bitwarden: check local env vars for password or api key #11

Closed
opened 2022-12-06 12:07:58 +00:00 by jessebot · 9 comments
jessebot commented 2022-12-06 12:07:58 +00:00 (Migrated from github.com)
No description provided.
cloudymax commented 2022-12-07 19:10:35 +00:00 (Migrated from github.com)

Looks like this can be accomplished via using the `bw login --apikey` option

according to: https://bitwarden.com/help/cli/#using-an-api-key

> In scenarios where automated work is being done with the Bitwarden CLI, you can save environment variables to prevent the need for manual intervention at authentication.

| Environment Variable Name | Required Value |
| -- | -- |
| BW_CLIENTID | client_id |
| BW_CLIENTSECRET | client_secret |

To get the api-key you have to login to the web-vault via [bitwarden.com](https://vault.bitwarden.com/#/login).

From there you need to click on the user icon at the top-right of the page and select `account settings`

![Screenshot 2022-12-07 at 19 46 02](https://user-images.githubusercontent.com/84841307/206270637-2f6e621d-0334-49a4-b7f7-908c4b3609c7.png)

Next you'll need to select the `Security` option from the menu on the left, and then select the `Keys` tab.

![Screenshot 2022-12-07 at 19 46 34](https://user-images.githubusercontent.com/84841307/206271033-7f5e417c-90b5-4104-a585-a4d500d7e3e0.png)

At the bottom of the page you should get the options to view the key:

![Screenshot 2022-12-07 at 19 47 33](https://user-images.githubusercontent.com/84841307/206271279-fffbefce-55e4-47c6-8cc1-740c99406f34.png)

Enter your password at the following screen, and get your api key.

![Screenshot 2022-12-07 at 19 47 02](https://user-images.githubusercontent.com/84841307/206271678-0634b9de-16bc-4833-a034-07497a07cf59.png)

Then export the client id and client secret values as `BW_CLIENTID` and `BW_CLIENTSECRET`.

```bash
bw login --apikey
You are logged in!

To unlock your vault, use the `unlock` command. ex:
$ bw unlock
```
jessebot commented 2022-12-07 19:16:05 +00:00 (Migrated from github.com)

Amazing writeup, thank you! :D
cloudymax commented 2022-12-07 19:21:18 +00:00 (Migrated from github.com)

> Amazing writeup, thank you! :D

no problem! 🥳
jessebot commented 2022-12-24 13:35:47 +00:00 (Migrated from github.com)

Checked and it looks like even with the api key, you still need to enter in the password to unlock the vault. I don't know that we're gaining anything by introducing the API key :(

> ## Unlock
>
> Using an [API key](https://bitwarden.com/help/cli/#using-an-api-key) or [SSO](https://bitwarden.com/help/cli/#using-sso) to log in will require you to follow-up the login command with an explicit `bw unlock` if you'll be working with vault data directly.
>
> Unlocking your vault generates a session key which acts as a decryption key used to interact with data in your vault. The [session key must be used](https://bitwarden.com/help/cli/#using-a-session-key) to perform any command that touches vault data (for example, list, get, edit). Session keys are valid until invalidated using `bw lock` or `bw logout`, however they will not persist if you open a new terminal window. Generate a new session key at any time using:
>
> ```
> bw unlock
> ```
>
> When you're finished, always end your session using the `bw lock` command.
>
> ### Unlock options
>
> You can use the `--passwordenv <passwordenv>` or `--passwordfile <passwordfile>` options with `bw unlock` to retrieve your master password rather than enter it manually.

Source: https://bitwarden.com/help/cli/#unlock
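To make the two findings above concrete (API-key login through `BW_CLIENTID`/`BW_CLIENTSECRET`, and unlocking through `--passwordenv`), here is an added shell example of how a tool could decide from environment variables alone which `bw` path is usable. It is not code from smol-k8s-lab or from the Bitwarden docs. `BW_SESSION`, `BW_CLIENTID` and `BW_CLIENTSECRET` are the Bitwarden CLI's documented variable names; `BW_PASSWORD` is a name assumed here for use with `--passwordenv`, and the unlock helper assumes `bw` and `jq` are on `PATH`. The decision table encodes the point made in the comment: an API key alone can log in, but cannot unlock the vault.

```bash
#!/usr/bin/env bash
# Added example (not part of smol-k8s-lab or the Bitwarden CLI): pick an
# authentication path for `bw` from environment variables alone.
# BW_SESSION, BW_CLIENTID and BW_CLIENTSECRET are names the Bitwarden CLI
# documents; BW_PASSWORD is a hypothetical name chosen for this example
# to feed `bw unlock --passwordenv`.

# Decide what the environment allows, without touching bw. Prints one of:
#   session          BW_SESSION is set; no login or unlock needed
#   apikey+password  can log in non-interactively AND unlock
#   password         can unlock with the master password (login must exist)
#   apikey-only      can log in, but NOT unlock: vault data stays inaccessible
#   none             nothing usable; fall back to interactive prompts
bw_auth_plan() {
  local have_key=0 have_pw=0
  if [ -n "${BW_CLIENTID:-}" ] && [ -n "${BW_CLIENTSECRET:-}" ]; then
    have_key=1
  fi
  if [ -n "${BW_PASSWORD:-}" ]; then
    have_pw=1
  fi

  if [ -n "${BW_SESSION:-}" ]; then
    echo session
  elif [ "$have_key" = 1 ] && [ "$have_pw" = 1 ]; then
    echo apikey+password
  elif [ "$have_pw" = 1 ]; then
    echo password
  elif [ "$have_key" = 1 ]; then
    echo apikey-only
  else
    echo none
  fi
}

# Turn the plan into a session key by calling the real bw CLI (assumes bw
# and jq on PATH). Prints the session key on stdout, or fails with a reason.
bw_session_from_env() {
  case "$(bw_auth_plan)" in
    session)
      printf '%s\n' "$BW_SESSION" ;;
    apikey+password|password)
      # `bw status` prints JSON whose "status" is one of
      # unauthenticated | locked | unlocked
      if [ "$(bw status | jq -r .status)" = unauthenticated ]; then
        if [ -n "${BW_CLIENTID:-}" ]; then
          bw login --apikey >/dev/null
        else
          echo "not logged in and no API key in env: run 'bw login' once" >&2
          return 1
        fi
      fi
      # --passwordenv reads the master password from the named variable;
      # --raw prints only the session key instead of the export hint text
      bw unlock --passwordenv BW_PASSWORD --raw ;;
    apikey-only)
      echo "API key can log in but cannot unlock; set BW_PASSWORD or BW_SESSION" >&2
      return 1 ;;
    *)
      echo "no credentials in env; run 'bw login' and 'bw unlock' interactively" >&2
      return 1 ;;
  esac
}
```

Usage: `export BW_SESSION="$(bw_session_from_env)"` in the calling shell, then run `bw list`/`bw get` as usual and `bw lock` when done. Whatever ends up in `BW_SESSION` or `BW_PASSWORD` is as sensitive as the master password itself, so it belongs in the current shell's environment only, not in a dotfile or CI log.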
jessebot commented 2022-12-24 13:57:44 +00:00 (Migrated from github.com)

Well, it's hacky, but we can maybe suggest local users use [libsecret](https://gitlab.gnome.org/GNOME/libsecret) to grab their bitwarden password and then export that in their shell on login, and then that can be used to unlock the vault. So, going back to the default option for this ticket: We should check local env vars for password. More importantly, it might make sense to add an "add to vault command" option, where we can add things to your vault of any password manager of your choice, but this would still require the user to know that they need to export certain env variables ahead of time to have the vault command work 🤔

I hate this for us. D: I wish that the API key actually worked like a normal API key and didn't still require the password key. This feels like it just adds complexity and no extra security, because you can't even set "require api key".
jessebot commented 2023-01-08 09:53:35 +00:00 (Migrated from github.com)

Reopening because although we now check for session tokens in the env vars, we do not accept API keys yet.
jessebot commented 2023-01-08 09:59:24 +00:00 (Migrated from github.com)

#45 is semi related to this.
jessebot commented 2023-01-08 10:01:25 +00:00 (Migrated from github.com)

I guess if the user is not logged in already, we could potentially try logging in via an api key, but after that, I am closing this ticket, because this is a lot to handle for the scope of this project currently.
jessebot commented 2023-08-12 15:44:03 +00:00 (Migrated from github.com)

Ok, we will now check local env vars not only for a password but also the api key in #79. Closing, and we can handle local keyring in #45.
Reference
small-hack/smol-k8s-lab#11