Secrets Update Guide for Unix Socket Configuration
✅ Good News: No Secret Values Need to Change
The existing METABASE_DB_CONNECTION_URI secrets are already in the correct Unix socket format. The workflow was updated to use them correctly, but the secret values themselves don't need to change.
Current Secret Format (Already Correct)
METABASE_DB_CONNECTION_URI
The connection URI format is already correct and works with the updated workflow:
Staging:
postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
Production:
postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
What Changed:
- Before: Workflow extracted the Unix socket path but set MB_DB_HOST=127.0.0.1 (TCP)
- After: Workflow extracts the Unix socket path and sets MB_DB_HOST=/cloudsql/... (Unix socket)
The secret format was already correct - we just needed to use it properly!
Secrets That Need Verification
GitHub Secrets (Actions)
Verify these secrets are set correctly in GitHub Actions:
Staging Environment
- ✅ METABASE_DB_CONNECTION_URI - Should be: postgresql://metabase_user:pDOiV4mWp0UmC8cmCblyASd7BvQbJY4L@/metabase?host=/cloudsql/barto-dev:us-central1:metabase-db-staging
- ⚠️ METABASE_SITE_URL - Update after first successful deployment (workflow will show the URL)
- ✅ METABASE_EMBED_SECRET_KEY - Should match backend secret
- ✅ MB_ANON_TRACKING_ENABLED - Optional (defaults to false)
- ✅ MB_ENABLE_PUBLIC_SHARING - Optional (defaults to false)
Production Environment
- ✅ METABASE_DB_CONNECTION_URI - Should be: postgresql://metabase_user:iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv@/metabase?host=/cloudsql/barto-prod:us-central1:metabase-db-production
- ⚠️ METABASE_SITE_URL - Update after first successful deployment (workflow will show the URL)
- ✅ METABASE_EMBED_SECRET_KEY - Should match backend secret
- ✅ MB_ANON_TRACKING_ENABLED - Optional (defaults to false)
- ✅ MB_ENABLE_PUBLIC_SHARING - Optional (defaults to false)
Doppler Secrets
Doppler is NOT used for Metabase deployment - all secrets are in GitHub Actions.
However, if you have Metabase secrets in Doppler for reference, they should match the GitHub secrets format.
How to Verify/Update Secrets
1. Verify METABASE_DB_CONNECTION_URI Format
The connection URI must be in Unix socket format:
postgresql://USER:PASSWORD@/DATABASE?host=/cloudsql/PROJECT:REGION:INSTANCE
Key points:
- No host/port before the / (empty host means Unix socket)
- host=/cloudsql/... query parameter specifies the Unix socket path
- Password must be URL-encoded if it contains special characters
Example check:
# The URI should contain:
# - Empty host (no host:port before /database)
# - host=/cloudsql/... in query string
echo "$METABASE_DB_CONNECTION_URI" | grep -q "?host=/cloudsql/"
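The grep above only confirms the host= parameter. The following added example (not part of the deployment workflow) checks all three key points and returns the socket path without ever printing the password; the function name, the sample credentials and the example-proj instance names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the socket path, from the PROJECT:REGION:INSTANCE template above.
SOCKET_RE = re.compile(r"/cloudsql/[^:/]+:[^:/]+:[^:/]+")

def check_socket_uri(uri):
    """Return (socket_path, problems); messages never include the password."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "postgresql":
        problems.append("scheme must be postgresql")
    if "@" not in parts.netloc:
        # A raw '/', '?' or '#' in the password ends the authority early.
        problems.append("no USER:PASSWORD@ before the path; "
                        "URL-encode special characters (e.g. / as %2F)")
    elif not parts.netloc.endswith("@"):
        problems.append("host must be empty; a host[:port] here means TCP")
    elif not parts.username or not parts.password:
        problems.append("USER and PASSWORD must both be present")
    elif re.search(r"%(?![0-9A-Fa-f]{2})", parts.password):
        problems.append("password has a '%' that is not a valid escape")
    if not parts.path.strip("/"):
        problems.append("database name is missing")
    hosts = parse_qs(parts.query).get("host", [])
    if len(hosts) != 1 or not SOCKET_RE.fullmatch(hosts[0]):
        problems.append("query needs one host=/cloudsql/PROJECT:REGION:INSTANCE")
    return (hosts[0] if not problems else None), problems

# Constructed sample URIs; credentials and instance names are placeholders.
SAMPLES = {
    "socket": "postgresql://app_user:s3cr%2Fet@/metabase"
              "?host=/cloudsql/example-proj:us-central1:example-db",
    "tcp": "postgresql://app_user:s3cret@127.0.0.1:5432/metabase",
    "raw_slash": "postgresql://app_user:s3cr/et@/metabase"
                 "?host=/cloudsql/example-proj:us-central1:example-db",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        path, problems = check_socket_uri(uri)
        print(name, "->", path or problems)
```

The raw_slash sample still passes the grep check, which is why the unencoded-password case is tested separately here.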
2. Update METABASE_SITE_URL (After Deployment)
After the first successful deployment, update METABASE_SITE_URL with the actual Cloud Run URL:
Get the URL:
# Staging
gcloud run services describe flowpos-metabase-staging \
--region=us-central1 \
--project=barto-dev \
--format="value(status.url)"
# Production
gcloud run services describe flowpos-metabase-production \
--region=us-central1 \
--project=barto-prod \
--format="value(status.url)"
Update in GitHub:
- Go to: Settings → Secrets and variables → Actions
- Select the environment (staging or production)
- Find METABASE_SITE_URL
- Click Update and paste the URL from above
Or use the workflow output: The deployment workflow will show the URL:
✅ Metabase deployed successfully!
🌐 Service URL: https://flowpos-metabase-staging-xxxxx.a.run.app
📝 Next step: Update METABASE_SITE_URL in GitHub Secrets
Summary
✅ No secret values need to be changed - the existing format is correct
✅ The workflow now uses Unix sockets - it extracts the path from the URI
⚠️ Only METABASE_SITE_URL needs to be updated after first deployment
The Unix socket configuration works with your existing secrets - no changes needed!
Troubleshooting
If deployment fails with connection errors:
- Verify METABASE_DB_CONNECTION_URI format:
  # Should contain: ?host=/cloudsql/
  # -q suppresses the matched line so the URI (and its password) is not printed
  echo "$METABASE_DB_CONNECTION_URI" | grep -q "?host=/cloudsql/" && echo "format OK"
- Check password encoding:
  - Special characters (like /) must be URL-encoded (%2F)
  - Production password iNE3VNQz1qYH9OLi64XQwG5K9CVM/fJv becomes iNE3VNQz1qYH9OLi64XQwG5K9CVM%2FfJv
- Verify Cloud SQL instance names:
  - Staging: barto-dev:us-central1:metabase-db-staging
  - Production: barto-prod:us-central1:metabase-db-production