diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
index 344368f49..907c67ebf 100644
--- a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
@@ -1,4 +1,3 @@
 grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
-grant execute on function pgsodium.crypto_aead_det_noncegen to service_role;
diff --git a/ansible/tasks/internal/supautils.yml b/ansible/tasks/internal/supautils.yml
index 969d39dd6..33811b5ac 100644
--- a/ansible/tasks/internal/supautils.yml
+++ b/ansible/tasks/internal/supautils.yml
@@ -49,11 +49,17 @@
 - name: supautils - copy extension custom scripts
 copy:
- src: files/postgresql_extension_custom_scripts
+ src: files/postgresql_extension_custom_scripts/
 dest: /etc/postgresql-custom/extension-custom-scripts
- mode: 0664
+ become: yes
+
+- name: supautils - chown extension custom scripts
+ file:
+ mode: 0775
 owner: postgres
 group: postgres
+ path: /etc/postgresql-custom/extension-custom-scripts
+ recurse: yes
 become: yes
 - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
index 4b72e7be1..7afd79b07 100644
--- a/common.vars.pkr.hcl
+++ b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.0.17-rc1"
+postgres-version = "15.1.0.17-rc2"
diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql
index cefe1feb8..3b28abe4f 100644
--- a/ebssurrogate/files/unit-tests/unit-test-01.sql
+++ b/ebssurrogate/files/unit-tests/unit-test-01.sql
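Review bot: In ansible/tasks/internal/supautils.yml, the new chown task applies `mode: 0775` with `recurse: yes`, so every .sql file under /etc/postgresql-custom/extension-custom-scripts becomes executable and group-writable, not only the directories. These scripts appear to run when an extension is created (the directory holds pgsodium/after-create.sql), so write access to them is worth keeping as narrow as possible. A symbolic mode such as `mode: "u=rwX,g=rX,o=rX"` keeps directories traversable while leaving the files at 0644. Quoting the mode also avoids relying on YAML's octal parsing of a bare `0775`.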
@@ -1,5 +1,5 @@
 BEGIN;
-SELECT plan(9);
+SELECT plan(8);
 -- Check installed extensions
 SELECT extensions_are(
@@ -26,7 +26,6 @@ SELECT has_schema('public');
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
 SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
-SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[]::text[], 'service_role', array['EXECUTE']);
 SELECT * from finish();
 ROLLBACK;
diff --git a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
index 2ebb7703e..9a863bdaf 100644
--- a/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
+++ b/migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql
@@ -6,6 +6,10 @@ grant pgsodium_keyiduser to postgres with admin option;
 grant pgsodium_keyholder to postgres with admin option;
 grant pgsodium_keymaker to postgres with admin option;
+grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
+grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
 -- create extension if not exists supabase_vault;
 -- migrate:down
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
index 80e9048ac..cedf41fcc 100644
--- a/migrations/tests/database/privs.sql
+++ b/migrations/tests/database/privs.sql
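Review bot: In migrations/db/migrations/20221207154255_create_pgsodium_and_vault.sql, the three `grant execute ... to service_role` statements are appended to an existing timestamped migration, so a database that has already recorded this version would presumably never run them (the migration runner is not visible in the diff; confirm how applied versions are tracked). They also duplicate the grants in pgsodium/after-create.sql, which leaves two places defining service_role's access to the crypto functions. Consider a new migration for the grants, or at least a comment above them such as `-- keep in sync with ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql`. No matching revoke is visible under `-- migrate:down`, and that section continues outside the hunk.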
@@ -3,7 +3,6 @@ SELECT database_privs_are(
 'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
--- SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[]::text[], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
diff --git a/migrations/tests/test.sql b/migrations/tests/test.sql
index d3b08c21e..637fef987 100644
--- a/migrations/tests/test.sql
+++ b/migrations/tests/test.sql
@@ -2,7 +2,7 @@ CREATE EXTENSION IF NOT EXISTS pgtap;
 BEGIN;
-SELECT plan(10);
+SELECT plan(13);
 \ir fixtures.sql
 \ir database/test.sql
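Review bot: In migrations/tests/database/privs.sql, the re-enabled assertions cover only the three functions service_role is meant to execute; nothing pins that `crypto_aead_det_noncegen`, whose grant this commit drops, stays unavailable to that role. If pgsodium does not leave EXECUTE on it granted to PUBLIC (not visible here), a negative check such as `SELECT function_privs_are('pgsodium', 'crypto_aead_det_noncegen', array[]::text[], 'service_role', array[]::text[]);` would catch the grant being reintroduced or lingering on an upgraded database. Adding it would require `plan(13)` in migrations/tests/test.sql to become `plan(14)`.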