This DMNO plugin allows you to securely access your secrets stored in Bitwarden Secrets Manager. Please note that this plugin is not compatible with Bitwarden’s Password Manager product. Authentication with Bitwarden uses Machine Account Access Tokens.
Installation & setup
Install the package in the service(s) that will use secrets from Bitwarden.
After installation, you’ll need to initialize the plugin in your config.mts and add a config item to hold your machine account access token. You can explicitly wire the plugin up to the service account token if using multiple tokens at once, or it will be injected by default based on the BitwardenSecretsManagerTypes.machineAccountAccessToken type. It’s ok if you have not created the machine account or access token - we’ll do that in the next section.
Setup Project & Secrets
If you are already using Bitwarden Secrets Manager, you likely already have existing projects that contain secrets. If so, now would be a good time to review how they are all organized. If not, you should create at least one project, as each secret can have a parent project it belongs to, and access can be granted to projects rather than managing each secret individually.
The machine account access token now serves as your secret-zero: it grants access to the rest of your sensitive config stored in Bitwarden. It must be set locally and in deployed environments, but because it is sensitive, we must pass in the value as an override rather than storing it within the config. Locally, this usually means storing it in your .env.local file, and on a deployed environment you’ll usually set it wherever you would normally pass in environment variables. DMNO will handle the rest. See Setting overrides for more details.
Add items to your schema
With the plugin initialized and access wired up, now we must update our config schema to connect specific config values to data stored in Bitwarden secrets.
Items are wired up using the secret UUIDs found in the Bitwarden UI. For example:
Self-hosted
If you are self-hosting Bitwarden Secrets Manager, the BitwardenSecretsManagerDmnoPlugin also takes additional inputs for apiServerUrl and identityServerUrl. The values for these can be found in the Bitwarden UI under Machine Accounts > Config. See the Bitwarden docs for more details.
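A preflight check for the inputs described above (the access token override, the secret UUIDs, and the self-hosted apiServerUrl and identityServerUrl), as an added example that is not part of DMNO or the Bitwarden plugin. The function names, the https-only policy and the rule that both URLs are set together are assumptions of this example, and the sample values are constructed.

```javascript
// Added example: not DMNO or Bitwarden plugin code. Function names are hypothetical.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a problem string for a self-hosted URL input, or null if acceptable.
function checkServerUrl(name, value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return `${name}: not a valid URL`;
  }
  // Policy of this example: the access token must only travel over TLS.
  if (url.protocol !== 'https:') return `${name}: must use https`;
  if (url.username || url.password) return `${name}: must not embed credentials`;
  return null;
}

// inputs: { accessToken, secretIds, apiServerUrl?, identityServerUrl? }
function preflight(inputs) {
  const problems = [];
  const { accessToken, secretIds = [], apiServerUrl, identityServerUrl } = inputs;

  if (typeof accessToken !== 'string' || accessToken.trim() === '') {
    problems.push('accessToken: missing, set it as an override (e.g. in .env.local)');
  }
  for (const id of secretIds) {
    if (!UUID_RE.test(id)) problems.push(`secret id "${id}": not a UUID`);
  }
  // Assumption: a self-hosted setup supplies both URLs together.
  if (Boolean(apiServerUrl) !== Boolean(identityServerUrl)) {
    problems.push('self-hosted: set both apiServerUrl and identityServerUrl');
  }
  const urls = [['apiServerUrl', apiServerUrl], ['identityServerUrl', identityServerUrl]];
  for (const [name, value] of urls) {
    if (!value) continue;
    const problem = checkServerUrl(name, value);
    if (problem) problems.push(problem);
  }
  return problems;
}

// Constructed sample input (placeholder values, not real identifiers).
const sample = {
  accessToken: '',
  secretIds: ['11111111-2222-3333-4444-555555555555', 'db-password'],
  apiServerUrl: 'http://vault.example.internal/api',
  identityServerUrl: 'https://vault.example.internal/identity',
};
console.log(preflight(sample));
```

Running a check like this before the config resolves catches a mistyped secret UUID or a plaintext server URL before the access token is sent anywhere.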