Superuser access to Supabase Vault
I am storing my Google OAuth tokens (for connecting the Google Drive API to my app) in my Supabase Vault with the aid of an edge function, but the last step after giving consent fails to connect with Google Drive.
When I investigated my edge function, I discovered the error below:
Failed to store access token: {\n code: "42501",\n details: null,\n hint: null,\n message: "permission denied for function _crypto_aead_det_noncegen"\n}\n"
Brainstorming with Claude, we (I mean Claude) concluded:
Issue: You Don't Have Superuser Permissions
The error means you're not running these commands with sufficient privileges. Vault's internal encryption functions require superuser access to grant permissions, which regular users don't have in Supabase.
How do I enable & grant permission to Supabase Vault for my RPC function?
Ideal architecture should be this:
User → Edge Function (JWT auth)
↓
RPC Function (ownership verification + SECURITY DEFINER)
↓
Vault (encryption)
Does anybody have any ideas on how to solve this?
I would like to avoid accessing Supabase Vault directly via the service role like this:
User → Edge Function (JWT auth)
↓
Vault directly (via service_role)
↓
Encryption
2 Replies
If you are running the RPC function with security definer then it should be running with the security permissions of the postgres user, I think.
Could you share in Vault how you are adding the secret (obfuscating any sensitive data of course)?
This Reddit post seems to show a similar issue to yours https://www.reddit.com/r/Supabase/comments/1lt1sjt/42501_permission_denied_for_function_crypto_aead/ and the resolution was using the vault.create_secret function.
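The architecture the question asks for, written with the vault.create_secret function the reply mentions, as an added example that is not part of the original thread or Supabase's own code. The table public.google_drive_tokens and the function public.store_google_token are hypothetical names, and the sketch assumes the function is created by the postgres role so that SECURITY DEFINER runs with that owner's privileges.

```sql
-- Added example. Hypothetical mapping table: one Vault secret id per user.
create table if not exists public.google_drive_tokens (
  user_id   uuid primary key references auth.users (id) on delete cascade,
  secret_id uuid not null
);
-- RLS on with no policies: clients cannot read or write the mapping directly.
alter table public.google_drive_tokens enable row level security;

create or replace function public.store_google_token(p_access_token text)
returns uuid
language plpgsql
security definer          -- runs as the function owner (assumed: postgres)
set search_path = ''      -- force schema-qualified names inside the body
as $$
declare
  v_user      uuid := auth.uid();  -- taken from the caller's JWT, not from a parameter
  v_secret_id uuid;
begin
  -- Ownership check: the caller can only write a secret for their own user id.
  if v_user is null then
    raise exception 'not authenticated' using errcode = '28000';
  end if;

  select t.secret_id into v_secret_id
  from public.google_drive_tokens t
  where t.user_id = v_user;

  if v_secret_id is null then
    -- Use the Vault API function instead of inserting into vault.secrets directly.
    v_secret_id := vault.create_secret(
      p_access_token,
      'gdrive_access_' || v_user::text,
      'Google Drive access token');
    insert into public.google_drive_tokens (user_id, secret_id)
    values (v_user, v_secret_id);
  else
    perform vault.update_secret(v_secret_id, p_access_token);
  end if;

  return v_secret_id;
end;
$$;

-- Only signed-in users may call the RPC.
revoke execute on function public.store_google_token(text) from public, anon;
grant execute on function public.store_google_token(text) to authenticated;
```

The edge function would call this RPC with the user's own JWT rather than the service role key, so auth.uid() resolves to the caller.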