Variables Registry

The Variables Registry lets you store and manage key-value configuration variables that modules and workflows can read at runtime. Access it in the portal at Operations → Variables Registry, or via the CLI with cs config and the PowerShell module with Get-CSConfig / Set-CSConfig.

On-premises — Docker Compose .env file

The Docker Compose stack reads configuration from /opt/cloudsmith/.env inside the cloudsmith-docker VM. The installer generates this file during setup. You can edit it and run docker compose -f /opt/cloudsmith/docker-compose.yml up -d to apply changes.

# SSH into the CloudSmith VM
ssh cloudsmith@192.168.100.10

# Edit the .env file
sudo nano /opt/cloudsmith/.env

# Apply changes
sudo docker compose -f /opt/cloudsmith/docker-compose.yml up -d

Required variables

Variable Description Example
CLOUDSMITH_DB_CONNECTION_STRING PostgreSQL connection string for the API. Uses the bundled cloudsmith-postgres container in the default Compose configuration. Host=cloudsmith-postgres;Database=cloudsmith;Username=cloudsmith;Password=<pg-password>
CLOUDSMITH_MASTER_KEY 32-byte AES master key used to encrypt sensitive values in the database (IdP secrets, Relay enrollment tokens). On-premises: set in .env. PaaS: stored as a Key Vault secret and injected via ACA secret reference — see PaaS — Key Vault secret references. 32-character random hex string
CLOUDSMITH_DEPLOYMENT_MODE Deployment mode identifier. Must be OnPremises or PaaS. Controls which services are enabled at startup. OnPremises
CLOUDSMITH_PUBLIC_URL The public HTTPS URL where the portal is accessible. Used for OIDC redirect URIs and CORS policy. https://cloudsmith.contoso.com

Optional variables

Variable Default Description
CLOUDSMITH_LOG_LEVEL Information Minimum log level: Trace, Debug, Information, Warning, Error
CLOUDSMITH_JWT_EXPIRY_MINUTES 15 Access token lifetime in minutes
CLOUDSMITH_REFRESH_TOKEN_DAYS 7 Refresh token lifetime in days
CLOUDSMITH_MAX_RELAY_HEARTBEAT_INTERVAL_SECONDS 60 Relays that miss heartbeats longer than this value are marked as Disconnected
CLOUDSMITH_UPDATE_CHECK_ENABLED true Whether the platform checks ghcr.io for new versions. Set to false for air-gapped environments
CLOUDSMITH_UPDATE_CHECK_INTERVAL_HOURS 24 How often to check for updates
CLOUDSMITH_KEY_VAULT_NAME "" Azure Key Vault name used by the API for secret storage. On-premises: leave empty (the API uses the database for secrets). PaaS: set automatically by the Bicep deployment — do not override unless you are using a bring-your-own Key Vault.
CLOUDSMITH_IMAGE_TAG latest Container image tag pinned for in-place updates. The platform self-update flow reads this value to know the current running version. Set to a specific SHA or release tag in stage/production environments.

Relay environment variables

The CloudSmith Relay runs as a Docker container on a Linux host inside the cluster network. Configure it with the following environment variables when deploying the cloudsmith-relay container.

Variable Required Default Description Example
RELAY_PAAS_URL Yes HTTPS URL of the CloudSmith API. The relay connects here to enroll and maintain its WebSocket connection. https://cloudsmith.contoso.com
RELAY_ENROLLMENT_TOKEN Yes (first start only) One-time enrollment token generated when you register a site in the portal. Expires 24 hours after generation. Consumed on first successful enrollment — not required on subsequent starts. enroll_01hz...
RELAY_AGENT_ENROLLMENT_TOKEN Yes Shared secret that agents present when enrolling with this relay. You choose this value. Set the same value as AGENT_ENROLLMENT_TOKEN on every agent that connects to this relay. (strong random hex string)
RELAY_DISPLAY_NAME No container hostname Human-readable relay name shown in the portal under Platform Management → Sites. relay-prod-hci-01
RELAY_CLUSTER_ID No default Cluster identifier associated with this relay in the portal. cluster-prod-01
RELAY_LISTEN_PORT No 8443 TCP port the relay listens on for incoming agent connections. 8443
RELAY_IDENTITY_DIR No /var/lib/cloudsmith-relay/identity Directory where the relay persists its enrolled identity. Mount a named Docker volume at this path so identity survives restarts. /var/lib/cloudsmith-relay/identity

