Secrets Manager Overview
Overview
Section titled “Overview”The Secrets Manager feature lets your organization connect an external secret store — AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault — and reference those secrets directly from environment variables on your automations and crews. Instead of pasting plaintext values into the platform, you store one set of credentials per provider and refer to secrets by name.
This gives you:
- Centralized storage — manage secrets in your provider rather than editing CrewAI Platform configuration. CrewAI Platform keeps no plaintext copy of the secret value.
- Reduced exposure — sensitive values never live in plaintext in your CrewAI Platform configuration.
- Cloud-native auditability — your provider’s audit log records every secret read.
Two Paths: Static Credentials vs Workload Identity
Section titled “Two Paths: Static Credentials vs Workload Identity”There are two ways to wire CrewAI Platform up to your cloud’s secret store. They differ significantly in rotation behavior, so choose based on how often your secrets rotate and how strict your security posture is.
| Aspect | Static Credentials | Workload Identity (OIDC Federation) |
|---|---|---|
| Authentication | Long-lived access keys / service account JSON stored in CrewAI Platform | Short-lived tokens minted per worker process; no static credentials stored anywhere |
| Rotation propagation | Resolved at deploy time and baked into the deployment’s container image — rotated values require a re-deploy | Resolved at automation execution time — rotated values propagate to the next kickoff with no re-deploy |
| Setup effort | Lower — paste keys / upload service account JSON | Higher — register CrewAI Platform as an OIDC provider in your cloud, configure trust policies |
| Best for | Getting started, infrequently-rotated secrets, single-account deployments | Production, frequently-rotated secrets, compliance-driven environments that prohibit long-lived credentials |
Choose your setup guide
Section titled “Choose your setup guide”| Provider | Static Credentials | Workload Identity |
|---|---|---|
| AWS Secrets Manager | AWS — static keys / AssumeRole | AWS — Workload Identity (OIDC) |
| Google Cloud Secret Manager | GCP — service account key | GCP — Workload Identity Federation |
| Azure Key Vault | Azure — client secret | Azure — Workload Identity Federation |
How It Fits Together
Section titled “How It Fits Together”Setting up Secrets Manager is a three-step flow that involves both your cloud provider and CrewAI Platform:
- An admin configures a provider credential. This is the cloud-side work — and the work differs depending on which path (static credentials or Workload Identity) you choose. Provider-specific guides cover this end to end.
- An admin (or a permitted member) references a secret in an environment variable. From the Environment Variables page, the user picks a provider credential and selects the secret name. See Using the Secrets Manager.
- The automation receives the resolved value at runtime. When a crew or automation runs, CrewAI Platform fetches the secret from your provider and injects it as the environment variable’s value. With Workload Identity, this fetch happens on every kickoff (rotation-aware). With static credentials, this fetch happens at deploy time and the value is baked into the deployment image.
Visibility & Scope
Section titled “Visibility & Scope”Permissions
Section titled “Permissions”Two CrewAI Platform features control access to Secrets Manager:
secret_providers— controls who can view or manage provider credentials.environment_variables— controls who can create and edit environment variables (including those that reference secrets).
A third feature controls Workload Identity setup:
workload_identity_configs— controls who can view or manage Workload Identity configurations. Required only if you’re using the Workload Identity path.
Owners always have full access. Members do not receive access to secret_providers or workload_identity_configs by default and must be granted permission via a custom role. See Permissions (RBAC) for the full matrix and step-by-step instructions.
Next Steps
Section titled “Next Steps”Pick your path:
- Static credentials (simpler, requires re-deploy on rotation):
- Workload Identity (rotation-aware, no re-deploy):
- Then: Use secrets in environment variables and manage permissions