When I try to login with the api key, it still asks me for my master password.
Is this intended?
I’m trying to create a daily backup script without needing to store my master password somewhere.
Yes, the API key will allow operations on your vault that don’t require the password, but decrypting your vault requires the password.
Which operations are that? Does it allow exporting with only the API keys?
You might not be understanding me correctly, so I’ll try to explain a bit more.
When I try to login trough the CLI using the API keys, I still need to unlock the vault and it seems that my only options are to either use --passwordenv or --passwordfile both of which require me to store my master password.
I’m just wondering if there’s a way to not involve my master password at all?
Only benefit I know using API key is bypassing 2FA from command line.
Normally client_id and client_secret will be enough to automate things with SaaS, but probably Bitwarden encryption solution doesn’t support multiple keys that will open Vault.
Exporting your vault requires your master password. In fact, it seems to be required for both unlocking and exporting. I believe each command (unlock, export) takes a password interactively, so you at least will have to copy and paste (if you store your master password in BW).
As noraisk said, logging in using the API key allows circumventing the 2FA, but any operation involving decrypting/encrypting your vault requires the master password, including export.