Is it possible to generate new role with apikey ?

[danielstaleiny]

I have successfully integrated one 3th party service to automatically insert to my DB, but this 3th party has limitation and I don't think I can login with any of the methods.

I would like to create new role which is basically anon role but with 1 extra permition to write to one of my table. Is it possible to create never changing apikey for this new role ?

Alernatively, I could use ADMIN secret key for this, but I don't want to share this key with 3th party.

[steve-chavez]

Hey @danielstaleiny,

Yes, you can do this now but there is a gotcha - the Kong api gateway only accepts the anon key or the service_role key for reaching postgrest. For postgrest's authorization bearer, you can use any role.

So for the request, you'll need to specify the anonkey(this has a 10 year exp default) plus a custom key that includes your role and any expiration. You can build this custom key with https://jwt.io/ and your API secret(at <your_project>/settings/api).

Some steps that might help:

-- create your role
create role third_partier;
grant third_partier to authenticator;
grant usage on schema public to third_partier;
-- assign any extra privilege here

-- create a function for testing
create or replace function show_current_user() returns name as $$
  select current_user;
$$ language sql; 

-- build your jwt key at https://jwt.io/ and put it on
export CUSTOM_KEY=xxxx

-- go to `<your_project>/api/default?rpc=show_current_user`, click the bash tab,
-- select the anon key in the dropdown and grab the curl call
curl -X POST 'https://<ref>.supabase.co/rest/v1/rpc/show_current_user' \
-H "Content-Type: application/json" \
-H "apikey: <ANON_KEY>" \
-H "Authorization: Bearer <CUSTOM_KEY>"

-- It should show "third_partier"  

Let me know if that works for you.

[danielstaleiny]

Yes, the main question and confusion was that the Kong api is accepting only anon/service_role.

I will test it out and report back.

Thank you for the info.