docs(secrets-manager): WI env vars now follow deployment assignment

Rewrite the Visibility & Scope section in the Secrets Manager overview
(en/ar/ko/pt-BR) to reflect the per-deployment scoping shipped in
crewAIInc/crewai-plus#3205: WI-backed env vars now resolve only when
explicitly assigned to a deployment, matching the assignment model that
plaintext env vars have always used. Per-kickoff cost is reframed as
proportional to assigned WI-backed variables rather than the entire
organization's WI footprint.

Refs CON-205
This commit is contained in:
Heitor Sammuel Carvalho
2026-05-21 07:51:09 +01:00
parent a882e13305
commit 157f4fcfc6
4 changed files with 8 additions and 28 deletions

View File

@@ -56,14 +56,9 @@ Setting up Secrets Manager is a three-step flow that involves both your cloud pr
## Visibility & Scope
<Warning>
Workload Identity configurations are **organization-wide on each deployment** today — there is no per-automation binding. Two consequences worth knowing before you adopt the Workload Identity path broadly.
</Warning>
WI-backed environment variables follow the same assignment model as plaintext environment variables: an automation resolves only the WI-backed variables explicitly assigned to it. Assign a WI-backed variable to an automation from the Environment Variables page on that automation; variables defined at the organization level or in a Studio project are not resolved at kickoff until you assign them.
- **Every automation kickoff runs the secret-fetch phase**, regardless of whether the automation references any WI-backed environment variable. On every crew, flow, training, test, or checkpoint-restore kickoff, the runtime fetches all WI-backed environment variables configured for the deployment and writes them into the process environment. Cost: a small added latency per kickoff plus one cloud-side audit-log entry per WI-backed environment variable.
- **All automations on the deployment see all WI-resolved environment variables.** You cannot today restrict a specific Workload Identity configuration (or the secrets it resolves) to a specific automation. Treat WI-backed secrets as available to every automation in the organization.
Per-automation scoping is on the roadmap. Until then, plan Workload Identity usage at the organization level, not per workflow — and keep WI-backed environment variables limited to secrets every automation in the organization is allowed to read.
Each kickoff still runs the secret-fetch phase. On every crew, flow, training, test, or checkpoint-restore kickoff, the runtime fetches the WI-backed environment variables assigned to that automation and writes them into the process environment. Cost is proportional to the number of assigned WI-backed variables: a small added latency per kickoff plus one cloud-side audit-log entry per assigned variable.
## Permissions