles. OAuth roles use OAuth tokens for authentication and don't have passwords to reset.

To reset a role's password:

  1. Navigate to your branch's Roles & Databases tab in the Lakebase App.
  2. Select Reset password from the role menu and click Reset.
  3. Copy the new generated password.
note

Resetting a password in the Lakebase App resets the password to a generated value with 60-bit entropy. To set your own password value, you can reset the password using the SQL editor or an SQL client like psql with the following syntax:

SQL
ALTER USER user_name WITH PASSWORD 'new_password';

The password should have at least 12 characters with a mix of lowercase, uppercase, number, and symbol characters. User-defined passwords are validated at creation time to ensure 60-bit entropy.

Get a new OAuth token

If you're using OAuth authentication and need a new OAuth token (tokens expire after one hour), you can get one from the Connect modal:

  1. Navigate to your database project in the Lakebase App.
  2. Click Connect to open the database connection modal.
  3. Select your OAuth role from the Roles dropdown.
  4. Click Copy OAuth Token to copy a new token.

Learn more: Connect with an OAuth role | About authentication

Delete a role

important

Deleting a role is a permanent action that cannot be undone, and you cannot delete a role that owns a database. The database must be deleted before deleting the role that owns the database.

To delete a role:

  1. Navigate to your branch's Roles & Databases tab in the Lakebase App.
  2. Select Delete role from the role menu and confirm the deletion.
Last updated on