Server role has insufficient privileges

So, I created a UDF that requires a server role:

{
  name: "Test",
  role: "server",
  body: Query(Lambda([], Get(CurrentToken())))
}

Whenever I call it from my server with the key created with the server role, I get an error:

{
  "errors": [
    {
      "position": [],
      "code": "call error",
      "description": "Calling the function resulted in an error.",
      "cause": [
        {
          "position": ["expr"],
          "code": "permission denied",
          "description": "Insufficient privileges to perform the action."
        }
      ]
    }
  ]
}

I would really appreciate it if anyone could help with this issue.

Same if I call

await faunaDB.query(Get(CurrentToken()));

from my NodeJS server

Server roles do not have access to read or write Keys or Tokens. The CurrentToken function gives you a Ref, but you will need different permissions to be able to read it.

Ouch! How come? Can I ever adjust it?

I was under the impression that my server might be able to authorise my users and call FaunaDB in order to create a token for the user. For now, I had to hack around with an admin key, which I don’t really like.

Yes. You can provide your UDF with a custom Role, by setting the role field. You can do this in the Dashboard UI by selecting the custom Role from the drop-down, or directly in FQL:

CreateRole({
  name: "RoleToUpdateTokens",
  privileges: [
    {
      resource: Tokens(),
      actions: {
        read: true
      }
    }
    // plus whatever else that you need
  ],
  membership: []
})

The server role is just one role that is provided out of the box. But you may of course provide keys with other custom roles to your server applications.


I meant, if I could update the server role, so that it was semantically correct for me that my server can mess with tokens. Seems not, and using other roles instead is not much of a headache.

I ended up assigning all the functions the Admin role, so that they could do whatever they need, and granted my users access to only the functions they should be allowed to touch.
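
The custom-role setup suggested in the answer above, written out as an added example in FQL v4 (it is not code posted by anyone in this thread): the UDF runs with a role that can only read tokens, and a separate membership role lets users call that one function and nothing else. The names `token_reader`, `GetOwnToken`, `app_user` and the `users` collection are assumptions made for illustration.

```fql
// Added example. All names below are hypothetical, not from the thread.
// Run these with a key that is allowed to create roles and functions.

// 1. Role the UDF executes as: read access to tokens, nothing else.
CreateRole({
  name: "token_reader",
  privileges: [
    { resource: Tokens(), actions: { read: true } }
  ]
})

// 2. The UDF from the question, bound to the narrow role
//    instead of "server" or "admin".
CreateFunction({
  name: "GetOwnToken",
  role: Role("token_reader"),
  body: Query(Lambda([], Get(CurrentToken())))
})

// 3. Role for callers: every document in the assumed "users"
//    collection that holds a token may call this one function.
//    It grants no direct access to Tokens() or to any collection.
CreateRole({
  name: "app_user",
  membership: [
    { resource: Collection("users") }
  ],
  privileges: [
    { resource: Function("GetOwnToken"), actions: { call: true } }
  ]
})

// 4. A client authenticated with a user's token then runs:
Call(Function("GetOwnToken"))
// A direct Get(CurrentToken()) from the same client is still denied,
// because "app_user" carries no privilege on Tokens().
```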
