ansible_failed_task logs private variables

Pinknes Einhorn

Jun 13, 2023, 11:03:30 AM
to Ansible Development
Hey all,

I've been working with error handling during VMware deployment and noticed that Ansible seems to store cleartext passwords in the ansible_failed_task variable provided by rescue sections in blocks even though they've been set to private.
Not sure if this is a bug or intentional behavior (or user error), that's why I wanted to ask if anybody else has experienced this behavior.
 
As an example, here's a shortened output of the variable:

    "ansible_failed_task": {
        "args": {
            "provider": {
                "password": "password123"
            }
        }
    }

For comparison, the ansible_failed_result variable stores the variable as NO_LOG_PARAMETER as I'd expect:

    "ansible_failed_result": {
        "invocation": {
            "module_args": {
                "provider": {
                    "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
                }
            }
        }
    }

Brian Coca

Jun 13, 2023, 11:52:52 AM
to Pinknes Einhorn, Ansible Development
There is no concept of 'private variables' in Ansible, we do have
'no_log' for module parameters (or at a task level, but this does not
seem to be this case). The `no_log` at the module level will handle
any returns or log data from the module, but does not affect any
variables that had been fed into it.

--
----------
Brian Coca
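
Added example, not part of the thread and not Ansible's own code: since module-level no_log does not scrub the task arguments exposed in ansible_failed_task, one mitigation is a custom filter plugin that masks sensitive keys before a rescue block logs the variable. The file name, filter name `redact_secrets`, key pattern, mask string and sample data are all assumptions made for illustration.

```python
# filter_plugins/redact_secrets.py  (hypothetical file and filter name)
import re
from collections.abc import Mapping

# Assumed key-name pattern; it over-matches on purpose (any key containing
# "pass" is masked) so that an unknown parameter fails closed.
SENSITIVE_KEY = re.compile(r"pass|secret|token|api_?key|private_key", re.I)
MASK = "REDACTED"  # constructed placeholder, not an Ansible constant


def redact_secrets(value, extra_values=()):
    """Return a masked copy of value; the input is never modified.

    Masks every mapping entry whose key matches SENSITIVE_KEY, and replaces
    any occurrence of the known secret strings in extra_values inside
    string values (for secrets embedded in command lines or URLs).
    """
    secrets = [s for s in extra_values if s]

    def walk(node):
        if isinstance(node, Mapping):
            return {k: MASK if SENSITIVE_KEY.search(str(k)) else walk(v)
                    for k, v in node.items()}
        if isinstance(node, (list, tuple)):
            return [walk(item) for item in node]
        if isinstance(node, str):
            for s in secrets:
                node = node.replace(s, MASK)
        return node

    return walk(value)


class FilterModule:
    """Ansible discovers custom filters through this class's filters() method."""

    def filters(self):
        return {"redact_secrets": redact_secrets}


# Constructed sample shaped like the output quoted in the thread.
SAMPLE_FAILED_TASK = {
    "name": "Deploy VM",
    "args": {"hostname": "vcenter.example.test",
             "provider": {"username": "svc-deploy", "password": "password123"}},
}
```

In a rescue section the filter would be applied as `{{ ansible_failed_task | redact_secrets }}` instead of printing the variable directly; logging only `ansible_failed_task.name` avoids the arguments altogether.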
