Version: v1.1

Environment Variables Reference

Overview

AosCloud microservices are configured through environment variables that control secrets management, database connections, messaging, and inter-service communication. In AWS deployments, these variables are injected via the Helm chart rather than being read directly from .env files — the .env files in the source repository define the development-mode defaults and variable names, while the Helm values.yaml maps them to AWS Secrets Manager paths at deployment time.

This page documents every environment variable used by each microservice, its purpose, valid format, and injection source. It does not include actual secret values — only parameter names and format specifications.

Prerequisites

Before reading this page, review:

Injection Architecture

All AosCloud services use a common secrets resolution pattern:

  1. SecretManagerType determines which backend retrieves secrets at runtime
  2. VaultAddr* variables specify the secret path prefix where configuration and credentials are stored
  3. At startup, each service reads its configuration from the path pointed to by these variables

Injection Sources

Source | Description | Example
Helm values (env block) | Set directly in values.yaml per-service env array | SecretManagerType, VaultAddrCfg, PROJECT_VERSION
AWS Secrets Manager | Retrieved at runtime by the application using the VaultAddr* path | Database passwords, TLS certificates, API keys
Kubernetes Secret (envFromSecret) | Injected from a K8s Secret created by the RabbitMQ operator or Helm | RMQ_HOSTNAME, RMQ_USERNAME, RMQ_PASSWORD
Static configuration | Hardcoded in Helm templates or derived from global values | WS_EXTERNAL_HOSTNAME, WS_EXTERNAL_PORT

AWS Secret Path Naming Convention

In AWS deployments, secret paths follow the pattern ${AWS_BASE_NAME}-<suffix>:

Path Suffix | Content | Used By
appcfg | Application configuration (endpoints, feature flags) | API, Auth, WebSocket API, Message Handler, Unit Message Handler
appsec | Application secrets (API keys, tokens) | API, Auth, WebSocket API, Message Handler, Unit Message Handler
dbcfg | Database configuration (hostnames, ports) | API, Auth, Message Handler, Unit Message Handler, Data Migration
dbsec | Database secrets (credentials) | API, Auth, Message Handler, Unit Message Handler, Data Migration
data-services | Data services configuration | Alert Handler, Unit Monitoring
mhcfg | Message handler configuration | Message Handler, Unit Message Handler, Service Discovery
mhsec | Message handler secrets | Message Handler, Unit Message Handler, Service Discovery
sdcfg | Service discovery configuration | Service Discovery
sdsec | Service discovery secrets | Service Discovery
taskcfg | Task/queue management configuration | Queue Management
tasksec | Task/queue management secrets | Queue Management
ingress | Ingress/TLS certificates and keys | Istio gateway secrets job
landing | Landing page configuration | Landing Backend
base | Base infrastructure secrets (PostgreSQL admin, InfluxDB) | PostgreSQL init, InfluxDB

Environment Variables by Microservice

API Service

The API service provides the main REST interface for AosCloud operations.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to application configuration secrets | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application credential secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block
DEVELOPMENT_MODE | Enables development-only features | True / False | Not set in production | Dev .env only

Service account: ${AWS_BASE_NAME}-app

Auth Service

The Auth service handles authentication, authorization, and user management.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to application configuration secrets | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application credential secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block
POSTGRES_HOST | PostgreSQL hostname (dev override) | Hostname string | | Dev .env only

Service account: ${AWS_BASE_NAME}-app

Backend (App) Service

The Backend service handles core business logic, Django-based management, and background task processing.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to application configuration secrets | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application credential secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

The Backend also has a task runner variant (bg-tasks) and scheduler variant (bg-scheduler) that share the same environment variables but run different commands.

Service account: ${AWS_BASE_NAME}-app

Alert Handler

The Alert Handler processes alert events and stores them in DocumentDB (MongoDB-compatible).

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to data services configuration | | ${AWS_BASE_NAME}-data-services | Helm env block
SomeSaName | Service account name reference | String | Service account name | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

Service account: ${AWS_BASE_NAME}-data-services

Message Handler

The Message Handler processes messages between the cloud platform and Units, managing software update distribution and status tracking.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrMHCfg | Path to message handler configuration | | ${AWS_BASE_NAME}-mhcfg | Helm env block
VaultAddrMHSec | Path to message handler secrets | | ${AWS_BASE_NAME}-mhsec | Helm env block
VaultAddrCfg | Path to application configuration | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block

Service account: ${AWS_BASE_NAME}-task

Unit Message Handler

The Unit Message Handler processes messages directly from connected Units via RabbitMQ, handling Unit-initiated communications.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
WS_EXTERNAL_HOSTNAME | External WebSocket endpoint hostname | ws.<domain> | ws.{{ .Values.global.domainName }} | Helm env block (static)
WS_EXTERNAL_PORT | External WebSocket endpoint port | Port number string | 443 | Helm env block (static)
VaultAddrCfg | Path to application configuration | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
VaultAddrMHCfg | Path to message handler configuration | | ${AWS_BASE_NAME}-mhcfg | Helm env block
VaultAddrMHSec | Path to message handler secrets | | ${AWS_BASE_NAME}-mhsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block
RMQ_HOSTNAME | RabbitMQ server hostname | Hostname string | | Kubernetes Secret (envFromSecret)
RMQ_PORT | RabbitMQ server port | Port number string | | Kubernetes Secret (envFromSecret)
RMQ_USERNAME | RabbitMQ authentication username | String | | Kubernetes Secret (envFromSecret)
RMQ_PASSWORD | RabbitMQ authentication password | String | | Kubernetes Secret (envFromSecret)

Service account: ${AWS_BASE_NAME}-task

Unit Monitoring

The Unit Monitoring service collects and stores telemetry data from connected Units, writing to InfluxDB.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to data services configuration | | ${AWS_BASE_NAME}-data-services | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

Service account: ${AWS_BASE_NAME}-data-services

WebSocket API

The WebSocket API manages persistent WebSocket connections from Units, providing real-time bidirectional communication.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
WS_EXTERNAL_HOSTNAME | External WebSocket endpoint hostname | ws.<domain> | ws.{{ .Values.global.domainName }} | Helm env block (static)
WS_EXTERNAL_PORT | External WebSocket endpoint port | Port number string | 443 | Helm env block (static)
VaultAddrCfg | Path to application configuration | | ${AWS_BASE_NAME}-appcfg | Helm env block
VaultAddrSec | Path to application secrets | | ${AWS_BASE_NAME}-appsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block
RMQ_HOSTNAME | RabbitMQ server hostname | Hostname string | | Kubernetes Secret (envFromSecret)
RMQ_PORT | RabbitMQ server port | Port number string | | Kubernetes Secret (envFromSecret)
RMQ_USERNAME | RabbitMQ authentication username | String | | Kubernetes Secret (envFromSecret)
RMQ_PASSWORD | RabbitMQ authentication password | String | | Kubernetes Secret (envFromSecret)

Service account: ${AWS_BASE_NAME}-app

Service Discovery

The Service Discovery service handles Unit registration and connection assignment within the AosCloud platform.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
WS_EXTERNAL_HOSTNAME | External WebSocket endpoint hostname | ws.<domain> | ws.{{ .Values.global.domainName }} | Helm env block (static)
WS_EXTERNAL_PORT | External WebSocket endpoint port | Port number string | 443 | Helm env block (static)
VaultAddrCfg | Path to service discovery configuration | | ${AWS_BASE_NAME}-sdcfg | Helm env block
VaultAddrSec | Path to service discovery secrets | | ${AWS_BASE_NAME}-sdsec | Helm env block
VaultAddrNosqlCfg | Path to NoSQL (DocumentDB) configuration | | ${AWS_BASE_NAME}-mhcfg | Helm env block
VaultAddrNosqlSec | Path to NoSQL (DocumentDB) secrets | | ${AWS_BASE_NAME}-mhsec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

Service account: ${AWS_BASE_NAME}-sd

Queue Management (Units Queues Management)

The Queue Management service manages RabbitMQ queues for Unit communication, handling queue lifecycle and monitoring.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrCfg | Path to queue management configuration | | ${AWS_BASE_NAME}-taskcfg | Helm env block
VaultAddrSec | Path to queue management secrets | | ${AWS_BASE_NAME}-tasksec | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

Service account: Custom (${AWS_BASE_NAME}-qm role via IRSA annotation)

Landing Backend

The Landing service provides the public-facing marketing/signup pages and AWS SaaS Marketplace integration.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrLanding | Path to landing page configuration | | ${AWS_BASE_NAME}-landing | Helm env block
AWS_SAAS_ARN | IAM role ARN for SaaS operations | ARN string | | Helm env block
AWS_SAAS_REGION | AWS region for SaaS integration | Region string (e.g., us-east-1) | | Helm env block
AWS_SAAS_METERING_ARN | SQS ARN for metering events | ARN string | | Helm env block
AWS_SAAS_ENTITLEMENT_ARN | SQS ARN for entitlement events | ARN string | | Helm env block

Service account: ${AWS_BASE_NAME}-base

CMS (Content Management System)

The CMS manages landing page content via a Strapi-based headless CMS.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager | AWSSecretManager | Helm env block
DATABASE_FILENAME | Path to SQLite database file | File path | /opt/app/database/cms.db | Helm env block
TMPDIR | Temporary directory path | File path | /tmp | Helm env block
ADMIN_JWT_SECRET | JWT secret for admin authentication | JWT token string | | Helm env block
API_TOKEN_SALT | Salt for API token generation | Random string | | Helm env block
JWT_SECRET | JWT secret for general authentication | JWT token string | | Helm env block
NODE_ENV | Node.js environment mode | production / development | production | Helm env block
APP_KEYS | Application encryption keys | Comma-separated strings | | Helm env block
SMTP_SERVER | SMTP server hostname (from secrets) | Secret path string | ${AWS_BASE_NAME}-appcfg/SMTPMailServerHostname | AWS Secrets Manager
SMTP_PORT | SMTP server port (from secrets) | Secret path string | ${AWS_BASE_NAME}-appcfg/SMTPMailServerPort | AWS Secrets Manager
SMTP_USER | SMTP login (from secrets) | Secret path string | ${AWS_BASE_NAME}-appsec/SMTPMailServerLogin | AWS Secrets Manager
SMTP_PASS | SMTP password (from secrets) | Secret path string | ${AWS_BASE_NAME}-appsec/SMTPMailServerPassword | AWS Secrets Manager

Service account: ${AWS_BASE_NAME}-base

Data Migration

The Data Migration job runs database schema migrations (Alembic) during upgrades.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager or HashiCorp | AWSSecretManager | Helm env block
VaultAddrDbSec | Path to database credentials | | ${AWS_BASE_NAME}-dbsec | Helm env block
VaultAddrDbCfg | Path to database configuration | | ${AWS_BASE_NAME}-dbcfg | Helm env block
POSTGRES_HOST | PostgreSQL hostname (dev override) | Hostname string | | Dev .env only
PYTHONPATH | Python module search path | Colon-separated paths | ../cloud-common:../data-layer | Dev .env only

Service account: ${AWS_BASE_NAME}-app

Nginx (Frontend Proxy)

The Nginx service serves the frontend web application and proxies API requests.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager | AWSSecretManager | Helm env block
PROJECT_VERSION | Deployed application version string | Semantic version | Current release | Helm env block

Service account: default

RMQ Metrics

The RMQ Metrics service exports RabbitMQ queue metrics to Prometheus.

Variable | Purpose | Format | Default | Injection Source
SecretManagerType | Secrets backend selector | AWSSecretManager | AWSSecretManager | Helm env block
REDIS_CONN | Redis connection string for metrics caching | Connection string | | Kubernetes Secret (from ${AWS_BASE_NAME}-base/RmqMetricsRedisConnString)

Service account: ${AWS_BASE_NAME}-base

Infrastructure Services Configuration

These environment variables configure infrastructure-level services that are not AosCloud microservices but support the platform.

RabbitMQ (Units Queues)

Variable | Purpose | Format | Default
RABBITMQ_CARS_PORT | AMQPS connection port | Port number | 5671
RABBITMQ_CARS_DEFAULT_VHOST | Default virtual host | Path string | /
RABBITMQ_CARS_CLOUD_EXCHANGE_NAME | Cloud-side exchange name | String | aos_cloud
RABBITMQ_CARS_UNITS_EXCHANGE_NAME | Units-side exchange name | String | aos_units
RABBITMQ_CARS_CLOUD_QUEUE_NAME | Cloud message queue name | String | cloud_queue
RABBITMQ_CARS_QUEUES_LIMIT | Maximum queue count | Integer | 30000
RABBITMQ_CARS_QUEUES_CACHE | Queue cache size | Integer | 100
RABBITMQ_INITIAL_SERVERS_AMOUNT | Initial RabbitMQ cluster nodes | Integer | 1
RABBITMQ_CARS_ADDITIONAL_SERVER | Additional server flag | 0 or 1 | 0
RABBITMQ_QUEUES_TTL_MULTIPLIER | TTL multiplier for queue expiry | Float | 1.2

Note: In AWS deployments, RabbitMQ is deployed via the rabbitmq-cluster-operator Helm chart. Connection credentials are provided through a Kubernetes Secret generated by the operator, injected into services via envFromSecret.

PostgreSQL

Variable | Purpose | Format | Default
POSTGRES_DB_NAME | Application database name | String |
POSTGRES_DB_SCHEMA | Application database schema | String |
POSTGRES_CLI_SSL_CA | Path to CA certificate for SSL | File path |
POSTGRES_CLI_SSL_CRT | Path to client certificate | File path |
POSTGRES_CLI_SSL_KEY | Path to client key | File path |
POSTGRES_CONFIG_MAX_CONNECTIONS | Maximum connections | Integer | 300
POSTGRES_CONFIG_SHARED_BUFFERS | Shared buffer memory | Size string | 128MB
POSTGRES_CONFIG_EFFECTIVE_CACHE_SIZE | Effective cache size | Size string | 384MB
POSTGRES_CONFIG_WORK_MEM | Per-operation work memory | Size string | 1310kB
POSTGRES_CONFIG_MAX_WAL_SIZE | Maximum WAL size | Size string | 2GB

Note: In AWS deployments, PostgreSQL is provided by Aurora PostgreSQL. The connection parameters (host, port, credentials) are stored in AWS Secrets Manager at the ${AWS_BASE_NAME}-dbcfg and ${AWS_BASE_NAME}-dbsec paths. Performance tuning parameters are managed by the Aurora configuration rather than environment variables.

DocumentDB (MongoDB-Compatible)

Variable | Purpose | Format | Default
MONGO_INITDB_DATABASE | Initial database name | String | aos-alert

Note: In AWS deployments, DocumentDB connection details are stored in AWS Secrets Manager at the ${AWS_BASE_NAME}-mhcfg and ${AWS_BASE_NAME}-mhsec paths. DocumentDB endpoints are also injected through the Helm aws.docdb.endpoints array.

InfluxDB

Variable | Purpose | Format | Default
INFLUXDB_HOST | InfluxDB server hostname | Hostname | influxdb (K8s service)
INFLUXDB_PORT | InfluxDB HTTP port | Port number | 8086
INFLUXDB_DB | Database name | String | influx
DOCKER_INFLUXDB_REPORTING_DISABLED | Disable usage reporting | true / false | true
DOCKER_INFLUXDB_DATA_QUERY_LOG_ENABLED | Enable query logging | true / false | false
DOCKER_INFLUXDB_HTTP_LOG_ENABLED | Enable HTTP access logging | true / false | false
DOCKER_INFLUXDB_INIT_ORG | Initial organization | String | cloud
DOCKER_INFLUXDB_INIT_RETENTION | Data retention period | Duration string | 7d
DOCKER_INFLUXDB_INIT_BUCKET | Initial bucket name | String | unit-monitoring

Note: In AWS deployments, InfluxDB runs within EKS with persistence via EFS. Admin credentials are stored in AWS Secrets Manager at ${AWS_BASE_NAME}-base (keys: InfluxdbAdminPassword, InfluxdbAdminToken) and mounted via the CSI secrets driver.

Certificates and Keys

Variable | Purpose | Format
ROOT_CA | Root CA certificate filename | PEM filename
SECONDARY_CA_CERTIFICATE | Secondary CA certificate | PEM filename
OEM_CA_CERTIFICATE | OEM CA certificate | PEM filename
OEM_CA_KEY | OEM CA private key | PEM filename
VEHICLE_CA_CERTIFICATE | Vehicle CA certificate | PEM filename
VEHICLE_CA_KEY | Vehicle CA private key | PEM filename
SP_CA_CERTIFICATE | Service Provider CA certificate | PEM filename
SP_CA_KEY | Service Provider CA private key | PEM filename
INTERNAL_CA_CERT | Internal CA certificate | PEM filename
INTERNAL_CA_CERT_FULLCHAIN | Internal CA full chain | PEM filename
RABBIT_CARS_KEY | RabbitMQ client private key | PEM filename
RABBIT_CARS_CERTIFICATE | RabbitMQ client certificate | PEM filename
MESSAGE_HANDLER_KEY | Message handler TLS key | PEM filename
MESSAGE_HANDLER_CERTIFICATE | Message handler TLS certificate chain | PEM filename
CONTAINER_KEY | Container signing key | PEM filename
CONTAINER_CERTIFICATE | Container signing certificate | PEM filename

Note: In AWS deployments, certificates are stored in AWS Secrets Manager and mounted into pods via the CSI Secrets Store driver (secrets-store.csi.k8s.io). The ingress TLS certificates (for both the main domain and the WebSocket subdomain ws.<domain>) are stored at the ${AWS_BASE_NAME}-ingress secret path and injected by the Istio secrets job.

Inter-Service Dependencies

The following diagram shows how environment variables create dependencies between services:

Key Dependencies

Dependent Service | References | Through Variable | Purpose
Service Discovery | Message Handler secrets | VaultAddrNosqlCfg / VaultAddrNosqlSec | Access DocumentDB for Unit registration data
Unit Message Handler | Message Handler config | VaultAddrMHCfg / VaultAddrMHSec | Share messaging configuration with MH
WebSocket API, Unit Message Handler | RabbitMQ | RMQ_HOSTNAME, RMQ_PORT | Connect to RabbitMQ for Unit message routing
WebSocket API, Unit Message Handler, Service Discovery | External WebSocket endpoint | WS_EXTERNAL_HOSTNAME | Inform Units where to establish WebSocket connections
All services | AWS Secrets Manager | SecretManagerType=AWSSecretManager | Runtime secret resolution from AWS

Common Variable Patterns

SecretManagerType

Every AosCloud microservice includes this variable. It determines the secrets resolution backend:

  • AWSSecretManager (production): Resolves VaultAddr* values as AWS Secrets Manager path names
  • HashiCorp (development): Resolves VaultAddr* values as HashiCorp Vault URLs

VaultAddr* Variables

These are not Vault URLs in AWS deployments — the name is a historical artifact. In AWS mode, they specify the AWS Secrets Manager secret name prefix where configuration is stored. The application uses the AWS SDK to read secret values from these paths at startup.
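The three-step resolution pattern from the Injection Architecture section and the VaultAddr* convention above, as an added Python example that is not AosCloud's own code: it selects the backend from SecretManagerType (failing closed on anything else), builds the ${AWS_BASE_NAME}-<suffix> names, reads every VaultAddr* prefix at startup, and resolves "secret-name/Key" references of the kind the CMS SMTP_* rows use. The JSON-object layout of each secret, the injectable `fetch` callable used for offline runs, and the boto3 call in AWS mode are assumptions.

```python
"""Resolver for the SecretManagerType / VaultAddr* pattern described on this page.
Added example, not AosCloud's code; secret layout and fetch hook are assumptions."""
import json
from typing import Callable, Dict, Mapping, Optional

BACKENDS = ("AWSSecretManager", "HashiCorp")
# VaultAddr* variable -> path suffix, from the page's naming convention table.
SUFFIXES = {
    "VaultAddrCfg": "appcfg", "VaultAddrSec": "appsec",
    "VaultAddrDbCfg": "dbcfg", "VaultAddrDbSec": "dbsec",
    "VaultAddrMHCfg": "mhcfg", "VaultAddrMHSec": "mhsec",
}
Fetcher = Callable[[str], Dict[str, str]]  # secret name -> key/value map


def expected_paths(base_name: str) -> Dict[str, str]:
    """Values the Helm env block sets: ${AWS_BASE_NAME}-<suffix> per variable."""
    return {var: f"{base_name}-{suffix}" for var, suffix in SUFFIXES.items()}


def select_backend(env: Mapping[str, str]) -> str:
    """Step 1: SecretManagerType picks the backend; anything else fails closed."""
    kind = env.get("SecretManagerType")
    if kind not in BACKENDS:
        raise ValueError(f"SecretManagerType must be one of {BACKENDS}, got {kind!r}")
    return kind


def aws_fetch(secret_name: str) -> Dict[str, str]:
    """AWS backend (assumed): the secret's SecretString is a JSON object of keys."""
    import boto3  # imported lazily so development mode needs no AWS SDK
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)
    return json.loads(resp["SecretString"])


def resolve_ref(ref: str, fetch: Fetcher) -> str:
    """Resolve a '<secret-name>/<Key>' reference, e.g. the CMS value
    ${AWS_BASE_NAME}-appcfg/SMTPMailServerHostname, to the key's value."""
    name, sep, key = ref.rpartition("/")
    if not sep or not name or not key:
        raise ValueError(f"secret reference must look like name/Key: {ref!r}")
    values = fetch(name)
    if key not in values:
        raise KeyError(f"{key} not present in secret {name}")
    return values[key]


def load_config(env: Mapping[str, str],
                fetch: Optional[Fetcher] = None) -> Dict[str, Dict[str, str]]:
    """Steps 2-3: read each VaultAddr* prefix present and fetch its contents
    once at startup, keyed by the variable that pointed at it."""
    backend = select_backend(env)
    if fetch is None:
        if backend != "AWSSecretManager":
            raise NotImplementedError("HashiCorp Vault fetch is out of scope here")
        fetch = aws_fetch
    prefixes = {k: v for k, v in env.items() if k.startswith("VaultAddr")}
    if not prefixes:
        raise ValueError("no VaultAddr* variables set; nothing to resolve")
    return {var: fetch(path) for var, path in prefixes.items()}
```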

PROJECT_VERSION

Injected from the Helm global value global.aos.projectVersion, which is set to ${AOS_CLOUD_VERSION} during deployment. Used for version reporting in health checks and metrics.