diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index dc7c8aa..3ced54a 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -32,6 +32,7 @@ services:
     volumes:
       - db-data:/var/lib/postgresql/data
       - ./init.sql:/docker-entrypoint-initdb.d/init.sql:ro
+      - ./zz-set-passwords.sh:/docker-entrypoint-initdb.d/zz-set-passwords.sh:ro
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U postgres"]
       interval: 10s
diff --git a/deploy/init.sql b/deploy/init.sql
index b82e334..4205eed 100644
--- a/deploy/init.sql
+++ b/deploy/init.sql
@@ -53,8 +53,8 @@ GRANT authenticated TO authenticator;
 GRANT service_role TO authenticator;
 GRANT supabase_admin TO postgres;
 
--- Note: Passwords for supabase_admin and authenticator are set by the Supabase image
--- based on POSTGRES_PASSWORD environment variable. Don't override them here.
+-- Note: Passwords for supabase_admin, authenticator, and other roles are set by
+-- zz-set-passwords.sh which runs after this script and uses POSTGRES_PASSWORD.
 
 -- Create schemas
 CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION supabase_auth_admin;
diff --git a/deploy/zz-set-passwords.sh b/deploy/zz-set-passwords.sh
new file mode 100644
index 0000000..17859b2
--- /dev/null
+++ b/deploy/zz-set-passwords.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Monaco USA Portal - Set Role Passwords
+# This script runs AFTER init.sql to set passwords for Supabase roles
+# using the POSTGRES_PASSWORD environment variable.
+#
+# The Supabase postgres image's internal migrate.sh expects supabase_admin
+# to have a password matching POSTGRES_PASSWORD.
+
+set -e
+
+echo "Setting passwords for Supabase roles..."
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    -- Set supabase_admin password (required by Supabase internal scripts)
+    ALTER ROLE supabase_admin WITH PASSWORD '${POSTGRES_PASSWORD}';
+
+    -- Set authenticator password (used by PostgREST)
+    ALTER ROLE authenticator WITH PASSWORD '${POSTGRES_PASSWORD}';
+
+    -- Set supabase_auth_admin password (used by GoTrue)
+    ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+
+    -- Set supabase_storage_admin password (used by Storage API)
+    ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
+EOSQL
+
+echo "Supabase role passwords configured successfully."