fix: missing Vault privileges for postgres

soedirgo · soedirgo · commit a74b26a0d5d3 · 2025-04-22T22:10:52.000+08:00
diff --git a/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
@@ -1,5 +1,5 @@
 grant usage on schema vault to postgres with grant option;
-grant select, delete on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
 grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
 
 -- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
diff --git a/nix/tests/expected/vault.out b/nix/tests/expected/vault.out
@@ -36,7 +36,9 @@ ORDER BY object_name, grantee, privilege_type;
  vault  | create_secret             | service_role   | EXECUTE
  vault  | create_secret             | supabase_admin | EXECUTE
  vault  | decrypted_secrets         | postgres       | DELETE
+ vault  | decrypted_secrets         | postgres       | REFERENCES
  vault  | decrypted_secrets         | postgres       | SELECT
+ vault  | decrypted_secrets         | postgres       | TRUNCATE
  vault  | decrypted_secrets         | service_role   | DELETE
  vault  | decrypted_secrets         | service_role   | SELECT
  vault  | decrypted_secrets         | supabase_admin | DELETE
@@ -47,7 +49,9 @@ ORDER BY object_name, grantee, privilege_type;
  vault  | decrypted_secrets         | supabase_admin | TRUNCATE
  vault  | decrypted_secrets         | supabase_admin | UPDATE
  vault  | secrets                   | postgres       | DELETE
+ vault  | secrets                   | postgres       | REFERENCES
  vault  | secrets                   | postgres       | SELECT
+ vault  | secrets                   | postgres       | TRUNCATE
  vault  | secrets                   | service_role   | DELETE
  vault  | secrets                   | service_role   | SELECT
  vault  | secrets                   | supabase_admin | DELETE
@@ -60,7 +64,7 @@ ORDER BY object_name, grantee, privilege_type;
  vault  | update_secret             | postgres       | EXECUTE
  vault  | update_secret             | service_role   | EXECUTE
  vault  | update_secret             | supabase_admin | EXECUTE
-(33 rows)
+(37 rows)
 
 -- vault indexes with owners
 SELECT
