
Walkthrough: Bitwarden’s New Secrets Manager

Here is how to set up and run Bitwarden's Secrets Manager, software to create and manage security tokens, just released as a beta.
Apr 15th, 2023 9:00am

It was only a matter of time before a popular password manager, such as Bitwarden, would create a secrets manager, an application to create and store security tokens so they don’t have to be hard-coded into the application itself. It makes sense, especially given that Bitwarden is open source and the folks behind it seem to understand the growing need for managing secrets in cloud native and container technology.

And that’s what they’ve done: created the ideal password manager for teams that work with things like containerized and cloud native deployments. I will warn you, however, that the workflow of the Secrets Manager is a bit confusing at first. But once you understand how it works, you’ll be using it like a champ.

Although this new Secrets Manager will be a separate product from the company’s flagship Password Manager, the combination of the two gives Bitwarden a leg up over most of the competition. As of this moment, pricing is TBD for the Secrets Manager, as it is still in beta.

How the Bitwarden Secrets Manager Works

First off, you must have a valid Bitwarden account that includes organizations. For that, you’ll probably want one of the Teams accounts (otherwise, you are limited in the number of organizations and/or members you add).

Enable the Beta

The first thing you must do is enable the beta. To do that, log into your Bitwarden Web Vault. Click the Organizations tab and then click Billing > Subscription. You should see a checkmark for Enable Secrets Manager Beta (Figure 1).

Figure 1: Enabling the beta for the Bitwarden Secrets Manager.

Accessing the Secrets Manager

Once the Secrets beta has been enabled, click on the icon to the left of the profile drop-down near the upper right corner and select Secrets Manager Beta (Figure 2).

Figure 2: Accessing the Bitwarden Secrets Manager from the Product Switcher.

You should now find yourself on the main Bitwarden Secrets Manager page (Figure 3).

Figure 3: The Bitwarden Secrets Manager main page.

Create a Service Account

The next step is to create a service account that will hold something like an API token. To do that, click Service Accounts in the left navigation. On the resulting page (Figure 4), click New Service Account.

Figure 4: Once you’ve created your first Service Account, you will create the next account from the New drop-down in the upper right corner.

In the resulting popup (Figure 5), give the new Service Account a name and click Save.

Figure 5: Naming your Service Account.

You will then be directed back to the Service Account page, where your new entry is listed. Click the name of that new entry and you can then add Projects, members, and access tokens to the Service Account.

Before you can add projects and members, they have to exist.

Adding Projects

Projects are a way to collect secrets that should be logically grouped together. Let’s create a project that can be added to the Service Account. Click Projects in the left navigation and then click Add New Project. Give the project a name and click Save. Just like with Service Accounts, once you’ve created a project, you can then add People and Service Accounts to the Project (Figure 6). People, however, are added in the Organizations section of the Bitwarden Password Manager.

Figure 6: A newly created project for the Bitwarden Secrets Manager.

Add Projects and People to a Service Account

Service accounts represent non-human accounts (such as system accounts, applications, and deployment pipelines). Now that we’ve had our detour through Projects, you’ll want to add information to your new Service Account. Go back to the Service Account section and click to open the Service Account you just added. Add a Project (if necessary) and add People.

Create an Access Token

An Access Token is the authentication vehicle that allows you to script secret injection into your machines, applications, and service deployments, and to decrypt the secrets that are stored in your vault. This prevents you from having to save actual passwords or use them in your manifests and/or code.

How this works is pretty simple: Each Access Token is issued to a particular service account. With that association, it will grant any machine it’s applied to access to the secrets associated with that service account. So, to make this work, you must create Service Accounts and then add Secrets to them. Those secrets are then accessible to any Access Token that has access to a particular Service Account. It’s a bit confusing, but once you start playing around with the Secrets Manager, you’ll pick up on the workflow.

To create your first token, click on the Access Tokens tab and click New Access Token. In the popup (Figure 7), give your new Access Token a name, select the required permissions from the Permissions drop-down, and give it an expiration date.

Figure 7: Adding a new Access Token to the Secrets Manager.

Click New Access Token to generate the access token you’ll use for the service in question. One thing to keep in mind is that you must copy the new access token right away, because it isn’t stored and can’t be retrieved later. So click Copy Token (Figure 8) to save it to your computer’s clipboard.

Figure 8: Our new access token is ready to be copied.

At any time, you can manually revoke an Access Token by navigating to Service Accounts > Access Tokens, selecting the access token, clicking the associated menu, and clicking Revoke Access Token.
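
As an added example (not part of the original walkthrough, and not Bitwarden's own code), here is one way a deployment can consume the copied token so that secrets are injected at launch instead of living in manifests or code. It assumes Bitwarden's `bws` command-line client is installed, that your version supports `bws secret get <id>` with JSON output containing `key` and `value`, and that it reads the token from `BWS_ACCESS_TOKEN`; the function names are hypothetical.

```python
import json
import os
import re
import subprocess

TOKEN_VAR = "BWS_ACCESS_TOKEN"  # assumption: env var the bws CLI reads the token from
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def fetch_secret(secret_id, env, run=subprocess.run):
    """Return (key, value) for one secret, using `bws secret get <id>` (assumed CLI)."""
    proc = run(["bws", "secret", "get", secret_id],
               env=env, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        # An expired or revoked token lands here. Report the exit code only,
        # so nothing sensitive from the CLI output reaches the build log.
        raise RuntimeError(f"bws could not read secret {secret_id} (exit {proc.returncode})")
    item = json.loads(proc.stdout)
    return item["key"], item["value"]


def build_child_env(secret_ids, base_env, run=subprocess.run):
    """Environment for the workload: requested secrets added, access token removed."""
    if not base_env.get(TOKEN_VAR):
        raise RuntimeError(f"{TOKEN_VAR} is not set; supply it from the pipeline's secret store")
    child = {k: v for k, v in base_env.items() if k != TOKEN_VAR}
    for secret_id in secret_ids:
        key, value = fetch_secret(secret_id, base_env, run)
        if not ENV_NAME.fullmatch(key):
            raise ValueError(f"secret name {key!r} is not a usable environment variable name")
        child[key] = value
    return child


def launch(secret_ids, argv):
    """Replace this process with the workload; the token never reaches it."""
    os.execvpe(argv[0], argv, build_child_env(secret_ids, dict(os.environ)))
```

Because the launcher strips the access token before starting the workload, a compromise of the application exposes only the secrets it was given, not the credential that can fetch others from the service account.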

And that’s the basics of using the new Bitwarden Secrets Manager. For any organization that already uses Bitwarden and needs to be able to manage Secrets as well, this will be a welcome addition. For those who’ve yet to try Bitwarden, this might be just the feature to win you over.

TNS owner Insight Partners is an investor in: Enable.