From 784cfed1fb3c61047bb81db2aa9283c1cb8e81a3 Mon Sep 17 00:00:00 2001
From: Gavin Frazar <gavin.frazar@goteleport.com>
Date: Fri, 3 Jan 2025 12:20:51 -0800
Subject: [PATCH] Fix auto user role grant

---
 lib/srv/db/postgres/users.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/srv/db/postgres/users.go b/lib/srv/db/postgres/users.go
index 8be3eaef82191..95429c972f36c 100644
--- a/lib/srv/db/postgres/users.go
+++ b/lib/srv/db/postgres/users.go
@@ -430,13 +430,14 @@ func (e *Engine) updateAutoUsersRole(ctx context.Context, conn *pgx.Conn, adminU
 	// support WITH INHERIT FALSE or WITH SET FALSE syntax, so we only specify
 	// WITH ADMIN OPTION.
 	// See: https://www.postgresql.org/docs/16/release-16.html
-	stmt := fmt.Sprintf("grant role %q to %q WITH ADMIN OPTION", teleportAutoUserRole, adminUser)
+	stmt := fmt.Sprintf("grant %q to %q WITH ADMIN OPTION", teleportAutoUserRole, adminUser)
 	_, err = conn.Exec(ctx, stmt)
 	if err != nil {
 		if !strings.Contains(err.Error(), "cannot be granted back") && !strings.Contains(err.Error(), "already") {
 			e.Log.DebugContext(ctx, "Failed to grant required role to the Teleport database admin, user auto-provisioning may not work until the database admin is granted the role by a superuser",
 				"role", teleportAutoUserRole,
 				"database_admin", adminUser,
+				"error", err,
 			)
 		}
 	}