bw get: Read a Secret from Bitwarden CLI
bw get returns a single object from your Bitwarden vault, such as the password field of an item by name or ID.
The Bitwarden CLI (bw) exposes the vault to scripts once it is authenticated and unlocked. bw get is how you pull one value; the vault must be unlocked and a session key provided.
What it does
bw get fetches an object of the given type (password, username, item, notes, uri) identified by a search term or ID, and prints the value. It requires the vault to be unlocked, which yields a session key.
Common usage
export BW_SESSION="$(bw unlock --raw --passwordenv BW_PASSWORD)"
bw get password "deploy-token"
bw get item "deploy-token" | jq -r '.login.password'Options
| Argument | What it does |
|---|---|
| password|username|item|notes|uri | Object type to retrieve |
| <search|id> | Item name to search or an item ID |
| --session <key> | Session key (or set BW_SESSION) |
| --raw | Output the raw value with no formatting |
In CI
Authenticate with an API key (BW_CLIENTID/BW_CLIENTSECRET) via bw login --apikey, then bw unlock to get a session, and export BW_SESSION for subsequent commands. Run bw sync first if the vault may be stale. Do not echo the retrieved value; pipe it directly.
Common errors in CI
"You are not logged in." means bw login has not run (use --apikey with BW_CLIENTID/BW_CLIENTSECRET). "Vault is locked." means no valid session; run bw unlock and export BW_SESSION. "More than one result was found." means an ambiguous search term; use the exact item ID instead.