[bws] Unable to update secrets starting with dashes #1266

@shanduur

Description

Steps To Reproduce

Run the script below twice.

#!/usr/bin/env bash

set -euo pipefail

# === Config ===
CA_KEY="ca.key"
CA_CERT="ca.crt"
DAYS_VALID=3650
CA_SUBJECT="/C=US/ST=Utah/L=Example/O=example.org/CN=example-root-ca"

# Ensure BWS_PROJECT_ID is set
if [[ -z "${BWS_PROJECT_ID:-}" ]]; then
  echo "ERROR: BWS_PROJECT_ID is not set!"
  exit 1
fi

# === Functions ===

function generate_ca() {
  echo "[*] Generating new CA private key..."
  openssl genrsa -out "${CA_KEY}" 4096

  echo "[*] Generating self-signed CA certificate..."
  openssl req -x509 -new -nodes -key "${CA_KEY}" \
    -sha256 -days "${DAYS_VALID}" -out "${CA_CERT}" \
    -subj "${CA_SUBJECT}"

  echo "[+] CA generation complete: ${CA_CERT}, ${CA_KEY}"
}

function store_secret() {
  local name="$1"
  local file="$2"

  echo "[*] Checking if Bitwarden secret for ${name} exists..."
  local secret_id
  secret_id="$(bws secret list | jq -r --arg key "$name" '.[] | select(.key == $key) | .id')"

  if [[ -z "$secret_id" ]]; then
    echo "[*] Creating new Bitwarden secret: $name"
    bws secret create "$name" -- "$(cat "$file")" "${BWS_PROJECT_ID}"
  else
    echo "[*] Updating existing Bitwarden secret: $name"
    bws secret edit \
      --key "$name" \
      --value "$(cat "$file")" \
      --project-id "${BWS_PROJECT_ID}" \
      "$secret_id"
  fi
}

# === Main ===

generate_ca
store_secret "ca.crt" "${CA_CERT}"
store_secret "ca.key" "${CA_KEY}"

Expected Result

Updated secret with new ca.crt and ca.key.

Actual Result

./hack/ca-gen.sh
[*] Generating new CA private key...
[*] Generating self-signed CA certificate...
[+] CA generation complete: ca.crt, ca.key
[*] Checking if Bitwarden secret for ca.crt exists...
[*] Updating existing Bitwarden secret: ca.crt
error: unexpected argument '-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----' found

  tip: to pass '-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----' as a value, use '-- -----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----'

Usage: bws secret edit <--key <KEY>|--value <VALUE>|--note <NOTE>|--project-id <PROJECT_ID>> <SECRET_ID|--key <KEY>|--value <VALUE>|--note <NOTE>|--project-id <PROJECT_ID>>

For more information, try '--help'.

After changing to --value -- "$(cat "$file")"

./hack/ca-gen.sh
[*] Generating new CA private key...
[*] Generating self-signed CA certificate...
[+] CA generation complete: ca.crt, ca.key
[*] Checking if Bitwarden secret for ca.crt exists...
[*] Updating existing Bitwarden secret: ca.crt
error: a value is required for '--value <VALUE>' but none was supplied

For more information, try '--help'.

Screenshots or Videos

No response

Additional Context

No response

Operating System

macOS

Operating System Version

15.5

Shell

Zsh

Build Version

bws 0.5.0

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
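Added example (not part of the original issue and not Bitwarden code): a small model of the usual flag-parsing convention that reproduces both errors reported above and shows why an attached `--value=VALUE` token is treated differently. `model_parse`, the placeholder PEM body and the secret ID are constructed for illustration; whether bws 0.5.0 accepts the attached form is an assumption to verify against your build.

```shell
# Simplified stand-in for a flag parser (hypothetical; NOT bws's real parser).
# Rules modelled: a dash-led token is never taken as the value of a preceding
# option, '--' ends option parsing, and '--value=X' carries X in the same token.
model_parse() {
  value_set=no; positionals=0; opts=yes
  while [ "$#" -gt 0 ]; do
    tok=$1; shift
    if [ "$opts" = no ]; then positionals=$((positionals + 1)); continue; fi
    case $tok in
      --) opts=no ;;
      --value=*) value_set=yes ;;   # value attached: no look-ahead needed
      --value)
        # Look-ahead: nothing left, or '--', means the option has no value.
        if [ "$#" -eq 0 ] || [ "$1" = "--" ]; then
          echo "err:value-required"; return 0
        fi
        # A dash-led next token is read as another (unknown) flag.
        case $1 in -*) echo "err:unexpected-argument"; return 0 ;; esac
        value_set=yes; shift ;;
      -*) echo "err:unexpected-argument"; return 0 ;;
      *) positionals=$((positionals + 1)) ;;
    esac
  done
  echo "ok:value=$value_set,positionals=$positionals"
}

# Constructed sample inputs (placeholders, not real key material or IDs).
PEM='-----BEGIN CERTIFICATE-----
(constructed placeholder body)
-----END CERTIFICATE-----'
ID='00000000-0000-0000-0000-000000000000'

# The three call shapes discussed in the issue, run against the model.
demo_separate() { model_parse --value "$PEM" "$ID"; }     # original script
demo_escape()   { model_parse --value -- "$PEM" "$ID"; }  # after adding '--'
demo_attached() { model_parse "--value=$PEM" "$ID"; }     # single token

for d in demo_separate demo_escape demo_attached; do
  printf '%s -> %s\n' "$d" "$("$d")"
done
```

If the attached form is accepted, the update call in `store_secret` would pass `--value="$(cat "$file")"` as one argument. Any value passed on the command line, including `ca.key`, can be visible in the process list while the command runs.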

Labels: bug (Something isn't working)