Ansible vault logs sensitive information when verbose


James Morgan

Feb 9, 2015, 1:20:52 PM
to ansible...@googlegroups.com
Hi,

I have some sensitive data (keys and pass files etc) stored in yaml var files and encrypted with the vault.

Just noticed that if I have -v set it prints out the contents when I import the var files.

I would have expected the facts to know that the file it's loading was from the vault and the contents should not be logged.


TASK: [user-builder | Add builder public key to authorized_keys for deployment of code to jump servers] *** 
changed: [localhost] => (item=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNPS60Hazeilt3yA8Doljw+zlhlDsvd30k3pPkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3cAAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3ccAruWODdu8/9+VzWLEHsOH3GnSTsJ2+ULTvvhnjDAjeTwiPC05pwgZbdgg+nuvVV7q919v8n/1NNUVY9Kw3RUGHq36MoyvYwzb6hA5UoN/3MjqoXGn", "key_options": null, "keyfile": "....../builder/.ssh/authorized_keys", "manage_dir": true, "path": null, "state": "present", "unique": false, "user": "builder"}

Thanks

James

James Cammarata

Feb 9, 2015, 11:30:15 PM
to ansible...@googlegroups.com
Hi James,

Could you open a github issue for this so we can keep track of it? In the mean time, you can use the `no_log: yes` option on a per-task basis to ensure sensitive information is not logged.

Thanks!

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5c6648fb-6b06-46bc-b4ce-26853d938533%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
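A playbook sketch of the `no_log: yes` workaround, added here as an example rather than code taken from the thread or from Ansible itself. The task names, the vault file path and the `builder` user follow the original post; the list variable `vault_builder_public_keys` is an assumption standing in for whatever the vault file defines.

```yaml
# Added example (not from the thread). Assumes vault/keys.yml is a
# vault-encrypted vars file defining vault_builder_public_keys (a list).
- hosts: localhost
  tasks:
    # include_vars is a task, so with -v its result (the ansible_facts it
    # sets) is printed unless the task is marked no_log.
    - name: include_vars vault/keys.yml
      include_vars: vault/keys.yml
      no_log: yes

    # Loop items and the module result are also part of the task output,
    # so the task that consumes the secret needs no_log as well.
    - name: Add builder public key to authorized_keys
      authorized_key:
        user: builder
        key: "{{ item }}"
        state: present
      with_items: "{{ vault_builder_public_keys }}"
      no_log: yes
```

`no_log` suppresses the task's result and loop items in the console output and in callback plugins; it does not change what the task itself does, so a later `debug` or `template` of the same variable still exposes it. It also hides the error message when the task fails, so it is worth switching it off while debugging a task and on again before the playbook goes into regular use.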

James Morgan

Feb 10, 2015, 2:07:23 AM
to ansible...@googlegroups.com
Sure will do. Thanks James

Tomasz Kontusz

Feb 10, 2015, 3:23:49 AM
to ansible...@googlegroups.com
It's not "printing the content", it's logging loop items. You'll want to move the sensitive data into dictionaries and use with_dict, or iterate over list indexes with with_sequence.

It would be nice if Ansible somehow marked sensitive data, but it's not doing it now.

James Cammarata <jcamm...@ansible.com> wrote:

--
Sent with K-9 Mail.
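The index-loop restructuring Tomasz describes, written out as an added example (not code from the thread). The key list and its values are constructed placeholders standing in for the vault-encrypted variable; the `builder` user comes from the original post.

```yaml
# Added example (not from the thread). builder_keys is a constructed
# placeholder; in practice it would come from a vault-encrypted vars file.
- hosts: localhost
  vars:
    builder_keys:
      - "ssh-rsa AAAA...placeholder-key-1"
      - "ssh-rsa AAAA...placeholder-key-2"
  tasks:
    # with_sequence yields the indexes "0", "1", ... as strings, so the
    # item= prefix printed under -v shows a number, not the key material.
    - name: Add builder keys, iterating over list indexes
      authorized_key:
        user: builder
        key: "{{ builder_keys[item|int] }}"
        state: present
      with_sequence: start=0 count={{ builder_keys|length }}
```

With this loop, `-v` prints `item=0`, `item=1` and so on in place of the key. The result JSON printed after `=>` still echoes the module's arguments (the first post's output shows `keyfile`, `user` and the rest), so treat the index loop as a way to keep the value out of the `item=` prefix, not as a substitute for `no_log` on the task.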

James Morgan

Feb 10, 2015, 4:06:24 AM
to ansible...@googlegroups.com
Hi,

Sorry I don't think my example was good enough.

It was logging when using include_vars. I will create an example playbook and raise a defect on github

TASK: [user-builder | include_vars vault/keys.yml] **************************** 
ok: [localhost] => {"ansible_facts": {"vault_builder_id_rsa": "-----BEGIN RSA PRIVATE KEY-----
.......\7f0iXxEglf8a3wGD3qEVCNLNDxzVJ6grnFsDa0IfBey\n3VG7Sawu3vkpf0jnd21knv90YspfEx3zjGHpM2inT4AfVM8vjMAxgF9w3jZIj2w2\n2D47yPaF2xv8PvasNCEHcs7vCKd2AqtU5ySqb9ajJzvZE7jwqQE=\n-----END RSA PRIVATE KEY-----\n"}}

TASK: [user-builder | include_vars vault/cvs.yml] ***************************** 
ok: [localhost] => {"ansible_facts": {"vault_builder_cvspass": "/1 .......n"}}

TASK: [user-builder | include_vars vault/subversion.yml] ********************** 
ok: [localhost] => {"ansible_facts": {"vault_builder_subversion_cert_data": "K 10\nascii_cert\nV 948\nMIICwzCCAiwCCQC7AE/MsC2l8jANBgkqhkiG9w0BAQUFADCDVQQHEwZEdWJsaW4xFzAVBgNVBAoTDlBhZGR5IFBvd2VyIElUMQwwCgYDVQQLEwNTQ00xKDAmBgNVBAMTH2R1YmRjqT6r0Dta59bA9kiVqzI\nK 8\nfailures\nV 2\n12\nK 15\nsvn:realmstring\nV 27\nhttps://217.112.150.122:443\nEND\n", "vault_builder_subversion_serverrecord": "29c985a08edc7fae1dde0fe590b47938"}}

J

James Morgan

Feb 10, 2015, 4:57:57 AM
to ansible...@googlegroups.com
I have raised https://github.com/ansible/ansible/issues/10194

I'll raise issues on github next time before I post to the forum. I wasn't aware of the etiquette, apologies.

James

Toshio Kuratomi

Feb 10, 2015, 5:28:11 PM
to ansible...@googlegroups.com
It can be good to raise issues on the forum too. Sometimes the forum/mailing list is helpful for figuring out if the issue is really a bug or to get feedback on potential implementation of fixes.

-Toshio

James Morgan

Feb 12, 2015, 5:08:55 AM
to ansible...@googlegroups.com
Thanks Toshio, will do in the future. 