Secret Variables

Project Runtime Secrets

Runtime configuration is loaded from settings/.env in local development and mounted into containers at /app/settings/.env in Cloud Run.

Secret Name	Description
`ENVIRONMENT`	Runtime environment such as `local`, `test`, or `production`
`GOOGLE_SERVICE_ACCOUNT_CREDENTIALS`	Optional JSON credentials blob for Google Cloud clients
`PROJECT_BUCKET_NAME`	Bucket used for shared project resources
`DB_HOST`	Local PostgreSQL host
`DB_PORT`	PostgreSQL port
`DB_NAME`	Database name
`DB_USER`	Database username
`DB_PASSWORD`	Database password
`DB_PRIVATE_IP`	Private IP for Cloud SQL connectivity
`DB_CONNECTION_NAME`	Cloud SQL connection name
`DB_INSTANCE_UNIX_SOCKET`	Unix socket path for Cloud SQL
`FLASK_SECRET_KEY`	Flask session secret for admin
`FLASK_SECURITY_PASSWORD_SALT`	Password salt for admin
`FLASK_BASIC_AUTH_USERNAME`	Basic-auth username for admin
`FLASK_BASIC_AUTH_PASSWORD`	Basic-auth password for admin
`SENDGRID_API_KEY`	SendGrid API key
`FROM_ADDRESS`	Default sender address
`SENTRY_DSN`	Sentry DSN
`SENTRY_ENVIRONMENT`	Sentry environment tag
`SENTRY_ENABLE_TRACING`	Enable request tracing
`SENTRY_TRACES_SAMPLE_RATE`	Trace sample rate
`SENTRY_PROFILES_SAMPLE_RATE`	Profile sample rate

GitHub Actions Secrets

Secret Name	Description
`GCP_PROJECT_ID`	Google Cloud project ID
`GCP_PROVIDER_ID`	Workload identity provider ID
`GCP_SERVICE_ACCOUNT_EMAIL`	Deployment service account email
`CAS_SERVICES_ENV_B64_DEV`	Base64-encoded environment file for development deployments
`CAS_SERVICES_ENV_B64_PROD`	Base64-encoded environment file for production deployments
`TEST_API_KEY`	API key used by integration-test automation

Notes

The authoritative list of runtime fields is cellarium.cas_backend.core.config. Update this page when new required environment variables are introduced for developers or CI/CD.