Google Cloud Secret Manager
Overview
Section titled “Overview”This guide walks you through configuring Google Cloud Secret Manager as a secret provider for your CrewAI Platform organization, using service account credentials. By the end, CrewAI Platform will be able to read secrets stored in your Google Cloud project and inject them as environment variable values at runtime.
Prerequisites
Section titled “Prerequisites”Step 1 — Create a Service Account
Section titled “Step 1 — Create a Service Account”A service account is the GCP-side identity CrewAI Platform will authenticate as.
In the IAM & Admin → Service Accounts console, click Create Service Account.
- Service account name:
crewai-secrets-reader - Service account ID: auto-fills from the name (e.g.
crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com) - Description (optional): “Read-only access to Secret Manager for CrewAI Platform”
Click Create and Continue. Skip the optional grants on this screen — you’ll attach the role in Step 2. Click Done.
For full details, see the GCP documentation: Create service accounts.
Step 2 — Grant Secret Manager Access
Section titled “Step 2 — Grant Secret Manager Access”CrewAI Platform needs permission to list and read secrets in your project. Use one of two scopes — project-wide for simplicity, or per-secret for least privilege.
In the IAM console, click Grant Access and:
- New principals: the service account’s email from Step 1.
- Role: Secret Manager Secret Accessor (
roles/secretmanager.secretAccessor).
Click Save.
Or via gcloud:
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \ --member="serviceAccount:crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor"Grant the role only on the specific secrets CrewAI Platform should access. Repeat for each secret:
gcloud secrets add-iam-policy-binding YOUR_SECRET_NAME \ --member="serviceAccount:crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor" \ --project=YOUR_PROJECT_IDOr in the console: open each secret in Secret Manager, click Permissions in the right panel, and grant Secret Manager Secret Accessor to the service account.
Step 3 — Create a Service Account Key
Section titled “Step 3 — Create a Service Account Key”Open the service account from Step 1 in the IAM & Admin → Service Accounts console.
- Click the Keys tab.
- Click Add Key → Create new key.
- Key type: JSON.
- Click Create. The browser downloads a JSON file — keep it secure; it cannot be re-downloaded.
Or via gcloud:
gcloud iam service-accounts keys create ./crewai-secrets-reader.json \ --iam-account=crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.comStep 4 — Add the Credential in CrewAI Platform
Section titled “Step 4 — Add the Credential in CrewAI Platform”In CrewAI Platform, navigate to Settings → Secret Provider Credentials and click Add Credential.
Fill the form:
- Name: A descriptive name, e.g.
gcp-prod. - Provider:
Google Cloud Secret Manager. - Project ID: Your GCP project ID (e.g.
my-crewai-prod). - Service Account JSON: Paste the entire contents of the JSON file you downloaded in Step 3.
- (Optional) Check Set as default credential for this provider. The default credential is used by environment variables that reference GCP secrets without specifying a credential explicitly.
Click Create.
Step 5 — Create at Least One Secret in GCP
Section titled “Step 5 — Create at Least One Secret in GCP”If you don’t already have secrets in GCP Secret Manager, create one now so you can verify the connection in Step 6.
In the Secret Manager console, click Create secret.
- Name: A unique name, e.g.
openai-api-key. - Secret value: Either paste a raw value or upload a file.
- Leave the rotation, replication, and other settings at their defaults unless you have a specific requirement.
Click Create secret.
Or via gcloud:
echo -n "sk-your-actual-key" | gcloud secrets create openai-api-key \ --data-file=- \ --project=YOUR_PROJECT_ID \ --replication-policy=automaticFor full details, see the GCP documentation: Create a secret.
Step 6 — Test the Connection
Section titled “Step 6 — Test the Connection”Back in CrewAI Platform, on the Secret Provider Credentials page, find the credential you just created and click Test Connection.
A success toast confirms that CrewAI Platform can authenticate to GCP and read secrets from your project.
If the test fails, check the most common causes:
| Symptom | Likely cause |
|---|---|
PERMISSION_DENIED on listing secrets | Service account is missing roles/secretmanager.secretAccessor, or you scoped it per-secret (list is not granted). Re-check Step 2. |
PERMISSION_DENIED on secretmanager.secrets.access | Same as above, but for a specific secret. Confirm the service account has accessor role on the secret in question. |
unauthorized_client / invalid_grant | The pasted Service Account JSON is invalid, expired, or for a deleted service account. Re-create the key (Step 3) and re-paste. |
Project ID does not match | The Project ID field in CrewAI Platform doesn’t match the project that owns the service account / secrets. Re-check Step 4. |
API not enabled | Secret Manager API isn’t enabled on the project. See Prerequisites. |
Next Steps
Section titled “Next Steps”Now that GCP is connected, head to Using the Secrets Manager to:
- Grant org members the right permissions to use (or manage) Secrets Manager.
- Reference your GCP secrets from CrewAI Platform environment variables.
If you want rotation-aware secrets that propagate without re-deploying, switch to GCP Workload Identity Federation — same secret store, no static credentials, secrets are fetched per kickoff.