Superuser access to Supabase Vault
I am storing my Google 0auth tokens (for connecting Google Drive API to my app) in my Supabase Vault with an aid of an edge function but the last step after giving a consent fails to connect with Google Drive.
And when I investigate my edge function, I discovered this error below:
Failed to store access token: {\n code: "42501",\n details: null,\n hint: null,\n message: "permission denied for function _crypto_aead_det_noncegen"\n}\n"
Brainstorming with Claude, we (I mean Claude) concluded:
Issue: You Don't Have Superuser Permissions
The error means you're not running these commands with sufficient privileges. Vault's internal encryption functions require superuser access to grant permissions, which regular users don't have in Supabase.
How do I enable & grant permission to Supabase Vault for my RPC function?
Ideal architecture should be this:
User → Edge Function (JWT auth)
↓
RPC Function (ownership verification + SECURITY DEFINER)
↓
Vault (encryption)
Anybody has any ideas on how to solve this?
I would like to avoid accessing supabase vault directly via service role like this:
User → Edge Function (JWT auth)
↓
Vault directly (via service_role)
↓
Encryption
And when I investigate my edge function, I discovered this error below:
Failed to store access token: {\n code: "42501",\n details: null,\n hint: null,\n message: "permission denied for function _crypto_aead_det_noncegen"\n}\n"
Brainstorming with Claude, we (I mean Claude) concluded:
Issue: You Don't Have Superuser Permissions
The error means you're not running these commands with sufficient privileges. Vault's internal encryption functions require superuser access to grant permissions, which regular users don't have in Supabase.
How do I enable & grant permission to Supabase Vault for my RPC function?
Ideal architecture should be this:
User → Edge Function (JWT auth)
↓
RPC Function (ownership verification + SECURITY DEFINER)
↓
Vault (encryption)
Anybody has any ideas on how to solve this?
I would like to avoid accessing supabase vault directly via service role like this:
User → Edge Function (JWT auth)
↓
Vault directly (via service_role)
↓
Encryption
