Feature: API keys with limited scope and permissions [Security by Design]

In our Security by Design setup we’d like to be able to use Bitwarden (CLI, API) in our automation according to least privilege.

One way would be to allow multiple API keys per user (or org?) and be able to give these a limited scope, e.g. only one collection and/or one or more secrets.
As only read-only access is required here, ideally that would be an option too (read-only, read/write, admin, i.e. including create/delete).

E.g. if a system is only allowed to update our monitoring, we could create an API key for that system that can read our monitoring credentials (in a separate collection).

5 Likes
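To make the request concrete, here is an added illustration of the key model being asked for: an API key that carries its own scope (a permission level ordered read < read/write < admin, plus the collections or org-level resources it may touch), with an authorization check that fails closed. This is example code written for this thread, not Bitwarden's API or any part of its code base; the names `Scope`, `Level`, `ApiKey`, `KeyStore` and `authorize`, the action names, and the "monitoring" and "events" targets are all assumptions constructed for the scenario the post describes.

```python
"""
Hypothetical scoped-API-key model (illustration only, not Bitwarden's API).

Each key carries a scope: a permission level (read < read/write < admin) and
the set of collections / org-level resources it may touch. Authorization
fails closed: unknown actions and unlisted targets are denied.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Ordered permission levels; a higher level implies the lower ones."""
    READ = 1
    READ_WRITE = 2
    ADMIN = 3


# Minimum level each action requires (assumed action names).
ACTION_LEVEL = {
    "read": Level.READ,
    "update": Level.READ_WRITE,
    "create": Level.ADMIN,
    "delete": Level.ADMIN,
    "invite_user": Level.ADMIN,
}


@dataclass(frozen=True)
class Scope:
    level: Level
    collections: frozenset = frozenset()  # collection ids the key may touch
    resources: frozenset = frozenset()    # org-level resources, e.g. "events"


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    secret_hash: str   # only a hash of the secret is stored server-side
    owner: str
    scope: Scope


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class KeyStore:
    """Issues scoped keys and authenticates presented credentials."""

    def __init__(self) -> None:
        self._keys: dict[str, ApiKey] = {}

    def issue(self, owner: str, scope: Scope) -> tuple[str, str]:
        """Create a key bound to `scope`; the secret is returned once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKey(key_id, _sha256(secret), owner, scope)
        return key_id, secret

    def authenticate(self, key_id: str, secret: str) -> Optional[ApiKey]:
        key = self._keys.get(key_id)
        if key is None or not hmac.compare_digest(key.secret_hash, _sha256(secret)):
            return None
        return key


def authorize(key: ApiKey, action: str, *, collection: Optional[str] = None,
              resource: Optional[str] = None) -> tuple[bool, str]:
    """Decide whether `key` may perform `action` on one collection or resource."""
    required = ACTION_LEVEL.get(action)
    if required is None:
        return False, f"unknown action {action!r}"
    if key.scope.level < required:
        return False, f"{action} needs {required.name}, key has {key.scope.level.name}"
    if collection is None and resource is None:
        return False, "no target given"
    if collection is not None and collection not in key.scope.collections:
        return False, f"collection {collection!r} outside key scope"
    if resource is not None and resource not in key.scope.resources:
        return False, f"resource {resource!r} outside key scope"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Constructed scenario from the thread: a monitoring host and a SIEM."""
    store = KeyStore()
    mon_id, mon_secret = store.issue(
        "monitoring-host", Scope(Level.READ, collections=frozenset({"monitoring"})))
    siem_id, siem_secret = store.issue(
        "siem", Scope(Level.READ, resources=frozenset({"events"})))
    mon = store.authenticate(mon_id, mon_secret)
    siem = store.authenticate(siem_id, siem_secret)
    assert mon is not None and siem is not None
    return {
        "mon_reads_monitoring": authorize(mon, "read", collection="monitoring")[0],
        "mon_reads_hr": authorize(mon, "read", collection="hr")[0],
        "mon_updates_monitoring": authorize(mon, "update", collection="monitoring")[0],
        "siem_reads_events": authorize(siem, "read", resource="events")[0],
        "siem_invites_user": authorize(siem, "invite_user", resource="events")[0],
        "wrong_secret_rejected": store.authenticate(mon_id, "not-the-secret") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point of the model is that the key for the monitoring host can read only the "monitoring" collection and the SIEM key can read only the event stream; neither can update, create, delete or invite users even if the credential leaks, which is exactly the blast-radius reduction the post is asking for.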

The ability to limit the API to collections, folders, etc. would be wonderful! I’m a bit surprised this doesn’t exist already!

1 Like

Indeed, we would love to have read-only API keys for log ingestion by our SIEM. Hopefully Bitwarden puts this on their roadmap soon.

This is a must for businesses; we can’t have the most privileged API key used where we only need to read logs.

I would upvote but I don’t have any votes yet. We need to be able to monitor the event logs without having to give full access to the org!

1 Like

Any updates here? Did anyone find a workaround to limit the edit/delete access for an API key? We only need to read logs, but it’s not secure to use the organization API key, which can add an admin user, for that.

Adding API keys with limited scope and permissions moves Bitwarden Password Manager into their other product “Secrets Manager”, so I don’t expect Bitwarden to prioritize this any time soon, if ever.

1 Like