0

I am running a playbook where I am passing in a password from an external hashicorp vault. The problem is that when I run the playbook, the password is displayed in plain text in the output provided by ansible.

I want the logs to be visible so I do not prefer no_logs as a solution

Example

changed: [Server IP] => {
    "changed": true,
    "cmd": "config.cmd --windowsLogonPassword **Password is passed here but displayed in plain text** ,
    "delta": "0:00:06.218698",
    "end": "2021-07-16 05:32:07.845560"...

Is there a way to encrypt the password directly in the playbook so plain text is not displayed on this output?

Rajesh Patel
  • 53
  • 1
  • 9
  • Does this answer your question? [How to disable json output from specific ansible commands?](https://stackoverflow.com/questions/32475881/how-to-disable-json-output-from-specific-ansible-commands) – toydarian Jul 16 '21 at 18:30
  • You need to add `no_log: true` to your task as explained in the link above. – toydarian Jul 16 '21 at 18:31
  • @toydarian I guess this works but it is not my preferred solution. I would rather have the logs visible because there is important information incase of a failure. It indicates where our internal process has failed. Is there a way to maintain the visibility of the logs while hiding the password? – Rajesh Patel Jul 16 '21 at 18:35
  • If you are writing your own module, you can set it per parameter, but in a playbook, you can only set it on task-level. See [this post](https://stackoverflow.com/questions/65947327/ansible-no-log-for-specific-values-in-debug-output-not-entire-module) for example. – toydarian Jul 16 '21 at 18:39

1 Answers1

0

Put

no_log: true

on either the task or the whole playbook. This inhibits information that can be useful for debug when you are writing the playbook, but should be on production playbooks where needed IMO.

Dicky G
  • 41
  • 3