Question regarding no_log = true


Thirumalai Raja A

Oct 23, 2023, 9:47:19 AM
to ansible...@googlegroups.com
Hi all,

Below is my task to run Terraform code and create a Vinyl entry for a newly created VM on the vSphere vCenter. I have passed my credentials in the Ansible Vault file "secrets.yaml". My question is that when I run the playbook, my credentials are visible in the log. When I use no_log = true, I can't see the log if there is any error. Can anyone help me with how to handle that?


- name: Building Windows VM
  hosts: localhost
  vars:
    domain: "xyz.test.com"
  vars_files:
    - variables/vm_data.yaml
    - secrets.yaml
  tasks:
    - name: Build_VM
      shell: |
        cd terraform_config_files/Windows
        terraform apply -var 'vsphere_username={{vsphere_username}}' -var 'vsphere_password={{vsphere_password}}' -var 'domain_admin_username={{domain_admin_username}}' -var 'domain_admin_password={{domain_admin_password}}' -var 'vm_admin_password={{vm_admin_password}}' -auto-approve
      register: output
      # no_log: true
      tags:
        - terraform apply
    - name: Vinyl entry
      shell: vinylcli create-record-set --access-key {{access_key}} --secret-key {{secret_key}} --record-set-name {{vm_name}} --record-set-ip {{vm_ipv4_address}} --domain {{domain}} --ipcontrol-username {{ipcontrol_username}} --ipcontrol-password '{{ipcontrol_password}}'
      # no_log: true
      tags:
        - vinyl_entry




Brian Coca

Oct 23, 2023, 10:33:33 AM
to ansible...@googlegroups.com
Sadly with `shell` it is an "all or nothing" choice. If there were a specific vinyl action that could flag the specific fields as `no_log`.

Also, in general, passing secrets in the command line is not very secure, as any user on that system that can inspect the process list and arguments can see it.
Environment variables are slightly better, but I don't know enough about vinyl to give you alternatives.
--
----------
Brian Coca
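
The following is an added example, not code from either poster: one way to apply the environment-variable suggestion to the Terraform task while still surfacing errors, by keeping `no_log: true` on the task that handles secrets and reporting only the return code and stderr from a follow-up task. It assumes the Terraform variables are declared with `sensitive = true` so Terraform's own error output does not echo them; the second task's name is made up for illustration, and the `vinylcli` task is left out because the thread gives no alternative to its command-line options.

```yaml
- name: Building Windows VM
  hosts: localhost
  vars_files:
    - variables/vm_data.yaml
    - secrets.yaml
  tasks:
    - name: Build_VM
      ansible.builtin.shell: terraform apply -auto-approve
      args:
        chdir: terraform_config_files/Windows
      # Terraform reads TF_VAR_<name> from the environment, so the
      # secrets no longer appear in the command line or in the
      # registered "cmd" field.
      environment:
        TF_VAR_vsphere_username: "{{ vsphere_username }}"
        TF_VAR_vsphere_password: "{{ vsphere_password }}"
        TF_VAR_domain_admin_username: "{{ domain_admin_username }}"
        TF_VAR_domain_admin_password: "{{ domain_admin_password }}"
        TF_VAR_vm_admin_password: "{{ vm_admin_password }}"
      register: output
      # Still all-or-nothing for this task: its result is hidden.
      no_log: true
      # Do not fail here; the next task decides, so the error is
      # reported by a task that is allowed to log.
      failed_when: false
      tags:
        - terraform apply

    # Hypothetical follow-up task: shows only rc and stderr.
    # Assumption: stderr carries no secret values (variables marked
    # sensitive in Terraform). Review it before relying on this.
    - name: Report Terraform failure
      ansible.builtin.fail:
        msg: "terraform apply failed (rc={{ output.rc }}): {{ output.stderr }}"
      when: output.rc != 0
      tags:
        - terraform apply
```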