feat: allow vault secret lookup by name in _id options (supabase#591)

wenerme · burmecia · web-flow · commit 90184a4a82c8 · 2026-03-31T12:06:35.000+11:00
* feat: allow vault secret lookup by name in `_id` options

Change `get_vault_secret()` to fall back to name-based lookup when
the input is not a valid UUID.

This allows all FDW `*_id` options (e.g. `conn_string_id`,
`api_key_id`, `bearer_token_id`) to accept either a vault secret
UUID or a human-readable name, making configuration easier:

```sql
-- Before: only UUID worked
OPTIONS (conn_string_id 'a1b2c3d4-e5f6-...')

-- Now: name also works
OPTIONS (conn_string_id 'my_mysql_prod')
```

Since vault secret names are human-readable labels that cannot be
valid UUIDs, there is no ambiguity. Existing UUID-based usage is
completely unaffected.

* feat: update get_vault_secret to accept secret name or ID

---------

Co-authored-by: Bo Lu &lt;lv.patrick@gmail.com&gt;
diff --git a/supabase-wrappers/src/utils.rs b/supabase-wrappers/src/utils.rs
@@ -355,12 +355,19 @@ pub fn create_async_runtime() -> Result<Runtime, CreateRuntimeError> {
     Ok(Builder::new_current_thread().enable_all().build()?)
 }
 
-/// Get decrypted secret from Vault by secret ID
+/// Get decrypted secret from Vault by secret ID or name
 ///
-/// Get decrypted secret as string from Vault by secret ID. Vault is an extension for storing
-/// encrypted secrets, [see more details](https://github.com/supabase/vault).
-pub fn get_vault_secret(secret_id: &str) -> Option<String> {
-    match Uuid::try_parse(secret_id) {
+/// If the value is a valid UUID, look up by `id` or `key_id`.
+/// Otherwise, fall back to lookup by `name`, since vault secret names
+/// cannot be valid UUIDs (they are human-readable labels).
+///
+/// This allows all FDW `*_id` options (e.g. `conn_string_id`, `api_key_id`)
+/// to accept either a UUID or a vault secret name.
+///
+/// Vault is an extension for storing encrypted secrets,
+/// [see more details](https://github.com/supabase/vault).
+pub fn get_vault_secret(secret_id_or_name: &str) -> Option<String> {
+    match Uuid::try_parse(secret_id_or_name) {
         Ok(sid) => {
             let sid = sid.into_bytes();
             match Spi::get_one_with_args::<String>(
@@ -371,19 +378,13 @@ pub fn get_vault_secret(secret_id: &str) -> Option<String> {
                 Err(err) => {
                     report_error(
                         PgSqlErrorCode::ERRCODE_FDW_ERROR,
-                        &format!("query vault failed \"{secret_id}\": {err}"),
+                        &format!("query vault failed \"{secret_id_or_name}\": {err}"),
                     );
                     None
                 }
             }
         }
-        Err(err) => {
-            report_error(
-                PgSqlErrorCode::ERRCODE_FDW_ERROR,
-                &format!("invalid secret id \"{secret_id}\": {err}"),
-            );
-            None
-        }
+        Err(_) => get_vault_secret_by_name(secret_id_or_name),
     }
 }
 
