0

I have a simple Ansible playbook to

  1. Fetch a database connection config from a REST API,
  2. Extract the config object from the payload,
  3. Use the config JSON (as request body) to create a PUT request to another REST API.

At the 3rd stage I found that the database username and password combination is wrong. Later, when I printed the outputs, I found that the password had been replaced with the string "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER".

After some googling, I found that this is a security feature of Ansible. Unfortunately, I haven't found any configuration option or anything similar to disable this feature. Is it possible to disable this feature? Or is there any other workaround?

    ---
    - name: my-playbook
      gather_facts: no
      hosts: all
      vars_files:
        - secret
      tasks:
        - name: Fetch the config payload from the API
          uri: 
            url: "{{get_config}}"
            method: GET
            user: "{{username}}"
            password: "{{password}}"
            validate_certs: no
            return_content: yes
            status_code: 200
            body_format: json
          register: config
        - name: Extract the config object
          set_fact:  
            config_raw: "{{ config.json | json_query(jmesquery) }}"
          vars:
            jmesquery: '{{name}}.config'
        - name: print the config
          debug: 
            msg: "{{config_raw}}"
        - name: Creating object using config
          uri: 
            url: "{{create_ocject}}"
            method: PUT
            user: "{{username}}"
            password: "{{password}}"
            validate_certs: no
            body: "{{config_raw}}"
            body_format: json
            return_content: yes
            status_code: 200
            headers:
              Content-Type: "application/json"
          register: test_res
        - name: output value
          debug: 
            msg: "{{test_res.json}}"
Mehdi
  • It's a good practice to not log credentials. Why do you not look in the source `vars_files` instead of trying to find a way to have it logged? – anx Jan 04 '21 at 17:06
  • Well, the configurations have some other values and those will evolve over time. So, the entire config should be fetched from the API first. – Mehdi Jan 04 '21 at 17:28
  • I'm not really sure what your problem is. If the uri call says the user/pass is wrong, can you check that manually? Or use debug to output the vars. Try without a var; if that works, the var content is wrong, not the way you retrieved it. Did you really pass the correct fields in a form the server can reach the vars (body-format)... maybe for HTTP Basic you need url_username, url_password... – TRW Jan 11 '21 at 11:42

1 Answer

1

You can set `no_log: False` in `ansible.cfg`.

As

> However, the no_log attribute does not affect debugging output, so be careful not to debug playbooks in a production environment. (Ansible doc)

the secrets should be displayed in the verbose output. Just add `-vvv` to the `ansible-playbook` command.

Henrik Pingel
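A guard for the failure described in the question, where the placeholder string ends up inside the config that is then sent in the PUT body: walk the fetched JSON and report every field that contains it, so the run can stop before a broken credential is pushed. This is an added example, not code from the original posts; the function names and the sample payload are constructed for illustration.

```python
import json

# Placeholder string quoted in the question.
PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def find_masked_fields(node, path="$"):
    """Return the JSON paths of all string values that contain PLACEHOLDER."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_masked_fields(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_masked_fields(value, f"{path}[{index}]"))
    elif isinstance(node, str) and PLACEHOLDER in node:
        hits.append(path)
    return hits


def check_payload(raw_json):
    """Parse a JSON body; return (ok, masked_paths). ok is False if any field was masked."""
    masked = find_masked_fields(json.loads(raw_json))
    return (not masked, masked)


# Constructed sample shaped like a database connection config (not real data).
SAMPLE_CONFIG = json.dumps({
    "name": "example-db",
    "connection": {"user": "app", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"},
    "replicas": [
        {"host": "db1.example.internal", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"},
        {"host": "db2.example.internal", "password": "kept-as-sent"},
    ],
})

if __name__ == "__main__":
    ok, masked = check_payload(SAMPLE_CONFIG)
    for field in masked:
        # Print only the path, never the surrounding values.
        print("masked field:", field)
    raise SystemExit(0 if ok else 1)
```

The check reports paths only, so running it does not write any credential to the console or to logs.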