diff --git a/ops/mainnet/mason/config.tf b/ops/mainnet/mason/config.tf
index 9f1acb13..3c53cc7e 100644
--- a/ops/mainnet/mason/config.tf
+++ b/ops/mainnet/mason/config.tf
@@ -293,6 +293,26 @@ locals {
       name  = "MARK_CONFIG_SSM_PARAMETER"
       value = "MASON_CONFIG_MAINNET"
     },
+    {
+      name  = "SHARD_MANIFEST"
+      value = local.shard_manifest
+    },
+    {
+      name  = "GCP_PROJECT_ID"
+      value = local.gcp_project_id
+    },
+    {
+      name  = "GOOGLE_CLOUD_PROJECT"
+      value = local.gcp_project_id
+    },
+    {
+      name  = "GCP_WORKLOAD_IDENTITY_PROVIDER"
+      value = local.gcp_workload_identity_provider
+    },
+    {
+      name  = "GCP_SERVICE_ACCOUNT_EMAIL"
+      value = local.gcp_service_account
+    },
     {
       name  = "REBALANCE_CONFIG_S3_BUCKET"
       value = local.rebalanceConfig.bucket
diff --git a/ops/mainnet/mason/main.tf b/ops/mainnet/mason/main.tf
index 52f69fce..2b4337eb 100644
--- a/ops/mainnet/mason/main.tf
+++ b/ops/mainnet/mason/main.tf
@@ -40,7 +40,8 @@ locals {
   mark_config_json = jsondecode(data.aws_ssm_parameter.mark_config_mainnet.value)
   mark_config = {
     dd_api_key              = local.mark_config_json.dd_api_key
-    web3_signer_private_key = local.mark_config_json.web3_signer_private_key
+    # Private keys are stored as Shamir shares in separate SSM parameters, not in main config
+    web3_signer_private_key = try(local.mark_config_json.web3_signer_private_key, "")
     signerAddress           = local.mark_config_json.signerAddress
     chains                  = local.mark_config_json.chains
     db_password             = local.mark_config_json.db_password