Bitwarden Secrets Manager
Bitwarden Secrets Manager is an add-on service from Bitwarden, sold alongside their regular password management service for a $10 per year license. With Secrets Manager you store secrets in your organization's vault and read them back through a service account's access token, either with the bws command line tool or with the SDK packages.
I am migrating in-code secrets to this kind of service and thought it would be a good idea to try the Bitwarden.SDK NuGet package first. I had to enable prerelease (alpha) packages in Visual Studio 2022 before the package showed up, but once I had it I installed it into my existing .NET 6.0 project and coded against it. The goal was to remove a secret from the code, move it into Secrets Manager, and have the SDK fetch it into a variable at runtime for the code to use.
On my local machine it worked fine under the debugger. I then packaged the application in a Docker container based on the ASP.NET Core image from the Microsoft Artifact Registry (mcr.microsoft.com/dotnet/aspnet).
When I deployed that image the secret lookup stopped working. I added logging to see what was going on and found that, although the NuGet package was installed, it needed a native C library that was not present in this ASP.NET image.
At this point I had a choice: either patch the Microsoft ASP.NET image with the missing library and publish it to my own registry, or have the application call the Secrets Manager CLI (bws) in the background.
I went with the latter, expecting it to be the easier implementation, but ran into a problem there too. A bash script that downloaded the bws binary and placed it in the /bin folder did not work, and when I copied the file in by hand during testing, bws reported that it required glibc, which is also missing from this ASP.NET image.
In the end I built my own Ubuntu 22.04 LTS based image, downloaded and installed bws into it along with other tools that may be needed to maintain this utility, and installed the .NET 6.0 SDK on it as well.
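The image build described above, written out as an added example rather than the author's published bwsubuntu image: an Ubuntu 22.04 base (which ships glibc), the bws CLI pinned to a version and a checksum, and the .NET 6.0 SDK from Ubuntu's own package repository. The release URL pattern, the archive containing a single file named bws, and the BWS_VERSION/BWS_SHA256 build arguments are this example's assumptions; confirm the artifact name against the bws release page before building.

```dockerfile
# Added example: Ubuntu 22.04 base with glibc, the bws CLI and the .NET 6.0 SDK.
# BWS_VERSION and BWS_SHA256 (sha256 of the zip, recorded once from a trusted
# download) must both be passed with --build-arg so the binary is pinned.
FROM ubuntu:22.04

ARG BWS_VERSION
ARG BWS_SHA256
# Assumed release URL pattern; check it against the bws release page.
ARG BWS_URL=https://github.com/bitwarden/sdk-sm/releases/download/bws-v${BWS_VERSION}/bws-x86_64-unknown-linux-gnu-${BWS_VERSION}.zip

# ca-certificates is needed for the HTTPS download; dotnet-sdk-6.0 comes from
# Ubuntu's universe repository on 22.04.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      ca-certificates curl unzip dotnet-sdk-6.0 \
 && rm -rf /var/lib/apt/lists/*

# Download, verify the pinned hash, install, then run `bws --version`: the
# build fails right here if the binary cannot find the libc it was built against.
RUN curl -fsSL -o /tmp/bws.zip "${BWS_URL}" \
 && echo "${BWS_SHA256}  /tmp/bws.zip" | sha256sum -c - \
 && unzip -o /tmp/bws.zip bws -d /usr/local/bin \
 && chmod 0755 /usr/local/bin/bws \
 && rm -f /tmp/bws.zip \
 && bws --version

# Run unprivileged. The access token is supplied at run time through the
# BWS_ACCESS_TOKEN environment variable that bws reads; never bake it into a layer.
RUN useradd --system --create-home --shell /usr/sbin/nologin bws
USER bws
WORKDIR /home/bws
```

Build it with `docker build --build-arg BWS_VERSION=<version> --build-arg BWS_SHA256=<hash> .`; the checksum step is what turns "download the latest binary" into a reproducible, reviewable dependency.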
I was then able to deploy my solution as its own API that my other servers can call to fetch secrets. This essentially extends the capability of the command line tool from one machine to many. I can now add secrets in Bitwarden Secrets Manager under my organization ID and read them from any of my other services. I can also extend this to other customers by deploying the service into their environment and passing three values as environment variables in the docker-compose file (or Portainer, in my case): an API token for authenticating to the BWS Extended API, the access token for the Secrets Manager vault, and the organization ID to pull the information from. Note that whoever holds the extension API token can read every secret the access token can, so the service belongs on an internal network behind TLS, and that token needs to be handled like any other credential.
At that point, the other services that call this new API just set the API token in their own Docker environment variables and then ask in code for whichever secret they need.
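The broker pattern just described, as an added example that is not the BWS API Extension code from the GitLab repository below. It is a small read-only HTTP service that checks a caller-facing bearer token in constant time, accepts only a UUID as the secret ID so nothing that looks like a command-line option can reach the CLI, and shells out (without a shell) to `bws secret get <id>`, which reads its own access token from the BWS_ACCESS_TOKEN environment variable. The route name, the BWS_API_TOKEN variable name, and the exact JSON fields bws prints (it is assumed to include "key" and "value") are assumptions; the sample bws output embedded below is constructed so the request logic can be exercised offline.

```python
"""Read-only secrets broker in front of the bws CLI (added example).

Assumptions: bws is on PATH and reads its machine-account token from
BWS_ACCESS_TOKEN; `bws secret get <id>` prints one JSON object with "key" and
"value" fields; the caller-facing token is in BWS_API_TOKEN and the route is
GET /secret/<uuid>. The last two names are this example's choice.
"""
import hmac
import json
import os
import subprocess
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional, Tuple

API_TOKEN_ENV = "BWS_API_TOKEN"            # assumed name for the caller-facing token
BWS_ACCESS_TOKEN_ENV = "BWS_ACCESS_TOKEN"  # the variable the bws CLI itself reads

# A fetcher maps a secret id to the raw JSON bws printed, or None on failure.
Fetcher = Callable[[str], Optional[str]]

# Constructed sample of `bws secret get` output, for offline use only.
SAMPLE_SECRET_ID = "3f2c5b62-1a4e-4d8b-9c0a-7e1f2a3b4c5d"
SAMPLE_BWS_OUTPUT = json.dumps({
    "id": SAMPLE_SECRET_ID,
    "organizationId": "0b9d2b4e-6c1a-4b3e-8f2d-1a2b3c4d5e6f",
    "projectId": "9a8b7c6d-5e4f-4a3b-2c1d-0e9f8a7b6c5d",
    "key": "DB_PASSWORD",
    "value": "correct horse battery staple",
    "creationDate": "2024-01-01T00:00:00.000Z",
    "revisionDate": "2024-01-01T00:00:00.000Z",
})


def bws_cli_fetcher(secret_id: str) -> Optional[str]:
    """Run `bws secret get <id>` as an argv list (no shell); token comes from env."""
    proc = subprocess.run(["bws", "secret", "get", secret_id],
                          capture_output=True, text=True, check=False)
    # stderr holds the failure reason; it is not echoed back to the caller.
    return proc.stdout if proc.returncode == 0 else None


def parse_bws_secret(raw_json: str) -> Tuple[str, str]:
    """Return (key, value) from the JSON object bws prints for one secret."""
    obj = json.loads(raw_json)
    return obj["key"], obj["value"]


def authorized(auth_header: Optional[str], expected_token: str) -> bool:
    """Bearer-token check in constant time, so response timing cannot leak it."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def handle_get_secret(path: str, auth_header: Optional[str],
                      api_token: str, fetch: Fetcher) -> Tuple[int, dict]:
    """Request logic kept free of socket code so it can be tested offline."""
    if not authorized(auth_header, api_token):
        return 401, {"error": "unauthorized"}
    prefix = "/secret/"
    if not path.startswith(prefix):
        return 404, {"error": "not found"}
    secret_id = path[len(prefix):]
    # Only a well-formed UUID may reach bws: this rejects "--flags" and any
    # other text that the CLI could interpret as an option.
    try:
        uuid.UUID(secret_id)
    except ValueError:
        return 400, {"error": "secret id must be a UUID"}
    raw = fetch(secret_id)
    if raw is None:
        return 404, {"error": "secret not found"}
    key, value = parse_bws_secret(raw)
    return 200, {"id": secret_id, "key": key, "value": value}


class BrokerHandler(BaseHTTPRequestHandler):
    api_token = ""                     # set by main() from the environment
    fetch = staticmethod(bws_cli_fetcher)

    def do_GET(self):
        status, body = handle_get_secret(
            self.path, self.headers.get("Authorization"), self.api_token, self.fetch)
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # secret values must not be cached
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # default logging writes every request line; keep secret ids out of logs


def main() -> None:
    if API_TOKEN_ENV not in os.environ or BWS_ACCESS_TOKEN_ENV not in os.environ:
        raise SystemExit(f"set {API_TOKEN_ENV} and {BWS_ACCESS_TOKEN_ENV}")
    BrokerHandler.api_token = os.environ[API_TOKEN_ENV]
    # Plain HTTP on purpose: terminate TLS in a reverse proxy in front of this.
    HTTPServer(("0.0.0.0", 8080), BrokerHandler).serve_forever()


if __name__ == "__main__":
    main()
```

A caller then sends `GET /secret/<uuid>` with `Authorization: Bearer <BWS_API_TOKEN>` and receives the key and value as JSON. Keeping the request logic in `handle_get_secret` with an injectable fetcher is what makes the auth and input-validation paths testable without a live vault.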
This is a summary for now, but I will be adding a more technical write-up below with the image locations, how it all fits together, and how it can be used, for anyone who is interested or in case I need this information in the future.
API service base image location: https://registry.gitlab.com/spxxn-bws/bws-api-extension/bwsubuntu
API service image location: https://registry.gitlab.com/spxxn-bws/bws-api-extension/bwsapiextension
API service code location: Files · master · spxxn-bws / BWS API Extension · GitLab
My plan is to extend this for more enterprise use in the future. Currently only one API token, one organization ID, and one BWS access token are supported. It is a very simple program that is only used to read secret information; it cannot add secrets, edit existing secrets, or delete secrets.