
Secrets Manager Quick Start

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale.

The Secrets Manager web app will be your home for setting up your secrets management infrastructure. You'll use it to add and organize secrets, create systems of permissions to fit your needs, and generate access tokens for use by your applications. Once complete, you'll move on to the Developer Quick Start guide to learn how to inject secrets into your machines and applications.

Activate Secrets Manager

Secrets Manager can be activated from your organization's Billing → Subscription page. You must be an organization owner to do this:

Activate Secrets Manager

Once activated, Secrets Manager will be available through the web app using the product switcher:

Product switcher

Before you take your first steps with Secrets Manager, though, you'll need to explicitly invite a few organization members to join.

Give members access

tip

Before proceeding, we recommend setting up one or more groups for users of Secrets Manager. You will need to give members access to Secrets Manager through the Members page, but you can use groups to scalably assign access to secrets once your vault is populated.

To give members access to Secrets Manager you must be an organization owner or admin:

  1. Open your organization's Members tab and select the members you want to give access to Secrets Manager.

  2. Using the menu, select Enable Secrets Manager to grant access to selected members:

Add Secrets Manager users

First steps

Your secrets vault

Use the product switcher to open the Secrets Manager web app. If this is your first time opening the app you'll have an empty vault, but eventually it'll be full of your projects and secrets:

Secrets vault

Let's start filling your vault.

Add a project

Projects are collections of secrets logically grouped together for management access by your DevOps, cybersecurity, or other internal teams. It's important to take into account, when creating your projects, that projects will be the primary structures through which you assign members access to secrets. To create a project:

  1. Use the New dropdown to select Project:

    Create a project

  2. Enter a Project name.

  3. Select the Save button.

Assign members to your project

Adding organization members to your project will allow those users to interact with the project's secrets. To add people to your project:

  1. In the new project, select the People tab.

  2. From the People dropdown, type or select the member(s) or group(s) to add to the project. Once you've selected the right people, use the Add button:

    Add people to a project

  3. Once members or groups are added to the project, set a level of Permissions for those members or groups. Members and groups can have one of the following levels of permission:

    • Can read: Members/groups will be able to view existing secrets in this project.

    • Can read, write: Members/groups will be able to view existing secrets and create new secrets in this project.

Add secrets

Now that you have a project with a handful of members who can help you manage it, let's add some secrets to the project. Secrets are sensitive key-value pairs stored in your vault, typically things that should never be exposed in plain code or transmitted over unencrypted channels, for example:

  • API Keys

  • Application Configurations

  • Database Connection Strings

  • Environment Variables

You can import secrets directly to your vault as a .json file or add secrets manually:

To import your secrets:

  1. Review this document for help properly formatting an import file.

  2. Select Settings → Import data from the left-hand navigation:

    Import data

  3. Select Choose File and choose a .json file for import.

To add secrets manually:

  1. Use the New dropdown to select Secret:

    Create a secret

  2. In the New Secret window's top-most section, enter a Name and Value. Adding Notes is optional.

  3. In the Project section, type or select the project to associate the secret with. A few key points:

    • Each secret can only be associated with a single project at a time.

    • Only organization members with access to the project will be able to see or manipulate this secret.

    • Only service accounts with access to the project will be able to create a pathway for injecting this secret (more on that soon).

  4. When you're finished, select the Save button.

Repeat this process for as many secrets as you want to add to your vault.

Add a service account

Now that you've got a project full of secrets, it's time to start constructing machine access to those secrets. Service accounts represent non-human machine users, or groups of machine users, that require programmatic access to some of the secrets stored in your vault. Service accounts are used to:

  • Appropriately scope the selection of secrets a machine user has access to.

  • Issue access tokens to facilitate programmatic access to, and the ability to decrypt, edit, and create secrets.

To add a service account for this project:

  1. Use the New dropdown to select Service account:

    New service account

  2. Enter a Service account name and select Save.

  3. Open the service account and, in the Projects tab, type or select the name of the project(s) that this service account should be able to access. For each added project, select a level of Permissions:

    • Can read: Service account can retrieve secrets from assigned projects.

    • Can read, write: Service account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.

tip

Fully utilizing write access for service accounts is dependent on a forthcoming CLI release. For now, this simply makes the option available in the UI. Stay tuned to the Release Notes for more information.

Create an access token

Access tokens facilitate programmatic access to, and the ability to decrypt and edit, secrets stored in your vault. Access tokens are issued to a particular service account, and will give any machine that they're applied to the ability to access only the secrets associated with that service account. To create an access token:

  1. Select Service accounts from the navigation.

  2. Select the service account to create an access token for, and open the Access tokens tab:

    Create access token

  3. Select the Create access token button.

  4. On the Create Access Token panel, provide:

    • A Name for the token.

    • When the token Expires. By default, Never.

  5. Select the Create access token button when you're finished configuring the token.

  6. A window will appear printing your access token to the screen. Copy your token to somewhere safe before closing this window, as your token cannot be retrieved later:

    Access token example

This access token is the authentication vehicle through which you'll be able to script secret injection to your machines and applications.
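
The scoping chain described above (access token, then service account, then project, then secret) can be reviewed with a small script. This is an added example, not Bitwarden code: it models a hand-maintained inventory, and the data layout, all names, and the functions `reachable_secrets`, `writable_secrets` and `audit` are assumptions made for illustration. It reports which secrets each token can reach and flags tokens that never expire or carry write access.

```python
from datetime import date

# Constructed inventory; the layout is illustrative, not a Bitwarden export format.
SECRETS = {              # secret name -> the single project it belongs to
    "DB_CONNECTION_STRING": "payments",
    "PAYMENT_API_KEY": "payments",
    "SMTP_PASSWORD": "notifications",
}
SERVICE_ACCOUNTS = {     # service account -> {project: permission level}
    "ci-runner": {"payments": "read"},
    "deploy-bot": {"payments": "read_write", "notifications": "read"},
}
TOKENS = [               # each access token is issued to exactly one service account
    {"name": "ci-token", "service_account": "ci-runner", "expires": date(2024, 1, 31)},
    {"name": "deploy-token", "service_account": "deploy-bot", "expires": None},  # None = Never
]

def reachable_secrets(token):
    """Secrets a token can retrieve: those in projects assigned to its service account."""
    projects = SERVICE_ACCOUNTS[token["service_account"]]
    return sorted(name for name, project in SECRETS.items() if project in projects)

def writable_secrets(token):
    """Secrets a token can edit: those in projects granted 'Can read, write'."""
    projects = SERVICE_ACCOUNTS[token["service_account"]]
    return sorted(n for n, p in SECRETS.items() if projects.get(p) == "read_write")

def audit(tokens, today):
    """Return one finding per token listing its reach and anything worth reviewing."""
    findings = []
    for t in tokens:
        issues = []
        if t["expires"] is None:
            issues.append("never expires")      # the default when creating a token
        elif t["expires"] < today:
            issues.append("expired")
        if writable_secrets(t):
            issues.append("write access")
        findings.append({"token": t["name"], "reads": reachable_secrets(t), "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit(TOKENS, today=date(2023, 6, 1)):
        print(finding)
```

Because a secret belongs to one project and a token to one service account, narrowing a token's reach means splitting projects or service accounts, not editing the token.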

Next steps

Now that you've got the hang of creating the infrastructure for securely managing secrets, and of creating pathways for machine access to secrets, let's continue on to the Developer Quick Start guide.



© 2023 Bitwarden, Inc.