Secrets Check After Cloud SQL Proxy Fix
✅ No Secret Values Need to Change
The Cloud SQL Proxy fix does NOT require any secret value changes. The existing secrets are already in the correct format.
Current Secret Format (Already Correct)
METABASE_DB_CONNECTION_URI
The connection URI format is correct and doesn't need to change:
Staging:
postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
Production:
postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
Why it's correct:
- The workflow parses this URI and extracts: user, password, dbname
- It then sets
MB_DB_HOST=127.0.0.1(for Cloud SQL Proxy) automatically - The
/cloudsql/instancein the host parameter is just used to identify which instance to connect to - Cloud SQL Proxy handles the actual connection using the annotation we set
What the Workflow Does
-
Parses
METABASE_DB_CONNECTION_URIto extract:MB_DB_USER(from URI username)MB_DB_PASS(from URI password, URL-decoded)MB_DB_DBNAME(from URI path)- Cloud SQL instance name (from
hostparameter)
-
Sets environment variables for Metabase:
MB_DB_TYPE=postgresMB_DB_HOST=127.0.0.1← This is the key change for Cloud SQL ProxyMB_DB_PORT=5432MB_DB_USER,MB_DB_PASS,MB_DB_DBNAME(from parsed URI)
-
Sets Cloud SQL annotation on the service:
run.googleapis.com/cloudsql-instances=barto-dev:us-central1:metabase-db-staging,barto-dev:us-central1:flowpos-db
Secret That May Need Updating (After Deployment)
METABASE_SITE_URL
This should be updated after the first successful deployment to match the actual Cloud Run service URL.
How to get the URL:
# Staging
gcloud run services describe flowpos-metabase-staging \
--region=us-central1 \
--project=barto-dev \
--format="value(status.url)"
# Production
gcloud run services describe flowpos-metabase-production \
--region=us-central1 \
--project=barto-prod \
--format="value(status.url)"
Update in GitHub Secrets:
- Go to: Settings → Secrets and variables → Actions
- Select the environment (staging or production)
- Update
METABASE_SITE_URLwith the actual URL
Or use the workflow output: The deployment workflow will show the URL and remind you to update it:
✅ Metabase deployed successfully!
🌐 Service URL: https://flowpos-metabase-staging-xxxxx.a.run.app
📝 Next step: Update METABASE_SITE_URL in GitHub Secrets
Verification Checklist
After deployment, verify these secrets are set correctly:
Staging Environment
-
METABASE_DB_CONNECTION_URI- Format:postgresql://user:pass@/dbname?host=/cloudsql/instance -
METABASE_EMBED_SECRET_KEY- Must match backend secret -
METABASE_SITE_URL- Update after deployment with actual URL -
MB_ANON_TRACKING_ENABLED- Optional (defaults tofalse) -
MB_ENABLE_PUBLIC_SHARING- Optional (defaults tofalse)
Production Environment
-
METABASE_DB_CONNECTION_URI- Format:postgresql://user:pass@/dbname?host=/cloudsql/instance -
METABASE_EMBED_SECRET_KEY- Must match backend secret -
METABASE_SITE_URL- Update after deployment with actual URL -
MB_ANON_TRACKING_ENABLED- Optional (defaults tofalse) -
MB_ENABLE_PUBLIC_SHARING- Optional (defaults tofalse)
Summary
✅ No secret values need to be changed - the existing format is correct
✅ The workflow automatically converts the connection URI to Cloud SQL Proxy format
⚠️ Only METABASE_SITE_URL needs to be updated after first deployment (workflow will remind you)
The Cloud SQL Proxy fix works with your existing secrets - no changes needed!