Secrets ManagerIntegrations

GitLab CI/CD

Bitwarden provides a way to inject secrets into your GitLab CI/CD pipelines using the Bitwarden Secrets Manager CLI. This allows your to securely store and use secrets in your CI/CD workflows. To get started:

Save an access token

In this step, we're going to save an access token as a GitLab CI/CD variable. This token will be used to authenticate with the Bitwarden Secrets Manager API and retrieve secrets.

  1. In GitLab, navigate to your project's Settings > CI/CD page.

  2. Select Expand in the Variables section.

  3. Select Add variable.

  4. Check the Mask variable flag.

  5. Name the key BWS_ACCESS_TOKEN. This is the variable that the Secrets Manager CLI looks for to authenticate. Alternatively, if you need to name the key something else, specify --access-token NAME_OF_VAR on the bws secret get line later.

  6. In another tab, open the Secrets Manager web app and create an access token.

  7. Back in GitLab, paste the newly-created access token into the Value field.

  8. Select Add variable to save.

Add a variable in GitLab
Add a variable in GitLab

Add to your workflow file

Next, we're going to write a rudimentary GitLab CI/CD workflow. Create a file called .gitlab-ci.yml in the root of your repository with the following contents:

stages: - default_runner image: ubuntu build: stage: default_runner script: - | # install bws apt-get update && apt-get install -y curl git jq unzip export BWS_VER="$( curl -s | \ jq -r '.tag_name' | sed 's/bws-v//' )" curl -LO \ "$BWS_VER/bws-x86_64-unknown-linux-gnu-$" unzip -o bws-x86_64-unknown-linux-gnu-$ -d /usr/local/bin # secrets to retrieve secret_ids=( "534cc788-a143-4743-94f5-afdb00a40a41" "9a0b500c-cb3a-42b2-aaa2-afdb00a41daa" ) # export secrets as environment variables for secret_id in "${secret_ids[@]}"; do secret="$(bws secret get "$secret_id")" secret_key="$(echo "$secret" | jq -r '.key')" secret_value="$(echo "$secret" | jq -r '.value')" export "$secret_key"="$secret_value" done # run the command that requires secrets - npm run start


  • BWS_VER is the version of the Bitwarden Secrets Manager CLI to install. Here, we are automatically getting the latest version. You can pin the version being installed by changing this to a specific version, for example BWS_VER="0.3.1".

  • 534cc788-a143-4743-94f5-afdb00a40a41 and 9a0b500c-cb3a-42b2-aaa2-afdb00a41daa are reference identifiers for secrets stored in Secrets Manager. The machine account that your access token belongs to must be able to access these specific secrets.

  • npm run start is the command that expects the secret values that are retrieved by bws. Replace this with the relevant commands for running your project.


Secrets are stored as environment variables. It is important to avoid running commands that would output these secrets to the logs.

Run the CI/CD pipeline

On the left, select Build > Pipelines and select Run pipeline at the top-right of the pace. Select Run pipeline on the page to run the newly-created pipeline.

Make a suggestion to this page

Contact Our Support Team

For technical, billing, and product questions.

Bitwarden account email*
Verify account email*
Are you self-hosting?*

Cloud Status

Check status

© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here