diff --git a/nix/tests/expected/vault.out b/nix/tests/expected/vault.out
index e4eaff2e8..37ed9f519 100644
--- a/nix/tests/expected/vault.out
+++ b/nix/tests/expected/vault.out
@@ -1,42 +1,192 @@
-select
- 1
-from
- vault.create_secret('my_s3kre3t');
+SET ROLE postgres;
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+ can_create_secret
+-------------------
+ t
+(1 row)
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret(
+ 'another_s3kre3t',
+ 'unique_name',
+ 'This is the description'
+ )
+) AS can_create_secret_with_params;
+ can_create_secret_with_params
+-------------------------------
+ t
+(1 row)
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+ can_select_from_secrets
+-------------------------
+ t
+(1 row)
+
+DO $$
+BEGIN
+ INSERT INTO vault.secrets (secret)
+ VALUES ('s3kre3t_k3y');
+ EXCEPTION WHEN insufficient_privilege THEN RETURN;
+ RAISE EXCEPTION 'should not be able to insert into vault.secrets';
+END;
+$$ LANGUAGE PLPGSQL;
+SELECT EXISTS (
+ SELECT * FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
+ can_select_from_decrypted_secrets
+-----------------------------------
+ t
+(1 row)
+
+SELECT vault.create_secret('s', new_name := 'temp_secret_to_delete') IS NOT NULL;
+ ?column?
+----------
+ t
+(1 row)
+
+WITH deleted AS (
+ DELETE FROM vault.secrets
+ WHERE name = 'temp_secret_to_delete'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
+ can_delete_from_secrets
+-------------------------
+ t
+(1 row)
+
+SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
 ?column?
 ----------
- 1
+ t
 (1 row)
-select
- 1
-from
- vault.create_secret(
+WITH deleted AS (
+ DELETE FROM vault.decrypted_secrets
+ WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
+ can_delete_from_decrypted_secrets
+-----------------------------------
+ t
+(1 row)
+
+WITH secret_id AS (
+ SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+ SELECT 1 FROM vault.update_secret(
+ (SELECT id FROM secret_id),
+ 'updated_secret'
+ )
+) AS can_update_secret;
+ can_update_secret
+-------------------
+ t
+(1 row)
+
+SET ROLE service_role;
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+ can_create_secret
+-------------------
+ t
+(1 row)
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret(
 'another_s3kre3t',
 'unique_name',
 'This is the description'
- );
+ )
+) AS can_create_secret_with_params;
+ERROR: duplicate key value violates unique constraint "secrets_name_idx"
+DETAIL: Key (name)=(unique_name) already exists.
+CONTEXT: SQL statement "INSERT INTO vault.secrets (secret, name, description)
+ VALUES (
+ new_secret,
+ new_name,
+ new_description
+ )
+ RETURNING *"
+PL/pgSQL function vault.create_secret(text,text,text,uuid) line 5 at SQL statement
+SELECT EXISTS (
+ SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+ can_select_from_secrets
+-------------------------
+ t
+(1 row)
+
+DO $$
+BEGIN
+ INSERT INTO vault.secrets (secret)
+ VALUES ('s3kre3t_k3y');
+ EXCEPTION WHEN insufficient_privilege THEN RETURN;
+ RAISE EXCEPTION 'should not be able to insert into vault.secrets';
+END;
+$$ LANGUAGE PLPGSQL;
+SELECT EXISTS (
+ SELECT name, description FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
+ can_select_from_decrypted_secrets
+-----------------------------------
+ t
+(1 row)
+
+SELECT vault.create_secret('', new_name := 'temp_secret_to_delete') IS NOT NULL;
 ?column?
 ----------
- 1
-(1 row)
-
-insert into vault.secrets (secret)
-values
- ('s3kre3t_k3y');
-select
- name,
- description
-from
- vault.decrypted_secrets
-order by
- created_at desc
-limit
- 3;
- name | description
--------------+-------------------------
- |
- unique_name | This is the description
- |
-(3 rows)
-
-
+ t
+(1 row)
+
+WITH deleted AS (
+ DELETE FROM vault.secrets
+ WHERE name = 'temp_secret_to_delete'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
+ can_delete_from_secrets
+-------------------------
+ t
+(1 row)
+
+SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
+ ?column?
+----------
+ t
+(1 row)
+
+WITH deleted AS (
+ DELETE FROM vault.decrypted_secrets
+ WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
+ can_delete_from_decrypted_secrets
+-----------------------------------
+ t
+(1 row)
+
+WITH secret_id AS (
+ SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+ SELECT 1 FROM vault.update_secret(
+ (SELECT id FROM secret_id),
+ 'updated_secret'
+ )
+) AS can_update_secret;
+ can_update_secret
+-------------------
+ t
+(1 row)
+
+RESET ROLE;
diff --git a/nix/tests/sql/vault.sql b/nix/tests/sql/vault.sql
index bafcb4df8..50b02131d 100644
--- a/nix/tests/sql/vault.sql
+++ b/nix/tests/sql/vault.sql
@@ -1,30 +1,115 @@
-select
- 1
-from
- vault.create_secret('my_s3kre3t');
-
-select
- 1
-from
- vault.create_secret(
+SET ROLE postgres;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret(
 'another_s3kre3t',
 'unique_name',
 'This is the description'
- );
+ )
+) AS can_create_secret_with_params;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+
+DO $$
+BEGIN
+ INSERT INTO vault.secrets (secret)
+ VALUES ('s3kre3t_k3y');
+ EXCEPTION WHEN insufficient_privilege THEN RETURN;
+ RAISE EXCEPTION 'should not be able to insert into vault.secrets';
+END;
+$$ LANGUAGE PLPGSQL;
+
+SELECT EXISTS (
+ SELECT * FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
+
+SELECT vault.create_secret('s', new_name := 'temp_secret_to_delete') IS NOT NULL;
+WITH deleted AS (
+ DELETE FROM vault.secrets
+ WHERE name = 'temp_secret_to_delete'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
+
+SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
+WITH deleted AS (
+ DELETE FROM vault.decrypted_secrets
+ WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
+
+WITH secret_id AS (
+ SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+ SELECT 1 FROM vault.update_secret(
+ (SELECT id FROM secret_id),
+ 'updated_secret'
+ )
+) AS can_update_secret;
+
+SET ROLE service_role;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret('my_s3kre3t')
+) AS can_create_secret;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.create_secret(
+ 'another_s3kre3t',
+ 'unique_name',
+ 'This is the description'
+ )
+) AS can_create_secret_with_params;
+
+SELECT EXISTS (
+ SELECT 1 FROM vault.secrets LIMIT 1
+) AS can_select_from_secrets;
+
+DO $$
+BEGIN
+ INSERT INTO vault.secrets (secret)
+ VALUES ('s3kre3t_k3y');
+ EXCEPTION WHEN insufficient_privilege THEN RETURN;
+ RAISE EXCEPTION 'should not be able to insert into vault.secrets';
+END;
+$$ LANGUAGE PLPGSQL;
+
+SELECT EXISTS (
+ SELECT name, description FROM vault.decrypted_secrets LIMIT 1
+) AS can_select_from_decrypted_secrets;
-insert into vault.secrets (secret)
-values
- ('s3kre3t_k3y');
+SELECT vault.create_secret('', new_name := 'temp_secret_to_delete') IS NOT NULL;
+WITH deleted AS (
+ DELETE FROM vault.secrets
+ WHERE name = 'temp_secret_to_delete'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_secrets;
-select
- name,
- description
-from
- vault.decrypted_secrets
-order by
- created_at desc
-limit
- 3;
-
+SELECT vault.create_secret('temp_secret_to_delete_from_decrypted') IS NOT NULL;
+WITH deleted AS (
+ DELETE FROM vault.decrypted_secrets
+ WHERE decrypted_secret = 'temp_secret_to_delete_from_decrypted'
+ RETURNING 1
+)
+SELECT EXISTS (SELECT 1 FROM deleted) AS can_delete_from_decrypted_secrets;
+WITH secret_id AS (
+ SELECT id FROM vault.secrets ORDER BY created_at DESC LIMIT 1
+)
+SELECT EXISTS (
+ SELECT 1 FROM vault.update_secret(
+ (SELECT id FROM secret_id),
+ 'updated_secret'
+ )
+) AS can_update_secret;
+RESET ROLE;
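Review bot: The DO block meant to prove that a direct INSERT into vault.secrets is rejected can never fail, in both the postgres and the service_role section of this hunk: `RAISE EXCEPTION 'should not be able to insert into vault.secrets';` is written after `EXCEPTION WHEN insufficient_privilege THEN RETURN;`, so in PL/pgSQL it belongs to the handler and is unreachable, while a permitted INSERT simply ends the block without any output (the removed version of this file ran the same INSERT unguarded and its expected output recorded no error, so at least one of these roles is probably allowed to insert). Put the RAISE in the main body so it only runs when the INSERT succeeds: `INSERT INTO vault.secrets (secret) VALUES ('s3kre3t_k3y');` / `RAISE EXCEPTION 'should not be able to insert into vault.secrets';` / `EXCEPTION WHEN insufficient_privilege THEN RETURN;`, then regenerate nix/tests/expected/vault.out so it records which roles are actually denied. Separately, the service_role call `vault.create_secret('another_s3kre3t', 'unique_name', ...)` reuses the name already created in the postgres section, so the expected output now captures a `secrets_name_idx` duplicate-key ERROR where the `can_create_secret_with_params` result should be; give that call a distinct name (a constructed example: `'unique_name_service_role'`) or delete the earlier secret before `SET ROLE service_role;`. The `can_select_from_decrypted_secrets` probe also differs between the two sections (`SELECT *` versus `SELECT name, description`); use one form in both so the sections stay comparable.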