S
Supabase8mo ago
jay_ee.

using the service role key but supabase thinks im anon

when i interact with my db using the python client (create_client) with the supabase service role key, then it throws a RLS error when i try to POST (not for GET). supabase logs shows the error and i can read role: anon
7 Replies
garyaustin
garyaustin8mo ago
Please clear up or show what you are doing. You say you are using anon key in create_client, but not the title of your post.
jay_ee.
jay_ee.OP8mo ago
sorry, its the supabase service role key 
     # Initialize process-specific resources with proper service role config
        supabase_staging = create_client(
            SUPABASE_STAGING_URL,
            SUPABASE_STAGING_KEY,
            options=ClientOptions(
                auto_refresh_token=False,
                persist_session=False
            )
        )
     # Initialize process-specific resources with proper service role config
        supabase_staging = create_client(
            SUPABASE_STAGING_URL,
            SUPABASE_STAGING_KEY,
            options=ClientOptions(
                auto_refresh_token=False,
                persist_session=False
            )
        )
SUPABASE_STAGING_KEY = SERVICE ROLE then i get the error: ""HTTP/2 401 Unauthorized""} ❌ Error storing data to Supabase: {'code': '42501', 'details': None, 'hint': None, 'message': 'new row violates row-level security policy for table "inferred_trips"'} " and i supabase logs i can see that the db thinks i am anon: 
              }
                ],
                "authorization": [
                  {
                    "invalid": null,
                    "payload": [
                      {
                        "algorithm": "HS256",
                        "issuer": "supabase",
                        "key_id": null,
                        "role": "anon",
                        "signature_prefix": "emnzYt",
                        "subject": null
                      }
                    ]
                  }
                ]
              }
            ]
              }
                ],
                "authorization": [
                  {
                    "invalid": null,
                    "payload": [
                      {
                        "algorithm": "HS256",
                        "issuer": "supabase",
                        "key_id": null,
                        "role": "anon",
                        "signature_prefix": "emnzYt",
                        "subject": null
                      }
                    ]
                  }
                ]
              }
            ]
garyaustin
garyaustin8mo ago
Well for some reason then your call is not using that client or you are putting in anon key at some point after into the Authorization header. There is nothing that will switch an API call jwt from service_role to anon after it leaves your code.
jay_ee.
jay_ee.OP8mo ago
i create the client only once can i create a user to bypass rls and authenticate with that user using the python client?
garyaustin
garyaustin8mo ago
service_role initialization will bypass RLS. There is no other user that can do that. You will probably need to have a reproducible repository for someone using python to help you if you can't find what you are doing to either init with service_role key or replace it with anon key later.
There is no known bug and no other users are reporting any issues doing this.
jay_ee.
jay_ee.OP8mo ago
and the create_client statement for init the service_role is correct yes? there is no special initialization required? just passing the service role key instaed of the anon key? i created a new key and now it throws this 
"method": "GET",
  "path": "/rest/v1/locations",
  "port": null,
  "protocol": "https:",
  "sb": [
    {
      "auth_user": null,
      "jwt": [
        {
          "apikey": [
            {
              "invalid": null,
              "payload": [
                {
                  "algorithm": "HS256",
                  "issuer": "supabase",
                  "role": "anon",
                  "signature_prefix": "emnzYt",
                  "subject": null
                }
              ]
            }
          ],
          "authorization": [
            {
              "invalid": null,
              "payload": [
                {
                  "algorithm": "HS256",
                  "issuer": "supabase",
                  "key_id": null,
                  "role": "anon",
                  "signature_prefix": "emnzYt",
                  "subject": null
                }
              ]
            }
          ]
        }
      ]
    }
"method": "GET",
  "path": "/rest/v1/locations",
  "port": null,
  "protocol": "https:",
  "sb": [
    {
      "auth_user": null,
      "jwt": [
        {
          "apikey": [
            {
              "invalid": null,
              "payload": [
                {
                  "algorithm": "HS256",
                  "issuer": "supabase",
                  "role": "anon",
                  "signature_prefix": "emnzYt",
                  "subject": null
                }
              ]
            }
          ],
          "authorization": [
            {
              "invalid": null,
              "payload": [
                {
                  "algorithm": "HS256",
                  "issuer": "supabase",
                  "key_id": null,
                  "role": "anon",
                  "signature_prefix": "emnzYt",
                  "subject": null
                }
              ]
            }
          ]
        }
      ]
    }
garyaustin
garyaustin8mo ago
Yes, that is all that is needed. It is clearly saying you are sending anon in the apikey (not just the authorization header). So you are not replacing the authorization header or doing a user session in the client later which would change the authorization value and not the apikey value. The client calling Supabase has createClient done with anon key.

Did you find this page helpful?