fix: vault grants post-upgrade #1606

Open
wants to merge 1 commit into
base: develop

soedirgo
Member

Follow up to https://github.com/supabase/postgres/pull/1539/files.

The change has been applied for new & restored projects, but not post-upgrade.

Updated supabase/postgres migrations are not reapplied on post-upgrade, only on post-restore. So for the change to be applied on upgraded projects, we need to apply it on the post-upgrade script.

soedirgo requested review from a team as code owners on May 23, 2025 08:04
Comment on lines +229 to +236
grant usage on schema vault to postgres with grant option;
grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;

-- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
grant usage on schema vault to service_role;
grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
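
Review bot: the two `grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt` statements identify the functions by name only, which PostgreSQL accepts only while each name is unique in the schema, so an overload added by a later Vault release would make the post-upgrade script fail at this point. Consider spelling out the argument types, or add a comment stating that the names are expected to stay unique. Nothing in these lines checks that the `vault` schema exists on the upgraded project; if a project can reach this block without Vault installed, the first `grant usage on schema vault` will error, so a guard around the block would be safer. The `service_role` grants carry a comment explaining why they exist, but the `postgres ... with grant option` block has none; a one-line comment there, plus a pointer to the migration from #1539 that these statements mirror, would help keep the two copies in sync.
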
Member

Can this change be covered by tests somehow?

Member Author

No, only through manual tests. We don’t have a test harness that covers upgrades.
