Use case:

As a developer, I want my CI/CD pipeline to access a secret stored in LastPass, so that I can store and manage secrets in a single place.

Context:

We use LastPass Enterprise to manage passwords for our organization. We chose to store secrets there for the general usability and central control and visibility across all roles in the company.  Most of the entries we store are individual logins and fit nicely into the supported LastPass workflows.

However, we'd like to be able to issue tokens with limited scopes for use by machines or bot users as well. We have some entries (think things one might use in CI/CD pipelines and tokens for other services) which are primarily used by automated processes, but which humans occasionally need to access to rotate them, provide them to a new service which must re-use an existing token, or in a "break glass" manual override scenario. We can use other products (like Vault) to support this use case, but it would be ideal to be able to centralize all of our long-term secrets within one system which is familiar for all of our users.

To that end, we'd like to be able to generate a token for use by the LastPass CLI. This token could ideally be very granularly scoped (providing read-only access to a single entry, for example). The token would then be stored in the CI/CD's secret storage and the "real" secret would be retrieved during the pipeline run.

(An alternative would be to support similarly granular access, but using a third-party identity provider. For example, the way AWS supports authentication based on GitHub identities. However, not all of the services we'd like to use would currently support this method).

Hopefully others will also find value in this use case and we can continue to use LastPass for all types of secrets.