Limited Permission API Keys

Feature name

Limited Permission API Keys

Feature function

Our situation is that we wish to have an on-premise script download our Bitwarden Organisation’s audit logs on a schedule, using the API.

The problem is that the Organisation’s API key has far more access than just ‘reading logs’; there’s the ability to manage and delete groups and collections, users, etc.

As a result, we’ve decided not to implement the functionality we wanted with the API, as there is no way to lock down the access available to our single, org-wide API key.

It would be a great win for security if we could generate keys with restricted permissions, adopting a principle of least privilege approach for API keys.


As a means of consolidation: this has been asked here as well: