Skip to content
Latchkey

bw get: Read a Secret from Bitwarden CLI

bw get returns a single object from your Bitwarden vault, such as the password field of an item by name or ID.

The Bitwarden CLI (bw) exposes the vault to scripts once it is authenticated and unlocked. bw get is how you pull one value; the vault must be unlocked and a session key provided.

What it does

bw get fetches an object of the given type (password, username, item, notes, uri) identified by a search term or ID, and prints the value. It requires the vault to be unlocked, which yields a session key.

Common usage

Terminal
export BW_SESSION="$(bw unlock --raw --passwordenv BW_PASSWORD)"
bw get password "deploy-token"
bw get item "deploy-token" | jq -r '.login.password'

Options

ArgumentWhat it does
password|username|item|notes|uriObject type to retrieve
<search|id>Item name to search or an item ID
--session <key>Session key (or set BW_SESSION)
--rawOutput the raw value with no formatting

In CI

Authenticate with an API key (BW_CLIENTID/BW_CLIENTSECRET) via bw login --apikey, then bw unlock to get a session, and export BW_SESSION for subsequent commands. Run bw sync first if the vault may be stale. Do not echo the retrieved value; pipe it directly.

Common errors in CI

"You are not logged in." means bw login has not run (use --apikey with BW_CLIENTID/BW_CLIENTSECRET). "Vault is locked." means no valid session; run bw unlock and export BW_SESSION. "More than one result was found." means an ambiguous search term; use the exact item ID instead.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →