Skip to content

Google Cloud Secret Manager

This guide walks you through configuring Google Cloud Secret Manager as a secret provider for your CrewAI Platform organization, using service account credentials. By the end, CrewAI Platform will be able to read secrets stored in your Google Cloud project and inject them as environment variable values at runtime.

A service account is the GCP-side identity CrewAI Platform will authenticate as.

In the IAM & Admin → Service Accounts console, click Create Service Account.

  • Service account name: crewai-secrets-reader
  • Service account ID: auto-fills from the name (e.g. crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com)
  • Description (optional): “Read-only access to Secret Manager for CrewAI Platform”

Click Create and Continue. Skip the optional grants on this screen — you’ll attach the role in Step 2. Click Done.

For full details, see the GCP documentation: Create service accounts.

CrewAI Platform needs permission to list and read secrets in your project. Use one of two scopes — project-wide for simplicity, or per-secret for least privilege.

Project-wide (simpler)

In the IAM console, click Grant Access and:

  • New principals: the service account’s email from Step 1.
  • Role: Secret Manager Secret Accessor (roles/secretmanager.secretAccessor).

Click Save.

Or via gcloud:

Terminal window
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
Per-secret (least privilege)

Grant the role only on the specific secrets CrewAI Platform should access. Repeat for each secret:

Terminal window
gcloud secrets add-iam-policy-binding YOUR_SECRET_NAME \
--member="serviceAccount:crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor" \
--project=YOUR_PROJECT_ID

Or in the console: open each secret in Secret Manager, click Permissions in the right panel, and grant Secret Manager Secret Accessor to the service account.

Open the service account from Step 1 in the IAM & Admin → Service Accounts console.

  • Click the Keys tab.
  • Click Add KeyCreate new key.
  • Key type: JSON.
  • Click Create. The browser downloads a JSON file — keep it secure; it cannot be re-downloaded.

Or via gcloud:

Terminal window
gcloud iam service-accounts keys create ./crewai-secrets-reader.json \
--iam-account=crewai-secrets-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com

Step 4 — Add the Credential in CrewAI Platform

Section titled “Step 4 — Add the Credential in CrewAI Platform”

In CrewAI Platform, navigate to SettingsSecret Provider Credentials and click Add Credential.

Fill the form:

  • Name: A descriptive name, e.g. gcp-prod.
  • Provider: Google Cloud Secret Manager.
  • Project ID: Your GCP project ID (e.g. my-crewai-prod).
  • Service Account JSON: Paste the entire contents of the JSON file you downloaded in Step 3.
  • (Optional) Check Set as default credential for this provider. The default credential is used by environment variables that reference GCP secrets without specifying a credential explicitly.

Click Create.

Step 5 — Create at Least One Secret in GCP

Section titled “Step 5 — Create at Least One Secret in GCP”

If you don’t already have secrets in GCP Secret Manager, create one now so you can verify the connection in Step 6.

In the Secret Manager console, click Create secret.

  • Name: A unique name, e.g. openai-api-key.
  • Secret value: Either paste a raw value or upload a file.
  • Leave the rotation, replication, and other settings at their defaults unless you have a specific requirement.

Click Create secret.

Or via gcloud:

Terminal window
echo -n "sk-your-actual-key" | gcloud secrets create openai-api-key \
--data-file=- \
--project=YOUR_PROJECT_ID \
--replication-policy=automatic

For full details, see the GCP documentation: Create a secret.

Back in CrewAI Platform, on the Secret Provider Credentials page, find the credential you just created and click Test Connection.

A success toast confirms that CrewAI Platform can authenticate to GCP and read secrets from your project.

If the test fails, check the most common causes:

SymptomLikely cause
PERMISSION_DENIED on listing secretsService account is missing roles/secretmanager.secretAccessor, or you scoped it per-secret (list is not granted). Re-check Step 2.
PERMISSION_DENIED on secretmanager.secrets.accessSame as above, but for a specific secret. Confirm the service account has accessor role on the secret in question.
unauthorized_client / invalid_grantThe pasted Service Account JSON is invalid, expired, or for a deleted service account. Re-create the key (Step 3) and re-paste.
Project ID does not matchThe Project ID field in CrewAI Platform doesn’t match the project that owns the service account / secrets. Re-check Step 4.
API not enabledSecret Manager API isn’t enabled on the project. See Prerequisites.

Now that GCP is connected, head to Using the Secrets Manager to:

  • Grant org members the right permissions to use (or manage) Secrets Manager.
  • Reference your GCP secrets from CrewAI Platform environment variables.

If you want rotation-aware secrets that propagate without re-deploying, switch to GCP Workload Identity Federation — same secret store, no static credentials, secrets are fetched per kickoff.