How to: BitWarden get password

Hello again!

I have Bitwarden here and would like to get passwords, for example an SQL root pw, and use it to create a user in SQL. I have the Bitwarden CLI installed on the Bitwarden server and can unlock the vault, and I have a user for the playbooks to unlock the vault, but when I add the bw server in the playbooks, the extracted password is only usable on this host. So how could I get the password from Bitwarden to the other servers?

And there's an official Ansible Galaxy plugin, but up until now I never 100% got how to add those in an AWX installation.

Thank you again!

You need to add it to your requirements.yml file in your project.

This can be something like:

collections:
  - name: community.vmware
  - name: bitwarden.secrets
  - name: community.mysql

With this in your requirements, AWX will pick up this file and install the required collections.

Notice also the Python dependencies that are required; these you should add in your Python requirements file.

Further, you can consult the example playbook they have posted in the readme file.
https://galaxy.ansible.com/ui/repo/published/bitwarden/secrets/docs/

Okay - I made a test project and already have this requirements.yml:

---
collections:
  # Install a collection from Ansible Galaxy.
  - name: bitwarden.secrets
    version: "1.0.1"
    source: https://galaxy.ansible.com

I tried using community.general.bitwarden.
I unlocked the Bitwarden vault on the host and my playbook fails:
PB:

---
- name: Retrieve Bitwarden password test
  hosts: all
  gather_facts: false
  become: true
  tasks:
    - name: Get 'password' from Bitwarden record 'madtest'
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.bitwarden', 'madtest', field='password') }}"

I created a new inventory "Bitwarden" with just the Bitwarden server in it.
Log:

Enter passphrase for /runner/artifacts/8319/ssh_key_data: 
Identity added: /runner/artifacts/8319/ssh_key_data (/runner/artifacts/8319/ssh_key_data)
ansible-playbook [core 2.15.12]
  config file = None
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.20 (main, Sep  9 2024, 00:00:00) [GCC 11.5.0 20240719 (Red Hat 11.5.0-2)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
No config file found; using defaults
host_list declined parsing /runner/inventory/hosts as it did not pass its verify_file() method
Parsed /runner/inventory/hosts inventory source with script plugin
Skipping callback 'awx_display', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: bw_envtest.yaml ******************************************************
1 plays in zzz_testplaybooks_and_archive/bwtest/bw_envtest.yaml

PLAY [Retrieve Bitwarden password test] ****************************************

TASK [Get 'password' from Bitwarden record 'madtest'] **************************
task path: /runner/project/zzz_testplaybooks_and_archive/bwtest/bw_envtest.yaml:7
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 879, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/community/general/plugins/lookup/bitwarden.py", line 225, in run
    if not _bitwarden.unlocked:
  File "/usr/share/ansible/collections/ansible_collections/community/general/plugins/lookup/bitwarden.py", line 132, in unlocked
    out, err = self._run(['status'], stdin="")
  File "/usr/share/ansible/collections/ansible_collections/community/general/plugins/lookup/bitwarden.py", line 140, in _run
    p = Popen([self.cli_path] + args, stdout=PIPE, stderr=PIPE, stdin=PIPE)
  File "/usr/lib64/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib64/python3.9/subprocess.py", line 1837, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'bw'
fatal: [www43]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.general.bitwarden'. Error was a <class 'FileNotFoundError'>, original message: [Errno 2] No such file or directory: 'bw'. [Errno 2] No such file or directory: 'bw'"
}

PLAY RECAP *********************************************************************
www43                      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
  

For me the error doesn't make any sense.

I cannot use the Ansible Galaxy version, because I need a certain add-on for Bitwarden to generate some sort of keys (Secrets Manager).
It didn't seem to me I needed anything for the community version?
I don't think so. I found this guide from the Git and I logged in as the service user, unlocked the vault and added the env shown when I unlocked the vault (bw login, bw unlock, export BW_SESSION="mysessionkey=="), and when I use env I see the correct key. Then I executed the playbook I designed after the first example from the Git guide.

I get the same error when I use a playbook with a session key:

---
- name: Retrieve Bitwarden password test
  hosts: all
  gather_facts: false
  become: true
  vars:
    bitwarden_record_name: "nagivis"
    bitwarden_session_key: "mykey+1h53+AtQ21bF0CEJB8tB3cYe1dPEA3dVTGMLGsg=="
  tasks:
    - name: "Get 'password' from all Bitwarden records named '{{ bitwarden_record_name }}'"
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.bitwarden', bitwarden_record_name, field='password', bw_session=bitwarden_session_key) }}"

The lookup tries to execute the bw command line tool, which it apparently cannot find. The plugin expects the binary in the regular search path.

Yeah, I got this in a different issue on Stack Overflow where there was a guy who wanted to execute a command with the command module, for example "rn test1 test2", and got the same error and needed to change the command to "/path/to/rn test1 test2".

But in the syntax for this module I don't even have to use the bw command - it gets converted in the module. Do you think it is a good enough reason to generate an issue in the community Git?
I cannot find any alternative docs or videos for this module.

I think this part is setting the path of the CLI, which is wrong.

I dropped the module into a Python "AI" check and it seems the module cannot find the correct bw CLI path from the server when initializing; the bot says the bw is just a value that gets set when the correct path was not found.

module git

I think I need to add the requirements mentioned in an execution environment for AWX.

I created a custom EE and now get:

 "msg": "An unhandled exception occurred while running the lookup plugin 'community.general.bitwarden'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Bitwarden Vault locked. Run 'bw unlock'.. Bitwarden Vault locked. Run 'bw unlock'."

The error is persistent even with this playbook:

- name: Retrieve Bitwarden password test
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Display bw_usr variable
      ansible.builtin.debug:
        msg: "Bitwarden user: {{ bw_usr }}"

    - name: Unlock Bitwarden vault
      ansible.builtin.command:
        cmd: "bw unlock '{{ bw_pw }}'"
      register: bw_unlock
      ignore_errors: no  # Ensure the play stops if unlocking fails

    - name: Check if Bitwarden unlock was successful
      ansible.builtin.debug:
        msg: "Bitwarden unlocked successfully."
      when: bw_unlock.rc == 0  # Show message only if unlock succeeded

    - name: "Get 'password' from all Bitwarden records named 'nagivis'"
      ansible.builtin.debug:
        msg: >-
          {{ lookup('community.general.bitwarden', 'nagivis', field='password') }}
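
Added example (not part of the thread and not code from community.general): both errors above are raised in the process that evaluates the lookup, which is where ansible-playbook runs (the AWX execution environment), so a `bw unlock` task on a managed host does not change what the lookup sees. The code below checks such an environment with the same `bw status` call the traceback shows; `bw_preflight`, `demo` and the stub `bw` script are names constructed for this illustration.

```python
import json
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed stand-in for the real CLI so the demo runs offline: like
# `bw status`, it reports "unlocked" only when BW_SESSION is set.
STUB_BW = """#!/bin/sh
if [ -n "$BW_SESSION" ]; then echo '{"status":"unlocked"}'
else echo '{"status":"locked"}'; fi
"""


def bw_preflight(env):
    """Check the environment of the process that evaluates the lookup.

    Lookup plugins run where ansible-playbook runs (the AWX execution
    environment), so `env` must be that process's environment, not the
    environment of a managed host.
    """
    cli = shutil.which("bw", path=env.get("PATH", ""))
    if cli is None:
        return "missing"  # lookup fails: No such file or directory: 'bw'
    proc = subprocess.run([cli, "status"], env=env, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=30)
    try:
        return json.loads(proc.stdout)["status"]
    except (ValueError, KeyError, TypeError):
        return "unknown"


def demo():
    """Run the check against three constructed environments."""
    with tempfile.TemporaryDirectory() as bindir:
        stub = os.path.join(bindir, "bw")
        with open(stub, "w") as fh:
            fh.write(STUB_BW)
        os.chmod(stub, stat.S_IRWXU)
        return {
            "ee_without_cli": bw_preflight({"PATH": ""}),
            "cli_no_session": bw_preflight({"PATH": bindir}),
            "cli_with_session": bw_preflight(
                {"PATH": bindir, "BW_SESSION": "constructed-placeholder"}),
        }


if __name__ == "__main__":
    print(demo())
```

Run inside the execution environment with `bw_preflight(dict(os.environ))`, a result of "locked" means no valid BW_SESSION reached that process.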