diff --git a/migrations/db/migrations/20250421084701_revoke_supabase_storage_admin_from_postgres.sql b/migrations/db/migrations/20250421084701_revoke_supabase_storage_admin_from_postgres.sql
new file mode 100644
index 000000000..28aaa8d76
--- /dev/null
+++ b/migrations/db/migrations/20250421084701_revoke_supabase_storage_admin_from_postgres.sql
@@ -0,0 +1,14 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+revoke supabase_auth_admin from postgres;
+revoke create on schema auth from postgres;
+revoke all on auth.schema_migrations from dashboard_user, postgres;
+
+revoke supabase_realtime_admin from postgres;
+revoke create on schema realtime from postgres;
+revoke all on schema_migrations from postgres, dashboard_user, anon, authenticated, service_role;
+
+-- migrate:down
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
index ea4f1318a..9467c1fbc 100644
--- a/migrations/tests/database/privs.sql
+++ b/migrations/tests/database/privs.sql
@@ -27,3 +27,4 @@ SELECT schema_privs_are('extensions', 'service_role', array['USAGE']);
 -- Role memberships
 SELECT is_member_of('pg_read_all_data', 'postgres');
 SELECT is_member_of('pg_signal_backend', 'postgres');
+SELECT isnt_member_of('supabase_storage_admin', 'postgres');
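Review bot: The last revoke in the realtime group names `schema_migrations` without a schema, while the storage and auth groups qualify theirs (`storage.migrations`, `auth.schema_migrations`). An unqualified name is resolved through the migration session's search_path, so the statement may strip privileges from a different `schema_migrations` table than the realtime one, or fail if none is visible, leaving the realtime table's grants untouched. If the realtime table is what is meant, write `revoke all on realtime.schema_migrations from postgres, dashboard_user, anon, authenticated, service_role;`. Separately, the three table-level revokes presumably raise an error when the target table has not yet been created by its service, which would abort the migration; it is worth confirming those tables always exist at this point.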
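Review bot: Only the storage membership is asserted on the added line, although the migration in this commit also revokes `supabase_auth_admin` and `supabase_realtime_admin` from postgres, so a regression that re-grants either role would still pass the suite. Add `SELECT isnt_member_of('supabase_auth_admin', 'postgres');` and `SELECT isnt_member_of('supabase_realtime_admin', 'postgres');` after it. The revoked CREATE on the storage, auth and realtime schemas is likewise not covered in this hunk; a `schema_privs_are` assertion per schema for postgres would pin it, with the expected privilege array to be confirmed against the intended grants. If the file declares a fixed plan count outside this hunk, it has to be raised to match.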