This package is a Varlock plugin that enables loading data from Bitwarden Secrets Manager into your configuration.
- Zero-config authentication - Just provide your machine account access token
- UUID-based secret access - Fetch secrets by their unique identifiers
- Organization support - Optional organization ID for filtering and management
- Self-hosted Bitwarden support - Configure custom API and identity URLs
- Multiple instances - Connect to different organizations or self-hosted instances
- Comprehensive error handling with helpful tips
If you are in a JavaScript based project and have a package.json file, you can either install the plugin explicitly
npm install @varlock/bitwarden-pluginAnd then register the plugin without any version number
# @plugin(@varlock/bitwarden-plugin)
Otherwise just set the explicit version number when you register it
# @plugin(@varlock/bitwarden-plugin@1.2.3)
See our Plugin Guide for more details.
After registering the plugin, you must initialize it with the @initBitwarden root decorator.
For most use cases, you only need to provide the access token:
# @plugin(@varlock/bitwarden-plugin)
# @initBitwarden(accessToken=$BITWARDEN_ACCESS_TOKEN)
# ---
# @type=bitwardenAccessToken @sensitive
BITWARDEN_ACCESS_TOKEN=
How to get an access token:
- Navigate to your Bitwarden organization's Secrets Manager
- Go to Machine accounts → Create a new machine account
- Copy the Access token (displayed only once!)
- Grant the machine account access to the secrets or projects you need
For self-hosted Bitwarden instances, you'll need to provide both URLs:
# @initBitwarden(
# accessToken=$BITWARDEN_ACCESS_TOKEN,
# apiUrl="https://bitwarden.yourcompany.com/api",
# identityUrl="https://bitwarden.yourcompany.com/identity"
# )
apiUrl- API URL for your self-hosted instance (e.g., "https://bitwarden.yourcompany.com/api")identityUrl- Identity service URL for your self-hosted instance (e.g., "https://bitwarden.yourcompany.com/identity")
If you need to connect to multiple organizations or instances, register multiple named instances:
# @initBitwarden(id=prod, accessToken=$PROD_ACCESS_TOKEN)
# @initBitwarden(id=dev, accessToken=$DEV_ACCESS_TOKEN)
This plugin introduces the bitwarden() function to fetch secret values.
# @plugin(@varlock/bitwarden-plugin)
# @initBitwarden(accessToken=$BITWARDEN_ACCESS_TOKEN)
# ---
# @type=bitwardenAccessToken @sensitive
BITWARDEN_ACCESS_TOKEN=
# Fetch secrets by UUID
DATABASE_URL=bitwarden("12345678-1234-1234-1234-123456789abc")
API_KEY=bitwarden("87654321-4321-4321-4321-cba987654321")
# If using multiple instances
PROD_SECRET=bitwarden(prod, "11111111-1111-1111-1111-111111111111")
DEV_SECRET=bitwarden(dev, "22222222-2222-2222-2222-222222222222")
To find a secret's UUID:
- Open your Bitwarden Secrets Manager
- Navigate to the secret
- Copy the UUID from the URL or secret details (format:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
Initialize a Bitwarden Secrets Manager plugin instance.
Parameters:
accessToken: string(required) - Machine account access tokenapiUrl?: string- API URL for self-hosted Bitwarden (defaults tohttps://api.bitwarden.com)identityUrl?: string- Identity service URL for self-hosted Bitwarden (defaults tohttps://identity.bitwarden.com)cacheTtl?: string | number- Cache resolved values frombitwarden()for the provided TTL ("5m","1h","1d", or"forever"to cache until manually cleared); set tofalse(or an empty string) to disable cachingid?: string- Instance identifier for multiple instances (defaults to_default)
Fetch a secret from Bitwarden Secrets Manager.
Signatures:
bitwarden(secretId)- Fetch by secret UUID from default instancebitwarden(instanceId, secretId)- Fetch from a specific instance
Secret ID Format:
- Must be a valid UUID:
"12345678-1234-1234-1234-123456789abc"
bitwardenAccessToken- Machine account access token (sensitive)bitwardenSecretId- Secret UUID (validated format)bitwardenOrganizationId- Organization UUID (validated format)
Machine accounts provide programmatic access to Bitwarden Secrets Manager.
Using the Web Vault:
- Log in to your Bitwarden organization
- Navigate to Secrets Manager → Machine accounts
- Click New machine account
- Provide a name (e.g., "Production App")
- Copy the Access token (shown only once!)
- Grant access to specific projects or secrets
Permission Levels:
- Can read - Retrieve secrets only
- Can read, write - Retrieve, create, and edit secrets
Important: Store the access token securely - it will only be displayed once!
Via Projects:
- Create or select a project in Secrets Manager
- Add secrets to the project
- Grant your machine account access to the project
Direct Secret Access:
- Navigate to a specific secret
- Click Access
- Add your machine account with appropriate permissions
# Via Bitwarden CLI
bw org list
# Or check your organization's URL
https://vault.bitwarden.com/#/organizations/{organization-id}- Verify the secret UUID is correct (must be valid UUID format)
- Check that the secret exists in your Bitwarden Secrets Manager
- Ensure your machine account has access to the secret or its project
- Verify your machine account has "Can read" or "Can read, write" permissions
- Check that the machine account has access to the specific secret
- Review the access settings in Bitwarden Secrets Manager console
- Verify the access token is correct
- Check if the access token has been revoked or expired
- Ensure the machine account is not disabled
- For self-hosted: verify apiUrl and identityUrl are correct
- Secret IDs must be valid UUIDs:
12345678-1234-1234-1234-123456789abc - Check for typos or incorrect format
- UUIDs should contain 32 hexadecimal characters and 4 hyphens