fix: grant Vault privs to service_role #1539
base: develop
ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
We need more tests as explained above.
If it helps, I had a moment and created some proposed tests that I think cover this PR, as a PR to this one here. The tests are found in #1540. Feel free to reject that if it doesn't do what you need/you are implementing your own.
@supabase/postgres tests added, please +1. Aiming to release this early next week.
Tests need changing as mentioned on #1540 (comment)
9bdefbc to aacdfb4
@@ -52,8 +58,9 @@ ORDER BY object_name, grantee, privilege_type; | |||
vault | secrets | supabase_admin | TRUNCATE | |||
vault | secrets | supabase_admin | UPDATE | |||
vault | update_secret | postgres | EXECUTE | |||
vault | update_secret | service_role | EXECUTE |
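Review bot: The `vault | update_secret | service_role | EXECUTE` row only records that the grant is present in the privilege listing; nothing in this expected output shows service_role actually calling the function. Consider adding a case that switches to service_role and runs vault.update_secret against a test secret, along with a check that a role not listed here is refused, so a regression in the grant shows up as a failed call rather than only as a changed listing.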
Effects of the changes now can be clearly visualized.
PR was rebased on top of #1544, tests now look good.
The `chore: bump versions` commit didn't make the rebase as some other commit already used the same versions on https://github.com/supabase/postgres/blob/develop/ansible/vars.yml#L11-L14.
I think in this case we just need to advance those versions one more than https://github.com/supabase/postgres/blob/develop/ansible/vars.yml#L11, unless this PR has not been tested in local infra for relevant scenarios. If not, we should add a suffix to the version and test, then remove that and merge.
Did that, although not sure if correct.
Version bump looks correct, but we also need to make sure we have tested these changes before we merge into develop. If you're not able to do so, either myself or @soedirgo can for the short term.
service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions; we do the grants for Vault functions instead