VaultWarden management - stopping the server being abused

I’m using Vaultwarden, which seems to work well for me, but I recently tried adding someone else to the server.

I assumed that, as I operate the HA server, I would be asked for permission to do this or something, or at least have to send an invite out. However, that someone else could just create their vault and put passwords in it. I can find no way to manage the server side of Vaultwarden. I know with the “proper” Bitwarden home hosting you can turn off the ability for others to create accounts on your instance. Is that possible with Vaultwarden?

Is it possible to run the full version on the HA box (I think it may be running Docker underneath anyway)? Or should I just ensure nobody else can find the server to add themselves and hope…

Did you do all the installation steps in the doc here? Specifically these ones:

  1. Check the logs of the “Vaultwarden (Bitwarden)” add-on to see if everything went well and to get the admin token/password.
  2. Click the “OPEN WEB UI” button to open Vaultwarden.
  3. Add /admin to the URL to access the admin panel, e.g., http://hassio.local:7277/admin. Log in using the admin token you got in step 3.

If you did then go to that admin page. That’s where you can do all the access control stuff. I have mine set so that no one can sign up unless they receive an invite link from the admin.

If you did not do those steps then things could get tricky. I don’t believe it will show the admin token ever again after initial startup by design. You might be able to find it by reviewing logs in the past by entering this in the CLI:

ha host logs -t addon_a0d7b954_bitwarden -n 500

-n specifies the number of lines to see. Increase that number to go further into the past. If it’s too far into the past and the number of lines is getting too huge, then you can try using this guide:

The syslog identifier you want is addon_a0d7b954_bitwarden. journalctl has options to see logs for a given syslog identifier for a particular date range, probably your best option.

If it’s still too far into the past or that’s too much work, then the alternative is a reinstall of the addon. Export your vault and ask your friend to do the same, uninstall the addon, reinstall it, recreate the users and then have them re-import. And this time save the admin token.

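The date-range search suggested in the reply above, as an added example that is not part of the original posts: it walks the journal back in 24-hour windows for the add-on's syslog identifier instead of raising `-n`. The function names and the `PATTERN` value are assumptions (the thread does not show what the token line looks like), and it assumes `journalctl` is available in the shell you run it from.

```shell
#!/bin/sh
# Added example (not from the thread): search the journal for the add-on's
# startup lines in 24-hour windows, newest first.
# Usage after sourcing this file: search_journal 14

IDENT="addon_a0d7b954_bitwarden"   # syslog identifier quoted in the reply
PATTERN="admin"                    # assumption: the token line mentions "admin"

# Print the journalctl time arguments for the W-th 24-hour window back
# (W=1 is the last 24 hours), using systemd's relative time syntax.
window_args() {
    w="$1"
    if [ "$w" -le 1 ]; then
        printf '%s\n' "--since=-1days --until=now"
    else
        printf '%s\n' "--since=-${w}days --until=-$((w - 1))days"
    fi
}

# Keep only lines matching PATTERN (case-insensitive); status 1 when none match.
filter_admin_lines() {
    grep -i -e "$PATTERN"
}

# Walk back up to MAX windows; print the hits from the first window that has
# any and return 0. Return 1 if nothing matched (e.g. the logs have rotated).
search_journal() {
    max="${1:-30}"
    k=1
    while [ "$k" -le "$max" ]; do
        # Word splitting of window_args output into two options is intended.
        hits=$(journalctl -t "$IDENT" $(window_args "$k") --no-pager \
                   -o short-iso 2>/dev/null | filter_admin_lines) && {
            printf '== window %s ==\n%s\n' "$k" "$hits"
            return 0
        }
        k=$((k + 1))
    done
    return 1
}
```

A non-zero return from `search_journal` means no matching line survived in the searched range, which is the case where the reinstall route described above applies.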

And there it is: RTFM. Nope, completely missed that when I was installing, and even though it was less than a week ago, it’s long gone in the logs. I uninstalled and reinstalled and set it up properly this time.

Thanks for the help.