
I am trying to query a secret from supabase vault into my app but I am not sure how to do that.

Do I need to create a rpc function or is it possible to use the postgREST API? For the latter, what is the right endpoint?

Thanks

Christian

1 Answer


You cannot get the secrets themselves stored in Vault from your client applications, but you can use Vault to encrypt your data in your database.

You can follow this guide to encrypt a column. You would need to use a security definer database function when accessing the encrypted column.

dshukertjr
  • Okay, I have created a new table `keys` for my encrypted values. When I try to access the `decrypted_keys` view, I am getting an error: `PostgrestException(message: permission denied for function crypto_aead_det_decrypt, code: 42501, details: Forbidden, hint: null)`. So far, I have added a "must be authenticated" RLS policy to the `keys` table – Christian Jun 07 '23 at 10:30
  • @Christian Are you trying to access the decrypted view directly from your client using the `supabase.from()` syntax? If that is the case, it will not work because of how the permission is set up. You would need to create a security definer function to access those values from the client. https://supabase.com/docs/guides/database/functions#security-definer-vs-invoker – dshukertjr Jun 07 '23 at 15:14
  • Okay thanks, I got it to work. However there is one more thing I am not sure about: Is it safe to load all secrets at once and keep them in cache for as long as the app runs, or should I get each key on demand? – Christian Jun 12 '23 at 17:45
  • @Christian That totally depends on the nature of your app, and it is totally up to you! – dshukertjr Jun 13 '23 at 03:41
  • Okay, that's good. I am following the guide you posted earlier, but there is a section about privileges. Do I need to change any privileges for the created function, or can I leave them as they are? – Christian Jun 14 '23 at 15:32
  • @Christian Again, it depends on the nature of your app and the definition of your database function. I'm guessing you have created a function that returns some user-specific data, but you should be fine as long as the way you retrieve that user-specific data is through the `auth.uid()` function, and not through the parameters of the function. Anyone can call the function with any parameters, but no one can manipulate the result of `auth.uid()`. – dshukertjr Jun 14 '23 at 15:46
  • Actually I am trying to create a table that holds all api keys and secrets that my app needs. So there is no user_id column there. This is my function: https://pastebin.com/r7XPWwF1 – Christian Jun 14 '23 at 17:12
  • @Christian Vault is meant to store keys that you need to use within your database, and if you have other keys, they should be stored in a traditional way like storing them as environment variables. – dshukertjr Jun 15 '23 at 03:53
  • Okay, so I guess my understanding was wrong. I was thinking this can be used like the SecretManager from Google, for example. – Christian Jun 15 '23 at 08:08
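The pattern dshukertjr describes in the comments (a security definer function whose row scope comes from `auth.uid()` rather than from its parameters, with execute privilege restricted), written out as an added example that is not part of the original thread. It assumes the `keys` table and its pgsodium-generated `decrypted_keys` view already exist in `public`, and that `keys` has `owner_id uuid` and `name text` columns with the decrypted value exposed as `decrypted_secret`; all of those names are assumptions.

```sql
-- Added example, not code from the thread. Assumed objects:
--   public.keys (owner_id uuid, name text, secret text  -- encrypted column)
--   public.decrypted_keys (view generated by pgsodium, exposes decrypted_secret)

-- WEAK: the caller picks whose row to read. SECURITY DEFINER runs as the
-- function owner, so RLS on public.keys no longer limits rows, and any
-- authenticated user can pass any other user's id.
create or replace function public.get_secret_weak(p_owner uuid, p_name text)
returns text
language sql
security definer
as $$
  select k.decrypted_secret
  from public.decrypted_keys k
  where k.owner_id = p_owner
    and k.name = p_name;
$$;

-- HARDENED: the row scope is auth.uid(), which the client cannot forge;
-- search_path is pinned to '' so every object must be schema-qualified and
-- a caller cannot shadow decrypted_keys or auth.uid() with their own objects.
create or replace function public.get_my_secret(p_name text)
returns text
language sql
security definer
set search_path = ''
as $$
  select k.decrypted_secret
  from public.decrypted_keys k
  where k.owner_id = auth.uid()
    and k.name = p_name;
$$;

-- Privileges: by default PUBLIC can execute a new function, so the anon
-- role (unauthenticated PostgREST requests) could call it. Remove that and
-- grant only to authenticated users. For an unauthenticated caller
-- auth.uid() is null, so the query would match no rows anyway.
revoke execute on function public.get_my_secret(text) from public, anon;
grant  execute on function public.get_my_secret(text) to authenticated;

-- Drop the weak variant rather than leave it callable.
drop function if exists public.get_secret_weak(uuid, text);

-- Client side (assumed call shape, PostgREST rpc endpoint):
--   supabase.rpc('get_my_secret', { p_name: 'third_party_api' })
```

Note that this only makes sense for per-user secrets; for app-wide secrets with no owner, the final comment in the thread applies and environment variables are the better home.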