Getting decrypted vault value server-side
I am trying to query a secret from my vault on my server using my service role key. I am doing this in Python. I can't get it to work, I get the error "The schema must be one of the following: public, graphql_public". Is there a way to do this?
13 Replies
Do I have to set up a DB function to do it for me?
Yes. You don't have access to vault schema by default and really should not add it to the API.
OK @garyaustin, thanks. I set up the function to read when needed. Do I also need a function for inserting? The vault.create_secret function fails when I try to call it with my service role client. The docs don't give me too much information on what to do, either.
I guess I need a public.create_vault_secret function that is security definer, since even the service key doesn't have insert rights for the vault schema?
I don't know. In general, Vault is intended for internal secrets for the DB. But with a security definer function (only granted to service_role) it should work. If I remember right, you insert into Vault with a function and not a direct table operation.
Yeah, I feel like I am going against some of the Vault security guardrails, but I don't really know what else to do.
I need to insert and read secrets in my backend. Is Vault not really meant for this?
I don't know that they defined a specific intent other than that the secrets can't be accessed from backups.
It is not intended for things like a secret per user of your app.
That is exactly what I'm using it for right now.
Damn.
What is your goal with such secrets?
You can read them anyway in the DB so they are not secret from you or anyone on your team.
They essentially are per-user secrets but they are used by us to perform actions for the user in the backend
So they are technically owned by us but each one applies to a specific user if that makes sense
I don't really know what to do with them. I suppose I could store them encrypted in a normal table with only the encryption key stored in the Vault.
Why do they need to be encrypted? Are you worried about only the backup case of them being leaked? That is all Vault protects from.
I guess they don't have to be.
Maybe a normal table is just the way to go.
Not really my realm, though, but Supabase took away the encrypted column stuff because they felt it was being abused for things that did not need to be encrypted. Encryption/decryption is very painful on resources for the DB.
Alright, I see.
Thanks for the help.
I think just a normal table in maybe a separate schema is what I'll do.
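The approach garyaustin describes (security definer wrappers in `public`, granted only to `service_role`, because the `vault` schema is not exposed over the API) looks like this in SQL. This is an added example written for this page, not code from the thread or from Supabase; the function names, parameter names and the sample secret name/value are assumptions, and it assumes the standard Vault objects `vault.decrypted_secrets` and `vault.create_secret(secret, name, description)`.

```sql
-- Added example (not from the thread): wrap Vault read/insert in SECURITY DEFINER
-- functions in the public schema so the service_role client can call them over
-- the API without the vault schema being exposed. Names below are assumptions.

create or replace function public.read_vault_secret(secret_name text)
returns text
language plpgsql
security definer
set search_path = ''   -- empty search_path: every object below is schema-qualified
as $$
declare
  v_secret text;
begin
  -- vault.decrypted_secrets is the Vault view that decrypts on read
  select decrypted_secret
    into v_secret
    from vault.decrypted_secrets
   where name = secret_name;

  if v_secret is null then
    raise exception 'secret % not found', secret_name;
  end if;

  return v_secret;
end;
$$;

create or replace function public.create_vault_secret(
  secret_name        text,
  secret_value       text,
  secret_description text default ''
)
returns uuid
language plpgsql
security definer
set search_path = ''
as $$
begin
  -- Inserts go through Vault's own function, not a direct table write
  return vault.create_secret(secret_value, secret_name, secret_description);
end;
$$;

-- Postgres grants EXECUTE on a new function to PUBLIC by default, which would let
-- anon/authenticated callers read secrets through PostgREST. Revoke that and grant
-- only service_role, so other roles get a permission error instead of the value.
revoke execute on function public.read_vault_secret(text)
  from public, anon, authenticated;
revoke execute on function public.create_vault_secret(text, text, text)
  from public, anon, authenticated;
grant execute on function public.read_vault_secret(text) to service_role;
grant execute on function public.create_vault_secret(text, text, text) to service_role;

-- Smoke test from SQL with a constructed sample value
select public.create_vault_secret('example_api_key', 'constructed-sample-value', 'example');
select public.read_vault_secret('example_api_key');
```

From the Python client with the service role key, these are then called as RPCs rather than as table reads: `supabase.rpc("read_vault_secret", {"secret_name": "example_api_key"}).execute()`. Keep in mind the caveat raised above: this only hides the values from backups and from API roles that lack the grant; anyone with direct database access can still read the decrypted view.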