feat: add Bitwarden Secrets Manager adapter #1186

Open
wants to merge 1 commit into
base: main


@oandalib oandalib commented Nov 2, 2024

Bitwarden Secrets Manager has better access controls for exposing just the secrets needed for my project. It is an ideal alternative to using Bitwarden with my personal account where all of my other logins are also exposed, or creating a secondary Bitwarden account. They offer a free plan on top of your regular Bitwarden account which should be sufficient for most people -> https://bitwarden.com/products/secrets-manager/.

Due to Bitwarden Secrets Manager using a session token, I made the account field in the "fetch secrets" optional.

Docs PR: basecamp/kamal-site#145

@djmb
Collaborator

djmb commented Nov 4, 2024

Thanks for the PR - @oandalib!

I've made a few notes. I think also that we need to add support for projects (https://bitwarden.com/help/secrets-manager-cli/#project).

We could use the --from option to specify the project:

kamal secrets fetch --adapter bitwarden-sm --from <project-id> SECRET1 SECRET2 SECRET3

And also allow:

kamal secrets fetch --adapter bitwarden-sm <project-id1>/SECRET1 <project-id1>/SECRET2 <project-id2>/SECRET3

in case you wanted to fetch from multiple projects.

@oandalib
Author

oandalib commented Nov 5, 2024

Thanks for the comments. That looks useful to add, and I will do so.

Do note that the CLI only supports getting secrets by an ID which is generated by Bitwarden Secrets Manager, and not via secret names.

@oandalib force-pushed the bitwarden-secrets-manager branch from 09cdccf to b3cb114 on November 5, 2024 09:10
@oandalib
Author

oandalib commented Nov 5, 2024

Once secrets are created, they are identified by a UUID. The only time you can pass in a project id (also a UUID) is when doing a list secrets operation for a specific project. I think Bitwarden Secrets Manager does a good job of separating and limiting access to specific secrets through a combination of projects and machine accounts. So I would propose this will be sufficient:

  1. Fetch all secrets that the machine account has access to:
     kamal secrets fetch --adapter bitwarden-sm *
  2. Fetch all secrets from the project specified that the machine account has access to:
     kamal secrets fetch --adapter bitwarden-sm * --from <project-uuid>
  3. Fetch single/multiple items:
     kamal secrets fetch --adapter bitwarden-sm <secret-uuid-1> <secret-uuid-2>

For 3, note that <project-uuid>/<secret-uuid-1> is not supported. As far as the CLI/API is concerned for GET operations, there is no link between projects and secrets.

I can update the documentation ticket once we get closer to merging this. Let me know what you think with the new approach and changes!

@janosrusiczki

@oandalib I'm very much looking forward to this (and I don't think I am the only one). I just wanted to give you a heads up that there's now a conflict.

@oandalib force-pushed the bitwarden-secrets-manager branch 3 times, most recently from a5d3626 to ce647fb on November 23, 2024 03:11
@oandalib
Author

Thanks for the heads up @janosrusiczki!

I resolved the conflict and decided to use the keyword "all" rather than "*" for getting all of the secrets.

Should be ready for you @djmb 😃
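
A sketch of how the three invocation forms proposed in this thread, with the `all` keyword in place of `*`, could map onto `bws` CLI calls. This is an added example, not code from the pull request; `bws_commands`, `UUID_RE`, the sample UUIDs and the rule that `--from` is rejected alongside individual secret UUIDs are assumptions.

```ruby
# Added illustration: hypothetical helper, not the adapter from this PR.
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Translate `kamal secrets fetch` arguments into bws argv arrays.
# Arrays (not shell strings) keep identifiers out of shell parsing, and the
# UUID check rejects anything that is not a plain identifier.
def bws_commands(secrets, from: nil)
  raise ArgumentError, "no secrets requested" if secrets.empty?
  if from && !from.match?(UUID_RE)
    raise ArgumentError, "project id must be a UUID: #{from.inspect}"
  end

  if secrets == ["all"]
    # Forms 1 and 2: list everything the machine account can read,
    # optionally narrowed to one project (`*nil` expands to nothing).
    return [["bws", "secret", "list", *from]]
  end

  # Form 3: individual secrets. GET takes only a secret UUID, so a project
  # id has nothing to attach to here (assumption: treat it as an error).
  raise ArgumentError, "--from only applies to 'all'" if from
  secrets.map do |id|
    if id.include?("/")
      raise ArgumentError, "project/secret form is not supported: #{id.inspect}"
    end
    raise ArgumentError, "secret id must be a UUID: #{id.inspect}" unless id.match?(UUID_RE)
    ["bws", "secret", "get", id]
  end
end

if __FILE__ == $0
  # Constructed sample identifiers, not real Bitwarden objects.
  project = "11111111-2222-3333-4444-555555555555"
  secret  = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  p bws_commands(["all"])
  p bws_commands(["all"], from: project)
  p bws_commands([secret])
end
```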

end

def login(account)
nil
Collaborator

Agh my review was stuck in pending 🙈, sorry!

Can we implement this method so it checks if you are logged in and prompts you to do so if you are not?

Author

All good!

Added.

@oandalib force-pushed the bitwarden-secrets-manager branch from ce647fb to aa9fe4c on December 3, 2024 08:41