Server role has insufficient privileges

So, I created a UDF, that requires a server role:

  name: "Test",
  role: "server",
  body: Query(Lambda([], Get(CurrentToken())))

Whenever I call it from my server with the key, created with server role, I get an error:

  "errors": [
      "position": [],
      "code": "call error",
      "description": "Calling the function resulted in an error.",
      "cause": [
          "position": ["expr"],
          "code": "permission denied",
          "description": "Insufficient privileges to perform the action."

I would really appreciate it if anyone could help with this issue

Same if I call

await faunaDB.query(Get(CurrentToken()));

from my NodeJS server

Server roles do not have read access to read or write Keys or Tokens. The CurrentToken function gives you a Ref, but you will need different permissions to be able to read it.

Ouch! How come? Can I ever adjust it?

I was under impression that my server might be able to authorise my users and call FaunaDB in order to create a token for user. For now, I had to hack around with admin key, which I don’t really like

Yes. You can provide your UDF with a custom Role, by setting the role field. You can do this in the Dashboard UI by selecting the custom Role from the drop down, or directly in FQL

  name: "RoleToUpdateTokens",
  privileges: [
      resource: Tokens(),
      actions: {
        read: true
    // plus whatever else that you need
  membership: []

The server role is just one role that is provided out of the box. But you may of course provide keys with other custom roles to your server applications.

1 Like

I meant, if I could update server role, so that it was semantically correct for me that my server can mess with tokens. Seems not, and using other roles instead is not much of a headache.

I ended up assigning all the functions Admin role, so that they could do whatever they need, and granted my users access to only the functions they should be allowed to touch

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.