Hide secrets from output
42 views
Skip to first unread message
Trond Hindenes
Mar 24, 2018, 4:14:02 AM3/24/18
to Ansible Project
As far as I can see, some modules implement a special "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" for some attributes, which cause them to be hidden from output, which is great.
However, I'd like to control this outside of modules. A use case is for example a playbook doing things:
- name: Get AWS credentials
set_fact:
aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id) }}"
- name: Grab username and password from creds
set_fact:
aws_access_key: "{{ aws_creds['username'] }}"
aws_secret_key: "{{ aws_creds['password'] }}"
I want to be able to flag parameters as "globally hidden", not just as module outputs. I know I can use no_log, but that would hide _all_ output from a step, which makes it hard to troubleshoot stuff (this is what we're doing today, and having to temporarily turn off the no_log flag when troubleshooting is a headache.
Is there anyway to (for example) set ansible.cfg to always hide the value of variables called aws_access_key, regardless of playbook/play/task/role?
Tony Chia
Mar 24, 2018, 5:17:07 PM3/24/18
to Ansible Project
You can use a custom callback plugin to mask the password. An example can be found at https://serverfault.com/questions/754860/how-can-i-reduce-the-verbosity-of-certain-ansible-tasks-to-not-leak-passwords-in/897480#897480?newreg=03468dbbc6174dbc9d04455112ec29a7
Trond Hindenes
Mar 24, 2018, 5:26:32 PM3/24/18
to Ansible Project
Thanks,
I'll do that!
Reply all
Reply to author
Forward
0 new messages