How to securely store your Secrets Manager access tokens with Bash scripting
- Set up Bitwarden Secrets Manager
- Set up the Secrets Manager Command Line
- Storing access tokens with MacOS Keychain
- Create a Keychain item
- Inject access token into Bash script
- Storing access tokens with Linux desktop
- Install GNOME Keyring, libsecret-tool and DBUS
- Inject access token into Bash script
- Start securing your developer pipeline with Bitwarden Secrets Manager
Bitwarden Secrets Manager and developers are a match made in security heaven — empowering fast moving development and DevOps teams to securely store, manage, and automate sensitive secrets required for deploying software. Programmatic machine access to these sensitive secrets is facilitated via access tokens — granting machines within your ecosystem the ability to decrypt, edit, and create secrets. When developers store these access tokens in unsecured locations, however, they can be leveraged by bad actors attempting to steal sensitive data and access to your business environments.
This guide demonstrates how to securely store Bitwarden Secrets Manager access tokens and automate the session authentication process with Bash scripting in Linux desktop and macOS environments.
Before saving an access token with macOS keychain or Linux desktop, let’s configure Secrets Manager with a secret, project, and service account.
To start, open the Bitwarden Secrets Manager web app and create a new project. Projects are the primary way of grouping secrets and assigning access later. Choose a name for the project. For this demonstration, name the project Profile.
![Secrets Manager new project](https://res.cloudinary.com/bw-com/image/upload/f_auto/v1/ctf/7rncvj1f8mw7/4h8N0pSjWAhIJIH8sFSdpE/3885a7ee223967a82450464830113814/image1.png?_a=BAJFJtWI0)
Next, create a service account. A service account represents non-human machine users that require access to a specific set of secrets. Name the service account CLI ACCESS.
![Secrets Manager CLI Access](https://res.cloudinary.com/bw-com/image/upload/f_auto/v1/ctf/7rncvj1f8mw7/4ohd7BdoKnZ6e3CpSlJHUu/eaeca6db0c4493b2d3a283804072db44/image2.png?_a=BAJFJtWI0)
Add the service account you just created to the existing project by navigating to the project and selecting the service accounts tab. The service account should have read and write access so that the administrator's Bash profile can properly access it.
From within your service account, generate a new access token by selecting the Access tokens tab. Give the access token a name, set expiration settings, and click New access token. Remember to copy the access token value for later and save it in a safe location; it cannot be retrieved again.
Before you can securely store your access token with macOS Keychain or Linux desktop for Bash scripting, you must first download the Bitwarden Secrets Manager CLI.
Download the Secrets Manager CLI client from GitHub and install the package on your machine. You can learn more about the Secrets Manager CLI in this help article.
macOS Keychain is an encrypted container for securely storing various types of confidential information, including Bitwarden Secrets Manager access tokens. More information on macOS Keychain can be found in Apple’s user documentation.
Have the access token that was created in Secrets Manager on hand when following these steps.
Open Keychain on your system and create a new Keychain item.
Name the item BWS_ACCESS_TOKEN.
In the Account Name field, enter the account you are using on your system. This will determine access to the key and the password required to use the key.
In the password field, input the access token that was previously created in the Secrets Manager GUI.
Once you are finished, select Add.
Now return to the terminal and open .bash_profile. Instead of pasting the access token into the file in plain text, add the following line, which reads it from the Keychain item each time the profile is loaded:
```bash
# Read the BWS_ACCESS_TOKEN Keychain item at shell startup; replace <Account Name>
# with the account entered in the Keychain item's Account Name field.
export BWS_ACCESS_TOKEN="$(security find-generic-password -w -s 'BWS_ACCESS_TOKEN' -a "<Account Name>")"
```
Save and exit the text editor. Next, source the updated Bash profile to apply changes.
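The one-liner above exports the token into every shell session and, if the Keychain item is missing, silently exports an empty value. As an added example (not code from the Bitwarden post or its CLI), the following Bash functions wrap that lookup so the profile fails closed on a missing or malformed item, and also cover the Linux desktop case with secret-tool; the `bws_` function names and the libsecret attribute pair `bws access_token` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Bitwarden post: load a Secrets Manager access
# token from the OS keyring into BWS_ACCESS_TOKEN, failing closed on problems.

# Read the token from whichever keyring backend this host has.
# macOS: the Keychain item named BWS_ACCESS_TOKEN for the current user.
# Linux: a libsecret item stored with attribute "bws access_token" (assumed name).
# Prints the token on stdout; returns non-zero if no backend or no item exists.
bws_token_lookup() {
  if command -v security >/dev/null 2>&1; then
    security find-generic-password -w -s 'BWS_ACCESS_TOKEN' -a "$USER" 2>/dev/null
  elif command -v secret-tool >/dev/null 2>&1; then
    secret-tool lookup bws access_token 2>/dev/null
  else
    return 1
  fi
}

# Sanity-check the value before it is exported: non-empty and free of
# whitespace, so a truncated or multi-line keyring entry never reaches bws.
bws_token_is_sane() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Export BWS_ACCESS_TOKEN using the lookup function named in $1
# (default: bws_token_lookup). Returns 1 if the lookup fails and 2 if the
# value is malformed; in both cases the variable is left unset so that bws
# fails closed instead of silently running with a stale or empty token.
bws_load_token() {
  local lookup="${1:-bws_token_lookup}" tok
  tok="$("$lookup")" || { unset BWS_ACCESS_TOKEN; return 1; }
  bws_token_is_sane "$tok" || { unset BWS_ACCESS_TOKEN; return 2; }
  export BWS_ACCESS_TOKEN="$tok"
}

# Run one command with the token scoped to that child process only, for
# scripts that prefer not to keep the token in the interactive shell's
# environment (where every later child process inherits it).
bws_with_token() {
  local tok
  tok="$(bws_token_lookup)" && bws_token_is_sane "$tok" || return 1
  BWS_ACCESS_TOKEN="$tok" "$@"
}
```

In .bash_profile, `bws_load_token || echo 'bws: no access token loaded' >&2` replaces the bare export; `bws_with_token bws secret list` runs a single command without leaving the token in the session environment.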