Service Accounts
Service accounts represent non-human machine users, like applications or deployment pipelines, that require programmatic access to a discrete set of secrets. Service accounts are used to:
Appropriately scope the selection of secrets a machine user has access to.
Issue access tokens to facilitate programmatic access to, and the ability to decrypt, edit, and create secrets.
Secrets that your user account has access to are listed in the primary Secrets Manager view as well as by selecting Service accounts from the navigation:
Opening a service account will list the Secrets and People the service account has access to, as well as any generated Access tokens:
On your organization's Subscription page you are able to assign the number of service accounts available for use in your organization. For additional information regarding your available service accounts, and service account scaling, see here.
To create a new service account:
Use the New dropdown to select Service account:
![New service account]()
New service account Enter a Service account name and select Save.
Open the service account and, in the Projects tab, type or select the name of the project(s) that this service account should be able to access. For each added project, select a level of Permissions:
Can read: Service account can retrieve secrets from assigned projects.
Can read, write: Service account can retrieve and edit secrets from assigned projects, create new secrets in assigned projects, or create new projects altogether.
tip
Fully utilizing write access for service accounts is dependent on a forthcoming CLI release. For now, this simply makes the option available in the UI. Stay tuned to the Release Notes for more information.
Adding organization members to a service account will allow those people to generate access tokens for the service account and interact with all secrets the service account has access to. To add people to your service account:
In the service account, select the People tab.
From the people dropdown, type or select the members or groups to add to the project. Once you've selected the right people, select the Add button:
![Add people to a service account]()
Add people to a service account
Adding projects to a service account will allow programmatic access to included secrets using access tokens. You can add both new and existing projects to a service account:
To add existing projects to your service account:
In the service account, select the Projects tab.
From the Projects dropdown, type or select the project(s) to add to the service account. Once you've chosen the right projects, select the Add button:
![Add a project]()
Add a project Open the service account and, in the Projects tab, type or select the name of the project(s) that this service account should be able to access. For each added project, select a level of Permissions:
Can read: Service account can retrieve secrets from assigned projects.
Can read, write: Service account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.
To add a new service account for this project:
Use the New dropdown to select Service account:
![New service account]()
New service account Enter a Service account name and select Save.
Open the service account and, in the Projects section, use the dropdown to type or select the project(s) to add to the service account. Once you've chosen the right projects, select the Add button:
![Add a project]()
Add a project Open the service account and, in the Projects tab, type or select the name of the project(s) that this service account should be able to access. For each added project, select a level of Permissions:
Can read: Service account can retrieve secrets from assigned projects.
Can read, write: Service account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.
To delete a service account, use the () options menu for the service account to delete to select Delete service account. Deleting a service account will not delete the secrets associated with it. Service accounts are fully removed once deleted and do not get sent to the trash like secrets do.
Timestamped records of actions taken with each service account are available from the service account's Event logs tab:
Any user that has access to a given service account will be able to view events for that service account. Events that are captured include:
Accessed secret secret-identifier. (
2100)
備考
Each Event is associated with type code (1000, 1001, etc.) that identifies the action captured by the event. Type codes are used by the Bitwarden Public API to identify the action documented by an event.
Event logs are exportable and are retained indefinitely. Exporting events will create a .csv of all events within the specified date range, which should not exceed 367 days.