PDR Crawler — Bitwarden Secrets Manager Setup
Machine account: secops-pipeline-crawler
Org: Pacific Debt Relief
Machine Account
Create a dedicated machine account in Bitwarden Secrets Manager:
- Name: secops-pipeline-crawler
- Purpose: Monthly infrastructure crawl — Azure Automation runbook
- Owner: Max Simon (Director IT Ops)
- Access: Read-only on pdr-infra-crawler secrets project
Secrets Project
Create a project in Bitwarden Secrets Manager: pdr-infra-crawler
Add the following secrets:
| Secret Name | Description | Rotation |
|---|---|---|
| TENANT_ID | Azure AD tenant ID | Never |
| CLIENT_ID | SecOps-Pipeline-ReadOnly app reg client ID | Never |
| CLIENT_SECRET | App reg client secret | 90 days |
| BLOB_CONNECTION_STRING | Azure Storage connection string for pdr-crawler | 90 days |
| ZENDESK_EMAIL | Zendesk agent email for API auth | Never |
| ZENDESK_API_TOKEN | Zendesk API token | 90 days |
| ZENDESK_JUAN_ID | Juan's Zendesk user ID (integer) | Never |
| SLACK_BOT_TOKEN | Bot OAuth token (xoxb-...) for #secops-pipeline | Never |
| SLACK_CHANNEL_ID | Target Slack channel ID | Never |
| ANTHROPIC_API_KEY | Anthropic API key for AI analysis | 90 days |
Getting Juan's Zendesk User ID
```bash
# Search Zendesk users by name; the URL is quoted so the shell does not treat "?" as a glob
curl "https://pacificdebt.zendesk.com/api/v2/users/search.json?query=juan" \
  -u "your-email@pacificdebt.com/token:YOUR_API_TOKEN"
```
Pull the id field from the response for Juan's account.
Getting the Slack Webhook URL
- Go to api.slack.com/apps
- Select SecOps-Pipeline app
- Incoming Webhooks → Add New Webhook to Workspace
- Select #secops-pipeline channel
- Copy the webhook URL → store in Bitwarden as SLACK_WEBHOOK_URL
Getting the Blob Connection String
```powershell
az storage account show-connection-string `
  --name pdrcrawlerblob `
  --resource-group rg-secops-pipeline `
  --query connectionString `
  --output tsv
```
Store the full connection string in Bitwarden as BLOB_CONNECTION_STRING.
Rotation Schedule
90-day secrets must be rotated quarterly. Calendar reminders are mandatory — expired
secrets cause silent failures in scheduled runbooks.
| Secret | Rotation Action | Owner |
|---|---|---|
| CLIENT_SECRET | Rotate in Azure AD app registrations → update Bitwarden + AA variable | Max |
| BLOB_CONNECTION_STRING | Regenerate storage key → update Bitwarden + AA variable | Juan |
| ZENDESK_API_TOKEN | Regenerate in Zendesk admin → update Bitwarden + AA variable | Juan |
| ANTHROPIC_API_KEY | Regenerate in Anthropic console → update Bitwarden + AA variable | Max |
After each rotation: verify the old credential is dead (expect 401/403), then confirm
the runbook executes successfully on next scheduled run or via manual trigger.
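The following script is an added example, not part of the secops-pipeline runbooks: it computes which 90-day secrets are due from a constructed last-rotation ledger and performs the post-rotation check above for the Zendesk token (old token must return 401/403, new token 200). The `/api/v2/users/me.json` probe endpoint and the sample dates are assumptions.

```python
"""Rotation-due and post-rotation checks for the pdr-infra-crawler secrets (added example)."""
import base64
import urllib.error
import urllib.request
from datetime import date, timedelta

ZENDESK_BASE = "https://pacificdebt.zendesk.com"  # subdomain from the curl command above


def rotation_state(last_rotated, today, interval_days=90, reminder_days=14):
    """Classify a secret as 'ok', 'due-soon' or 'OVERDUE'; dates are ISO strings."""
    due = date.fromisoformat(last_rotated) + timedelta(days=interval_days)
    now = date.fromisoformat(today)
    if now > due:
        state = "OVERDUE"
    elif now + timedelta(days=reminder_days) >= due:
        state = "due-soon"
    else:
        state = "ok"
    return due.isoformat(), state


def basic_auth_header(email, token):
    """Zendesk API-token auth: Basic base64('<email>/token:<token>'), as in the curl above."""
    raw = f"{email}/token:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_status(url, headers):
    """GET the URL and return the status code; 4xx/5xx are returned rather than raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_zendesk_rotation(email, old_token, new_token, fetch=http_status):
    """Post-rotation check: old token must be rejected (401/403), new token accepted (200)."""
    url = f"{ZENDESK_BASE}/api/v2/users/me.json"  # assumed cheap authenticated probe
    old = fetch(url, {"Authorization": basic_auth_header(email, old_token)})
    new = fetch(url, {"Authorization": basic_auth_header(email, new_token)})
    return {"old_rejected": old in (401, 403), "new_works": new == 200,
            "old_status": old, "new_status": new}


if __name__ == "__main__":
    # Constructed sample ledger of last-rotation dates; replace with the real ones.
    ledger = {"CLIENT_SECRET": "2026-01-05", "BLOB_CONNECTION_STRING": "2025-11-20",
              "ZENDESK_API_TOKEN": "2026-03-01", "ANTHROPIC_API_KEY": "2025-12-15"}
    for name, last in ledger.items():
        due, state = rotation_state(last, date.today().isoformat())
        print(f"{name:24} last={last} due={due} {state}")
```

Run the rotation check from a scheduled job so an overdue entry is caught before the runbook fails silently; pass a real `fetch` only after the new token is already in Bitwarden.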
Source: secops-pipeline/runbooks/bitwarden_setup.md | Last synced: 2026-03-23T08:24:35Z | Do not edit in Zendesk -- changes will be overwritten on next sync.