
When I run an Ansible playbook:

ansible-playbook --ask-vault-pass -i vdc-inventory complete_provision.yaml -vvv

the password I set is sent to all module_args:

changed: [localhost] => {
    "changed": true,
    "invocation": {
        "module_args": {
            ...
            "org": "system",
            "password": "xxx",
            ...
        }
    },
    "msg": "ABC has been created"
}

That is bad. It is not even redacted.

Update 1

When running the playbook environment variables are set with:

- hosts: localhost
  connection: local
  environment:
    env_user: "{{ VCD_USER_NAME }}"
    env_password: "{{ VCD_USER_PASSWORD }}"
    env_host: "{{ VCD_URL }}"

and they are in fact module arguments...

tread
  • It is sent to modules because modules may need variables in the vault file. Still, I don't see it in the debug output. Which module are you using? – Jack Mar 09 '20 at 12:18
  • I am using an external module [ansible-module-vcloud-director](https://github.com/vmware/ansible-module-vcloud-director)...and that password field is not showing up on regular built-in ansible modules – tread Mar 09 '20 at 12:21
  • You might want to open an issue with VMware, I think. – Vladimir Botka Mar 09 '20 at 12:42
  • Oops, I updated the question. Is there a way to hide that password in the output? – tread Mar 09 '20 at 13:03

1 Answer


If you just want to ensure that the password doesn't show in your output, and the module is not already built to obscure it, you can use this as a module argument

no_log: True

This will suppress the output for that specific task. Not great if you need to be able to see the output, but if the standard module doesn't support suppressing it, it might be your only option.

ebrewer
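The task-level suppression described in the answer above, as an added example that is not part of the original answer or of the VMware project's code. The module name `example_vcd_module` and the variable `show_secrets` are placeholders assumed for illustration; `org`, `password` and `VCD_USER_PASSWORD` are taken from the question. It also registers the result so that the non-sensitive fields can still be reported while the task's own output stays hidden.

```yaml
# Added example. example_vcd_module is a placeholder for whichever
# third-party module echoes its password in invocation.module_args.
- hosts: localhost
  connection: local
  vars:
    # Assumed toggle: pass -e show_secrets=true only on a trusted
    # terminal when the full task output is needed for debugging.
    show_secrets: false
  tasks:
    - name: Create ABC (result hidden, the module does not redact its password)
      example_vcd_module:                      # placeholder module name
        org: system
        password: "{{ VCD_USER_PASSWORD }}"    # vault-backed variable from the question
      # no_log is a task keyword, so it sits at task level,
      # not inside the module's argument block.
      no_log: "{{ not (show_secrets | bool) }}"
      register: create_result

    - name: Report only the non-sensitive parts of the result
      ansible.builtin.debug:
        msg:
          changed: "{{ create_result.changed }}"
          msg: "{{ create_result.msg | default('') }}"
```

With `no_log` in effect, a failure of the first task is censored as well, so the toggle is the way to see the module's error text.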