Access tokens are objects that facilitate service account access to, and the ability to decrypt, edit, and create secrets stored in Secrets Manager. Access tokens are issued to a particular service account, and will give any machine they're applied to the ability to access only the secrets associated with that service account.
Access tokens are never stored in Bitwarden databases and cannot be retrieved, so take care to store your access tokens somewhere safe when you generate them. To create an access token:
Select Service accounts from the navigation.
Select the service account to create an access token for, and open the Access tokens tab:
Select the Create access token button.
On the Create Access Token window, provide:
A Name for the token.
When the token Expires. By default, Never.
Select the Create access token button when you're finished configuring the token.
A window will appear printing your access token to the screen. Save your token somewhere safe before closing this window, as your token will not be stored and cannot be retrieved later:
This access token is the authentication vehicle through which you'll be able to script secret injection and editing by your machines and applications.
Access tokens are used for authentication by the Secrets Manager CLI. Once you've created your access token and saved its value somewhere safe, use it to authenticate secret retrieval commands by the CLI for injection into your applications or infrastructure. This could be:
Exporting the access token to a
BWS_ACCESS_TOKENenvironment variable on the host machine. CLI commands like the following will automatically check for a variable with that key for authentication:
bws project get e325ea69-a3ab-4dff-836f-b02e013fe530
-access-tokenoption inline a script written to
getand inject secrets, for example something that includes the lines:
... export DB_PW=$(bws secret get fc3a93f4-2a16-445b-b0c4-aeaf0102f0ff --access-token 0.48c78342-1635-48a6-accd-afbe01336365.C0tMmQqHnAp1h0gL8bngprlPOYutt0:B3h5D+YgLvFiQhWkIq6Bow== | .jq '.value') ... docker run -d database ... -env DB_PW=$DB_PW ... mysql:latest
Using our dedicated GitHub Actions integration to save the access token as a repository secret for use in your workflow files.
At any time, you can revoke an access token. Revoking a token will break the ability of any machines currently using it to retrieve and decrypt secrets. To revoke a token:
Select Service accounts from the navigation, and open the Access tokens tab.
For the access token you want to revoke, use the () options menu to select Revoke access token: