Direct secret values (used when externalSecret.enabled: false).
Never commit actual secret values to version control. Use secure secret management practices:
  • Store in separate, gitignored values file
  • Use Helm --set flags from CI/CD secrets
  • Use encrypted secret management (SOPS, sealed-secrets, etc.)
  • Prefer external secret stores for production

Database Secrets

secrets.DB_PASSWORD
string
default:""
Database password.
Required: Yes (for database access)
Security: Use strong, unique passwords. Rotate regularly.

GitHub Integration Secrets

secrets.GITHUB_TOKEN
string
default:""
GitHub personal access token or OAuth token.
Auto-Populated: From Replicated license field
Purpose: Required to pull crewai enterprise repositories.
secrets.GITHUB_CREW_STUDIO_TOKEN
string
default:""
GitHub token for Crew Studio integration.
secrets.GITHUB_CLIENT_SECRET
string
default:""
GitHub OAuth application client secret.
Required For: GitHub OAuth authentication.
secrets.GITHUB_WEBHOOK_SECRET_TOKEN
string
default:""
Secret token for validating GitHub webhook payloads.
Purpose: Ensures webhooks are from GitHub.
secrets.GITHUB_APP_PRIVATE_KEY
string
default:""
Private key for GitHub App authentication.
Format: PEM-encoded RSA private key.

Rails Application Secrets

Do not set RAILS_MASTER_KEY: The chart uses a different Rails configuration approach and does not require RAILS_MASTER_KEY. If you include this in your configuration, you will receive a warning during installation. Remove RAILS_MASTER_KEY from both envVars and secrets sections.
secrets.SECRET_KEY_BASE
string
Rails secret key base for session signing and encryption.
Default: Auto-generated
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
rails secret
Upgrade Behavior: Once generated, the value persists across Helm upgrades to maintain session continuity.
secrets.CREWAI_PLUS_INTERNAL_API_KEY
string
default:""
Internal API key for service-to-service authentication.
secrets.ENCRYPTION_KEY
string
default:""
Application-level encryption key for sensitive data at rest.
Auto-Generation: If not provided, automatically generated and persisted across upgrades via lookup function.
Format: Hexadecimal string (recommended: 64 characters).
Generation:
openssl rand -hex 32

SSL/TLS Secrets

secrets.SSL_PRIVATE_KEY
string
PEM-encoded private key for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Auto-Generation: When web.tls.autoGenerate: true, a self-signed certificate and key are generated and persisted across upgrades.
Manual Provision:
secrets:
  SSL_PRIVATE_KEY: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
secrets.SSL_CERTIFICATE
string
PEM-encoded certificate for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Format: Can include certificate chain (server cert + intermediates).
secrets.CREW_SSL_CERT
string
SSL certificate for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)
secrets.CREW_SSL_KEY
string
SSL private key for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)

AWS Secrets (Optional)

secrets.AWS_ACCESS_KEY_ID
string
default:""
AWS access key ID for S3 and other AWS services.
When Required:
  • STORAGE_SERVICE: amazon with static credentials
  • Not using IAM roles (IRSA)
Production Recommendation: Use IAM roles (IRSA) instead of static credentials.
secrets.AWS_SECRET_ACCESS_KEY
string
default:""
AWS secret access key.

Azure Secrets (Optional)

secrets.AZURE_STORAGE_ACCESS_KEY
string
default:""
Azure Storage account access key.
When Required: STORAGE_SERVICE: microsoft
secrets.AZURE_CLIENT_SECRET
string
default:""
Azure service principal client secret.
secrets.ENTRA_ID_CLIENT_SECRET
string
default:""
Microsoft Entra ID (Azure AD) application client secret.
When Required: AUTH_PROVIDER: entra_id
Setup: Generate in Azure Portal under App Registrations > Certificates & secrets.

Built-in LLM Secrets (Optional)

secrets.BUILT_IN_LLM_API_KEY
string
default:""
API key for built-in LLM provider.
Purpose: Provides authentication for internal LLM calls used by the CrewAI Platform, including:
  • Improving Studio prompts
  • Generating automation descriptions
  • Chatting with flows
  • Other platform AI-assisted features
When Required: When using built-in LLM features (optional)
Provider-Specific Requirements:
OpenAI:
Anthropic:
Related Configuration:
  • Configure envVars.BUILT_IN_LLM_PROVIDER to specify the LLM provider
  • Configure envVars.BUILT_IN_LLM_MODEL to specify the model
Example:
secrets:
  BUILT_IN_LLM_API_KEY: "sk-proj-abc123..."

envVars:
  BUILT_IN_LLM_PROVIDER: "openai"
  BUILT_IN_LLM_MODEL: "gpt-4o-mini"

Python Package Registry

secrets.UV_DEFAULT_INDEX
string
PyPI registry URL for enterprise Python packages.
Default: Auto-generated (in Replicated deployments)
Auto-Generation (Replicated): Automatically built from license credentials:
  • Customer ID from: global.replicated.licenseFields.replicated_customer_id
  • Password from: global.replicated.dockerconfigjson (registry.crewai.com entry)
  • Generated URL format: https://customer_id:password@enterprise-pypi-registry-production.crewai.workers.dev/simple/
Manual Configuration (Non-Replicated):
secrets:
  UV_DEFAULT_INDEX: "https://username:password@enterprise-pypi-registry-production.crewai.workers.dev/simple/"
Requirements:
  • Must use HTTPS protocol
  • Must include authentication credentials in format username:password@host
  • Must end with /simple/ for PyPI compatibility
  • Automatically base64-encoded by the chart
Purpose: Provides access to CrewAI Enterprise Python packages for crew execution and platform functionality.
Validation: The Helm test suite verifies proper URL format and structure.
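A pre-flight check for a manually supplied UV_DEFAULT_INDEX, written here as an added example (it is not the chart's Helm test suite). It enforces the three URL requirements listed above and, because the URL embeds credentials, includes a redaction helper for log output; the function names and the sample host are assumptions.

```shell
#!/bin/sh
# Added example: validate secrets.UV_DEFAULT_INDEX before passing it to Helm.

# Return 0 if the URL meets the documented requirements; otherwise print the
# failed rule to stderr (never the URL itself) and return 1.
check_uv_index() {
  url=$1
  case $url in
    https://*) ;;
    *) echo "UV_DEFAULT_INDEX: must use https://" >&2; return 1 ;;
  esac
  case $url in
    */simple/) ;;
    *) echo "UV_DEFAULT_INDEX: must end with /simple/" >&2; return 1 ;;
  esac
  rest=${url#https://}
  authority=${rest%%/*}            # userinfo@host[:port]
  case $authority in
    *@*) ;;
    *) echo "UV_DEFAULT_INDEX: missing username:password@" >&2; return 1 ;;
  esac
  userinfo=${authority%@*}         # everything before the last '@'
  host=${authority##*@}
  user=${userinfo%%:*}
  case $userinfo in
    *:*) pass=${userinfo#*:} ;;
    *)   pass= ;;
  esac
  if [ -z "$user" ] || [ -z "$pass" ] || [ -z "$host" ]; then
    echo "UV_DEFAULT_INDEX: need username:password@host" >&2
    return 1
  fi
  return 0
}

# Print the URL with the credentials masked, for CI logs and error reports.
redact_uv_index() {
  url=$1
  rest=${url#https://}
  authority=${rest%%/*}
  path=${rest#"$authority"}
  printf 'https://***:***@%s%s\n' "${authority##*@}" "$path"
}

# Usage with a constructed URL (registry.example.test is a placeholder host):
#   check_uv_index "$UV_DEFAULT_INDEX" && redact_uv_index "$UV_DEFAULT_INDEX"
```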

Authentication Provider Secrets

Most authentication provider configuration values have moved to envVars (non-sensitive). Only the client secret remains in secrets for Entra ID authentication.
For complete authentication setup, see the Environment Variables Authentication Configuration section.

Built-in Integrations Secrets

OAuth secrets are used when oauth.enabled: true. These secrets enable secure communication between the Built-in Integrations service and the Rails application for third-party integrations (Gmail, Google Calendar, Microsoft Outlook, etc.).
Secret key for signing OAuth session cookies.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Secures OAuth flow session data.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
secrets.OAUTH_DB_ENCRYPTION_KEY
string
default:""
Encryption key for OAuth tokens stored in the database.
Auto-Generation: If not provided, automatically generated as a 64-character hexadecimal string and persisted across upgrades.
Format: Hexadecimal string (64 characters).
Purpose: Encrypts sensitive OAuth tokens (access tokens, refresh tokens) at rest.
Manual Generation:
openssl rand -hex 32
secrets.OAUTH_INTERNAL_API_KEY
string
default:""
Internal API key for authentication between the Built-in Integrations service and Rails application.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades.
Important: This value is automatically duplicated as CREWAI_OAUTH_API_KEY for the Rails application. Both keys will always have the same value.
Purpose: Enables secure service-to-service communication for OAuth operations.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
Note: When set manually, both OAUTH_INTERNAL_API_KEY (used by Built-in Integrations service) and CREWAI_OAUTH_API_KEY (used by Rails) will use this value automatically.
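For manually generated ENCRYPTION_KEY, OAUTH_DB_ENCRYPTION_KEY and OAUTH_INTERNAL_API_KEY, the added example below (not part of the chart) wraps the generation commands from this page, checks the documented formats, and writes the result to an owner-only values file meant to be gitignored. The function names and the values-secrets.yaml file name are assumptions, and ENCRYPTION_KEY is held to the recommended 64 characters.

```shell
#!/bin/sh
# Added example: generate chart secrets into a values file kept out of git.

gen_hex_key() { openssl rand -hex 32; }                   # 64 hex characters
gen_api_key() { openssl rand -base64 64 | tr -d '\n'; }   # one line, no wrap

# Return 0 if $1 is exactly 64 hexadecimal characters.
is_hex64() {
  [ "${#1}" -eq 64 ] || return 1
  case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

# write_secret_values FILE ENCRYPTION_KEY OAUTH_DB_ENCRYPTION_KEY OAUTH_INTERNAL_API_KEY
write_secret_values() {
  file=$1 enc=$2 oauth_db=$3 api=$4
  is_hex64 "$enc" ||
    { echo "ENCRYPTION_KEY: expected 64 hex characters" >&2; return 1; }
  is_hex64 "$oauth_db" ||
    { echo "OAUTH_DB_ENCRYPTION_KEY: expected 64 hex characters" >&2; return 1; }
  # Accept only the base64 alphabet: rejects empty values, embedded newlines
  # from wrapped openssl output, and characters that would break YAML quoting.
  case $api in
    ''|*[!A-Za-z0-9+/=]*)
      echo "OAUTH_INTERNAL_API_KEY: empty or not single-line base64" >&2
      return 1 ;;
  esac
  (
    umask 077          # new file is created 0600 (owner read/write only)
    rm -f "$file"      # never reuse a file with looser permissions
    cat > "$file" <<EOF
secrets:
  ENCRYPTION_KEY: "$enc"
  OAUTH_DB_ENCRYPTION_KEY: "$oauth_db"
  OAUTH_INTERNAL_API_KEY: "$api"
EOF
  )
}

# Usage, from the repository root:
#   write_secret_values values-secrets.yaml \
#     "$(gen_hex_key)" "$(gen_hex_key)" "$(gen_api_key)"
#   grep -qxF values-secrets.yaml .gitignore || echo values-secrets.yaml >> .gitignore
```

Pass the resulting file to Helm as an additional `-f` values file alongside your non-secret values.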

OAuth Provider Secrets

OAuth provider secrets are optional and only required if you want to enable specific OAuth integrations. Each provider requires a client ID and client secret obtained from the provider’s developer console.
Configuration: OAuth provider credentials are configured via oauth.secrets.* values in your Helm values file, which support provider-level defaults and product-specific overrides. See the CrewAI Built-in Integrations Reference - OAuth Secrets Configuration for detailed configuration examples.
For example, to configure Google OAuth for all Google products:
oauth:
  secrets:
    google:
      clientId: "123456789-abcdefg.apps.googleusercontent.com"
      clientSecret: "GOCSPX-abc123..."
The secrets documented below are the Kubernetes secret keys that are automatically generated from your oauth.secrets.* configuration.
Google OAuth Providers:
secrets.GOOGLE_GMAIL_CLIENT_ID
string
default:""
Google OAuth client ID for Gmail integration.
secrets.GOOGLE_GMAIL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Gmail integration.
secrets.GOOGLE_CAL_CLIENT_ID
string
default:""
Google OAuth client ID for Google Calendar integration.
secrets.GOOGLE_CAL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Calendar integration.
secrets.GOOGLE_DRIVE_CLIENT_ID
string
default:""
Google OAuth client ID for Google Drive integration.
secrets.GOOGLE_DRIVE_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Drive integration.
secrets.GOOGLE_CONTACTS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Contacts integration.
secrets.GOOGLE_CONTACTS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Contacts integration.
secrets.GOOGLE_SHEETS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Sheets integration.
secrets.GOOGLE_SHEETS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Sheets integration.
secrets.GOOGLE_SLIDES_CLIENT_ID
string
default:""
Google OAuth client ID for Google Slides integration.
secrets.GOOGLE_SLIDES_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Slides integration.
secrets.GOOGLE_DOCS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Docs integration.
secrets.GOOGLE_DOCS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Docs integration.
Microsoft OAuth Providers:
secrets.MICROSOFT_OUTLOOK_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Outlook integration.
secrets.MICROSOFT_OUTLOOK_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Outlook integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_ID
string
default:""
Microsoft OAuth client ID for OneDrive integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for OneDrive integration.
secrets.MICROSOFT_TEAMS_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Teams integration.
secrets.MICROSOFT_TEAMS_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Teams integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_ID
string
default:""
Microsoft OAuth client ID for SharePoint integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for SharePoint integration.
secrets.MICROSOFT_EXCEL_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Excel integration.
secrets.MICROSOFT_EXCEL_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Excel integration.
secrets.MICROSOFT_WORD_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Word integration.
secrets.MICROSOFT_WORD_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Word integration.
Other OAuth Providers:
secrets.HUBSPOT_CLIENT_ID
string
default:""
HubSpot OAuth client ID.
secrets.HUBSPOT_CLIENT_SECRET
string
default:""
HubSpot OAuth client secret.
secrets.NOTION_CLIENT_ID
string
default:""
Notion OAuth client ID.
secrets.NOTION_CLIENT_SECRET
string
default:""
Notion OAuth client secret.