The relay persists its enrolled identity in /var/lib/cloudsmith-relay/identity. Mount a named Docker volume at this path so the identity survives container restarts:

docker run -d --name cloudsmith-relay --restart=always \
  -e RELAY_PAAS_URL=https://<your-paas-api-url> \
  -e RELAY_ENROLLMENT_TOKEN=<one-time-token> \
  -e RELAY_AGENT_ENROLLMENT_TOKEN=<your-agent-secret> \
  -e RELAY_DISPLAY_NAME=relay-prod-hci-01 \
  -p 8443:8443 \
  -v cloudsmith-relay-identity:/var/lib/cloudsmith-relay/identity \
  ghcr.io/cloudsmith-cloud/cloudsmith-relay:latest

See Install the CloudSmith Relay for the full deployment procedure.

Agent environment variables

The CloudSmith Agent is a Windows Service. It reads configuration from Windows Service environment variables stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\CloudSmithAgent\Environment. Set these registry values before starting the service.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CloudSmithAgent\Environment'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'AGENT_RELAY_URL'        -Value 'http://<relay-lan-ip>:8443' -PropertyType String -Force
New-ItemProperty -Path $regPath -Name 'AGENT_ENROLLMENT_TOKEN' -Value '<your-agent-secret>'        -PropertyType String -Force

Required variables

Variable Description Example
AGENT_RELAY_URL URL of the relay LAN endpoint. Format: http://<relay-lan-ip>:8443. No TLS on this path. http://192.168.1.10:8443
AGENT_ENROLLMENT_TOKEN The RELAY_AGENT_ENROLLMENT_TOKEN value you set on the relay. Consumed on first successful enrollment; agent persists its own identity thereafter. (strong random hex string)

Optional variables

Variable Default Description
AGENT_SCAN_INTERVAL_SECONDS 300 How often the agent pushes full hardware and cluster inventory (seconds).
AGENT_CLUSTER_ID default Cluster identifier this host belongs to, as shown in the portal.
AGENT_IDENTITY_PATH C:\ProgramData\CloudSmith\agent-identity.json Path where the agent persists its enrolled identity (agentId + agentSecret).
AGENT_INSTALL_DIRECTORY C:\CloudSmith Base directory for agent executables and working files.

See Install the CloudSmith Agent for the full installation procedure.

OpenTelemetry / Azure Monitor variables (on-premises)

These variables are optional on-premises. Configure them when you want to forward telemetry to Azure Monitor or a self-hosted OpenTelemetry Collector.

Variable Description
AZURE_MONITOR_WORKSPACE_ENDPOINT Azure Monitor workspace ingestion endpoint (e.g., https://<dce-name>.<region>.ingest.monitor.azure.com)
AZURE_MONITOR_DCE_ENDPOINT Azure Monitor Data Collection Endpoint URL
OTEL_EXPORTER_OTLP_ENDPOINT OTLP gRPC endpoint for a self-hosted collector (e.g., http://otel-collector:4317)
OTEL_SERVICE_NAME Service name reported in telemetry (default: cloudsmith-api)

On-premises — appsettings.json

appsettings.json is embedded in the cloudsmith-api container image at /app/appsettings.json. In most deployments, all configuration is supplied via environment variables (which take precedence over appsettings.json). Override individual settings by mounting a custom appsettings.Local.json volume.

{
  "CloudSmith": {
    "DeploymentMode": "OnPremises",
    "PublicUrl": "",
    "MasterKey": "",
    "UpdateCheckEnabled": true,
    "UpdateCheckIntervalHours": 24,
    "MaxRelayHeartbeatIntervalSeconds": 60
  },
  "ConnectionStrings": {
    "DefaultConnection": ""
  },
  "Jwt": {
    "ExpiryMinutes": 15,
    "RefreshTokenDays": 7
  },
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning"
      }
    }
  },
  "OpenTelemetry": {
    "Enabled": true,
    "ServiceName": "cloudsmith-api",
    "AzureMonitorWorkspaceEndpoint": "",
    "AzureMonitorDceEndpoint": "",
    "OtlpExporterEndpoint": ""
  }
}

To apply a custom override:

# In docker-compose.yml
services:
  cloudsmith-api:
    volumes:
      - /opt/cloudsmith/appsettings.Local.json:/app/appsettings.Local.json:ro

Azure PaaS — Azure Container Apps environment variables

In the PaaS model, all configuration is supplied as ACA environment variables. Variables marked as secrets in the Bicep template are stored in Azure Key Vault and injected into the container via ACA secret references — they never appear in plaintext in the ACA environment variable list.

