Secrets ManagerGet Started

Developer Quick Start

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale. The Secrets Manager CLI is your primary vehicle for injecting secrets into your applications and infrastructure through an authenticated service account.

In this article, we'll demonstrate use of the Secrets Manager CLI by looking at a few ways to retrieve database credentials stored in your vault to be injected at container runtime for a Bitwarden Unified Docker image.

If you haven't already gone through the Secrets Manager Quick Start article, we recommend doing so before reading on.

Basic tutorial

In this most simple example, you'll retrieve database credentials stored in your vault and store them as temporary environment variables on a Linux system. Once stored, you'll inject them at runtime inside a docker run command. To do this, you'll need to have installed:

Authenticate

The Secrets Manager CLI can be logged in to using an access token generated for a particular service account. This means that only secrets and projects which the service account has access to may be interacted with using the CLI (learn more about service account permissions). There are a number of ways to authenticate a CLI session, but for the simplest option do so by saving an environment variable BWS_ACCESS_TOKEN with the value of your access token, for example:

Bash
export BWS_ACCESS_TOKEN=0.48c78342-1635-48a6-accd-afbe01336365.C0tMmQqHnAp1h0gL8bngprlPOYutt0:B3h5D+YgLvFiQhWkIq6Bow==

Retrieve the secret

Next, use the following command to retrieve your database username and store it as a temporary environment variable. In this example, fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff represents the specific identifier for the database username secret:

Bash
export SECRET_1=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff | jq '.value')

This command will save the value of your secret to a temporary environment variable, which will be cleared on system reboot, user logout, or in any new shell. Now, run the same command for the database password:

Bash
export SECRET_2=$(bws secret get 80b55c29-5cc8-42eb-a898-acfd01232bbb | jq '.value')

Inject the secret

Now that your database credentials are saved as temporary environment variables, they can be injected inside a docker run command. In this example, we've omitted many of variables required by Bitwarden Unified to emphasize the injected secrets:

Bash
docker run -d --name bitwarden .... -env BW_DB_USERNAME=$SECRET_1 BW_BD_PASSWORD=$SECRET_2 .... bitwarden/self-host:beta

When this command is run, your Docker container will start up and inject your database credentials from the temporarily stored environment variables, allowing you to securely spin up Bitwarden Unified without passing sensitive values as plaintext.

Advanced tutorial

In this example, you'll use the Secrets Manager CLI in your Docker image to inject database credentials stored in your vault at runtime. You'll accomplish this by manipulating your Dockerfile to install the CLI on the image, instead of on the host, and to retrieve the database credentials at container runtime. You'll then prepare your environment variables file for injection and string it all together by running a container.

Setup your Dockerfile

To install the Secrets Manager CLI in your Docker image, you'll need to add the following to your Dockerfile:

Bash
RUN curl -O https://github.com/bitwarden/sdk/releases/download/bws-v0.2.1/bws-x86_64-unknown-linux-gnu-0.2.1.zip && unzip bws-x86_64-unknown-linux-gnu-0.2.1.zip && export PATH=/this/directory:$PATH

Next, you'll need to construct RUN statements to retrieve each credential in order to make them available for injection. These statements will include inline authentication, however this isn't the only method you'd be able to implement:

Bash
RUN SECRET_1=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff --access-token $BWS_ACCESS_TOKEN | jq '.value')
Bash
RUN SECRET_2=$(bws secret get 80b55c29-5cc8-42eb-a898-acfd01232bbb --access-token $BWS_ACCESS_TOKEN | jq '.value')

These RUN statements will prompt your Dockerfile to retrieve the indicated secrets, where fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff represents the secret's specific identifier.

Prepare your env file

Now that your database credentials will be made available for injection, condition your settings.env file to be able to receive these values. To do this, replace relevant hardcoded values in the file with the designated variable names (in this case, SECRET_1 and SECRET_2):

Bash
# Database # Available providers are sqlserver, postgresql, mysql/mariadb, or sqlite BW_DB_PROVIDER=mysql BW_DB_SERVER=db BW_DB_DATABASE=bitwarden_vault BW_DB_USERNAME=$SECRET_1 BW_DB_PASSWORD=$SECRET_2

Run the container

Now that your database credentials are primed and ready for injection, start up your container and specify the access token to use with bws login as an environment variable:

Bash
docker run -e BWS_ACCESS_TOKEN=<your-access-token> docker-unified

When this command is run, your Docker container will start up and inject your database credentials from the values retrieved by the container, allowing you to securely spin up Bitwarden Unified without passing sensitive values as plaintext.

Make a suggestion to this page

Contact Our Support Team

For technical, billing, and product questions.

Name*
Bitwarden account email*
Verify account email*
Product*
Are you self-hosting?*
Subject*
Message...*

Cloud Status

Check status

© 2024 Bitwarden, Inc.TermsPrivacySitemap
This site is available in English.
Go to EnglishStay Here