API call for creating collections
Use case: we have a git repo used to track and peer-review changes made to corporate collections (mainly adding new ones and changing access based on group policy). For now, we are locally leveraging the CLI app to create new collections (70+ users and soon nearly 150+; believe me, automation is much needed), with the help of a custom Docker tool for parsing the repo. A properly automated process would instead trigger a Jenkins job in charge of syncing the actual collections with the desired state described in the git repo. However, this is currently not possible due to the need for a personal admin account to unlock the vault with the CLI.
The REST API currently has almost everything needed to properly automate such a use case, but a single call is missing: the ability to create collections. There are already methods for editing existing collections (PUT, e.g. allowing a new group to access the collection) and deleting them (DELETE, e.g. removing a collection after the corresponding project has ended). Having a POST method for creating collections without the need for a personal admin account would allow new collections to be created as described in the reference (in our use case, a git repo with a YAML representation and a custom parsing tool).
From a security standpoint, creating a collection is not a sensitive operation, as newly created collections are empty and it is up to users to share encrypted content in them. Moreover, there is already a collection editing method, which can be used maliciously if the automation system is compromised (e.g. silently giving access to an unauthorized user/group). So adding a POST method will not lower the existing security level. It might actually even raise the overall safety by avoiding the need for admins to store their own credentials on automation components.
Related topics + references
- The main feature request related to CRUD operations through API is here : Bitwarden REST API for automated secrets management on self-hosted server - #18 by Yonggan
However, it is not really relevant anymore, due to the present-day, well-documented API. This topic is also less specific than this new one, because I'm focusing on non-encrypted content while some of the comments in the original post were asking to manipulate encrypted secrets through the API.
- I also saw a few community comments saying that it's possible to browse through the CLI code in order to learn how to create collections without the official API being leveraged. I had a quick glance at it, and I feel it might be possible, but I believe we shouldn't have to fiddle around with unsupported practices in order to do such basic management operations. I think providing a complete CRUD model for unencrypted data, easing large-team management, is consistent with the rest of Bitwarden's vision on overall password management and security: having a modern, reliable and integrated way of managing sensitive access control data.
Thanks for reading, feel free to correct me if I'm wrong or provide resources that I might have missed while preparing this feature request.
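The desired-state sync the post describes, as an added example (not code from the post's author or from Bitwarden): a planner that compares the git-repo representation of collections with what the organization actually has and emits the PUT and DELETE calls the public API already offers, flagging the creations that have no API call today. The endpoint paths, the JSON shapes of the group and collection objects, the PUT body, and the sample data are all assumptions made for this example; the "YAML" is shown already parsed into a dict so the block runs with the standard library only.

```python
"""Plan the API calls needed to bring actual collections in line with the
desired state kept in git. Added example; endpoint paths and object shapes
are assumptions, not taken from Bitwarden's documentation."""

# Constructed sample of what a GET /public/groups listing might return
# (shape assumed; only "id" and "externalId" are used here).
ACTUAL_GROUPS = [
    {"id": "g-111", "externalId": "team-platform"},
    {"id": "g-222", "externalId": "team-payments"},
    {"id": "g-333", "externalId": "contractors"},
]

# Constructed sample of what a GET /public/collections listing might return
# (shape assumed: one group grant per entry, with a readOnly flag).
ACTUAL_COLLECTIONS = [
    {"id": "c-aaa", "externalId": "proj-alpha",
     "groups": [{"id": "g-111", "readOnly": False}]},
    {"id": "c-bbb", "externalId": "proj-legacy",
     "groups": [{"id": "g-222", "readOnly": True}]},
]

# Constructed desired state: the YAML from the git repo, already parsed.
# Keys are collection externalIds, values map group externalId -> "rw"/"ro".
DESIRED = {
    "proj-alpha": {"team-platform": "rw", "team-payments": "ro"},  # new grant
    "proj-beta": {"team-payments": "rw"},                          # new collection
    # "proj-legacy" is absent: the project ended, so the collection goes away.
}

NO_CREATE_REASON = "no POST /public/collections in the API; must be created via the CLI"


def _grant_key(grant):
    return grant["id"]


def plan_sync(desired, actual_collections, actual_groups):
    """Return an ordered list of actions. Each action is a dict with a
    "method" of "PUT", "DELETE" or None (None = the API cannot do it)."""
    group_id = {g["externalId"]: g["id"] for g in actual_groups}
    by_ext = {c["externalId"]: c for c in actual_collections}
    actions = []

    for ext_id, grants in sorted(desired.items()):
        # Fail closed on typos: an unknown group name must never silently
        # drop a grant or, worse, be matched to the wrong group.
        unknown = sorted(set(grants) - set(group_id))
        if unknown:
            raise ValueError(f"{ext_id}: unknown groups {unknown}")
        bad_modes = {g: m for g, m in grants.items() if m not in ("rw", "ro")}
        if bad_modes:
            raise ValueError(f"{ext_id}: invalid access modes {bad_modes}")

        wanted = sorted(
            ({"id": group_id[g], "readOnly": mode == "ro"} for g, mode in grants.items()),
            key=_grant_key,
        )
        current = by_ext.get(ext_id)
        if current is None:
            # The gap the post is about: the planner can only report it.
            actions.append({"method": None, "externalId": ext_id,
                            "groups": wanted, "reason": NO_CREATE_REASON})
            continue

        have = sorted(
            ({"id": g["id"], "readOnly": g["readOnly"]} for g in current["groups"]),
            key=_grant_key,
        )
        if have != wanted:  # idempotent: no PUT when access already matches
            actions.append({"method": "PUT",
                            "path": f"/public/collections/{current['id']}",
                            "body": {"externalId": ext_id, "groups": wanted}})

    for ext_id, coll in sorted(by_ext.items()):
        if ext_id not in desired:
            actions.append({"method": "DELETE",
                            "path": f"/public/collections/{coll['id']}"})
    return actions


if __name__ == "__main__":
    import json
    print(json.dumps(plan_sync(DESIRED, ACTUAL_COLLECTIONS, ACTUAL_GROUPS), indent=2))
```

The planner is deliberately a dry run that produces a reviewable plan rather than calling the API itself: the Jenkins job would apply the PUT and DELETE entries with the organization's API credentials, and any entry with `"method": None` is exactly the step that today still needs a human with an admin account at the CLI.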