Required ACA environment variables

Variable Description
CLOUDSMITH_DB_CONNECTION_STRING PostgreSQL connection string. In the default PaaS deployment, the API connects using the Managed Identity AAD token — no password in the connection string.
CLOUDSMITH_MASTER_KEY ACA secret reference to the Key Vault secret cloudsmith-master-key. See Key Vault secret references.
CLOUDSMITH_DEPLOYMENT_MODE Must be PaaS
CLOUDSMITH_PUBLIC_URL Portal Azure Container App FQDN
CLOUDSMITH_KEY_VAULT_NAME Azure Key Vault name. Set automatically by the Bicep deployment.

Optional ACA environment variables

Variable Default Description
CLOUDSMITH_LOG_LEVEL Information Minimum log level
CLOUDSMITH_JWT_EXPIRY_MINUTES 15 Access token lifetime
CLOUDSMITH_REFRESH_TOKEN_DAYS 7 Refresh token lifetime
AZURE_MONITOR_WORKSPACE_ENDPOINT "" Azure Monitor workspace ingestion endpoint
AZURE_MONITOR_DCE_ENDPOINT "" Azure Monitor Data Collection Endpoint URL
AZURE_CLIENT_ID Injected by ACA Client ID of the User-assigned Managed Identity. Injected automatically by ACA when a UAMI is attached to the container app.

PaaS — Key Vault secret references

The master encryption key is a sensitive value that must never appear in plaintext in a container app environment variable list or in version control. In the PaaS deployment, CloudSmith stores it as a Key Vault secret and references it via the ACA secret reference pattern.

How it works

  1. During azd up, the Bicep template creates the cloudsmith-master-key secret in Key Vault.
  2. The API container app is configured with an ACA secret that references the Key Vault secret URI.
  3. ACA resolves the secret value at startup and injects it as the CLOUDSMITH_MASTER_KEY environment variable inside the container.
  4. The Managed Identity attached to the API container app has the Key Vault Secrets User role assignment on the Key Vault, which grants read access to the secret.

The secret value is never visible in the Azure portal’s container app environment variable list — it appears as (hidden).

Rotating the master key

# Set a new master key value in Key Vault
$newKey = [System.Convert]::ToHexString([System.Security.Cryptography.RandomNumberGenerator]::GetBytes(32))
az keyvault secret set `
    --vault-name 'kvcloudsmithprodcus001...' `
    --name 'cloudsmith-master-key' `
    --value $newKey

# Force a new ACA revision to pick up the updated secret
az containerapp update `
    --name 'ca-cloudsmith-api-prod-cus-001' `
    --resource-group 'rg-cloudsmith-prod-cus-001'

Warning: Rotating the master key without first re-encrypting all secrets stored in the database will make those secrets unreadable. Key rotation requires a database re-encryption step. This procedure is documented in the troubleshooting guide.

azd environment parameters

When deploying with the Azure Developer CLI, configuration is supplied as azd environment variables rather than ACA environment variables directly. The Bicep template maps azd parameters to ACA and Key Vault at deploy time.

See Azure PaaS install — step 4 for the full azd env set reference.

Key parameters:

azd variable Maps to
AZURE_LOCATION Resource group and all resources
CLOUDSMITH_ENTRA_TENANT_ID entraTenantId Bicep parameter
CLOUDSMITH_API_CLIENT_ID entraClientId Bicep parameter
CLOUDSMITH_PORTAL_CLIENT_ID entraPortalClientId Bicep parameter
CLOUDSMITH_ACA_PLAN ACA consumption vs. workload-profiles plan
CLOUDSMITH_PG_SKU PostgreSQL SKU
CLOUDSMITH_PG_HA PostgreSQL HA mode
CLOUDSMITH_IMAGE_TAG Container image tag for cloudsmith-api and cloudsmith-portal