From 06ba9f5df5a77a1dab56c19e19f6e95f6eb7774c Mon Sep 17 00:00:00 2001
From: Gavin Frazar
Date: Mon, 6 Jan 2025 11:06:01 -0800
Subject: [PATCH] Fix auto user role grant (#50782)
---
 lib/srv/db/postgres/users.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/srv/db/postgres/users.go b/lib/srv/db/postgres/users.go
index a902a85298c08..56fb14a2dd9d8 100644
--- a/lib/srv/db/postgres/users.go
+++ b/lib/srv/db/postgres/users.go
@@ -430,13 +430,14 @@ func (e *Engine) updateAutoUsersRole(ctx context.Context, conn *pgx.Conn, adminU
 // support WITH INHERIT FALSE or WITH SET FALSE syntax, so we only specify
 // WITH ADMIN OPTION.
 // See: https://www.postgresql.org/docs/16/release-16.html
- stmt := fmt.Sprintf("grant role %q to %q WITH ADMIN OPTION", teleportAutoUserRole, adminUser)
+ stmt := fmt.Sprintf("grant %q to %q WITH ADMIN OPTION", teleportAutoUserRole, adminUser)
 _, err = conn.Exec(ctx, stmt)
 if err != nil {
 if !strings.Contains(err.Error(), "cannot be granted back") && !strings.Contains(err.Error(), "already") {
 e.Log.DebugContext(ctx, "Failed to grant required role to the Teleport database admin, user auto-provisioning may not work until the database admin is granted the role by a superuser",
 "role", teleportAutoUserRole,
 "database_admin", adminUser,
+ "error", err,
 )
 }
 }
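Review bot: The rewritten `stmt` line still quotes both identifiers with Go's `%q`, which escapes an embedded double quote as `\"` instead of doubling it as PostgreSQL requires, so a name containing `"` would not be parsed as a single quoted identifier. The origin of `adminUser` is outside the hunk; if it comes from operator-supplied database configuration the likely effect is a malformed or misparsed GRANT rather than anything worse, but identifier quoting is better left to the driver: `stmt := fmt.Sprintf("grant %s to %s WITH ADMIN OPTION", pgx.Identifier{teleportAutoUserRole}.Sanitize(), pgx.Identifier{adminUser}.Sanitize())`. The body of updateAutoUsersRole starts and ends outside the hunk, so other statements in it may warrant the same check.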