Currently all IDs are unique, however when generating/using Secrets Manager in other resources, such as terraform or kubernetes, it’s not always easy to pass a uniquely generated ID between these products.
I’ve repeatedly requested the ability to use the key/secret name, however one issue is that Bitwarden Secrets Manager doesn’t enforce unique key/secret names, so these tools have to work around that limitation, or decline the feature request to use the key name in the first place.
An example where this is mentioned:
opened 01:58PM - 28 Aug 23 UTC
closed 04:04AM - 28 Jun 24 UTC
kind/feature
**Is your feature request related to a problem? Please describe.**
Bitwarden Secrets Manager is currently not supported by external-secrets.
**Describe the solution you'd like**
Bitwarden recently released their Secrets Manager solution, which has better API support and is meant to be used as a secret store to be used programmatically.
https://bitwarden.com/products/secrets-manager/
**Describe alternatives you've considered**
N/A
**Additional context**
Bitwarden SDK: https://github.com/bitwarden/sdk/
The following can be used to authenticate using a service account:
```
curl -X POST https://vault.bitwarden.com/identity/connect/token -H "content-type: application/x-www-form-urlencoded" --data 'scope=api.secrets&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&grant_type=client_credentials'
{"access_token":"<TOKEN>","expires_in":3600,"token_type":"Bearer","scope":"api.secrets","encrypted_payload":"<PAYLOAD>"}
```
The resulting access token can be used to retrieve the server by ID:
```
curl https://vault.bitwarden.com/api/secrets/<SECRET_ID> -H 'Content-Type: application/json' -H "Authorization: Bearer <TOKEN>"
{"id":"<SECRET_ID>","organizationId":"<ORG_ID>","key":"<KEY>","value":"<VALUE>","note":"<NOTE>","creationDate":"2023-08-28T12:32:50.6798356Z","revisionDate":"2023-08-28T12:32:50.6798357Z","projects":[{"id":"<PROJECT_ID>","name":"<PROJECT_NAME>"}],"read":true,"write":false,"object":"secret"}
```
Please note that the returned secret looks encrypted; I still need to figure out how to decrypt it.
However, another option would be to use the `bws secret get <SECRET_ID> -t <SERVICE_ACCOUNT_SECRET>` command, which returns the secret in clear text.
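The ambiguity described at the top of this thread (Secrets Manager permits several secrets with the same key) is what a tool that resolves secrets by name has to handle. The example below is added here and is not code from the post, from external-secrets or from Bitwarden; the secret records are constructed to mirror the fields of the `GET /api/secrets/<SECRET_ID>` response quoted above, and the lookup fails closed instead of silently picking the first duplicate.

```python
"""Resolve a Bitwarden Secrets Manager secret by key, failing closed on duplicates.

Added example, not code from the forum post or from Bitwarden. The records below
are constructed to mirror the fields of the GET /api/secrets/<id> response quoted
in the thread; the lookup logic and error type are this example's own.
"""
import json

# Constructed sample of secrets as a client might list them. Two secrets share the
# key "db-password" in different projects, which Secrets Manager allows and which
# is exactly what makes a reference by name ambiguous.
SAMPLE_SECRETS_JSON = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "key": "db-password",
     "projects": [{"id": "p1", "name": "staging"}]},
    {"id": "22222222-2222-2222-2222-222222222222", "key": "db-password",
     "projects": [{"id": "p2", "name": "production"}]},
    {"id": "33333333-3333-3333-3333-333333333333", "key": "api-token",
     "projects": [{"id": "p2", "name": "production"}]},
])


class AmbiguousSecret(LookupError):
    """More than one secret matches the requested key (within the project scope)."""


def resolve_secret_id(secrets_json, key, project=None):
    """Return the one secret ID whose `key` matches, optionally limited to `project`.

    Raises KeyError when nothing matches and AmbiguousSecret when several do, so a
    tool that accepts secret names never resolves a duplicate to the wrong value.
    """
    matches = []
    for secret in json.loads(secrets_json):
        if secret.get("key") != key:
            continue
        project_names = {p.get("name") for p in secret.get("projects", [])}
        if project is not None and project not in project_names:
            continue
        matches.append(secret["id"])
    if not matches:
        scope = f" in project {project!r}" if project else ""
        raise KeyError(f"no secret with key {key!r}{scope}")
    if len(matches) > 1:
        raise AmbiguousSecret(
            f"{len(matches)} secrets named {key!r}: {', '.join(sorted(matches))}")
    return matches[0]
```

Scoping the name to a project turns an ambiguous reference into a unique one in this sample, but only because the duplicate keys happen to live in different projects; the ID remains the only guaranteed-unique handle.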