Open itadmin-nyiax opened 2 years ago
This was a limitation of ansible in the past. There was no way to redact these and ansible stance was don't log it if you don't want to see it.
@TerryHowe does it mean it was fixed since then or something that can be fixed?
I'm not entirely sure if something can be done about it now. Would the lookup plugin work better for you?
@TerryHowe I have lookups with dynamic keys, so I need it in a step. Not sure what is happening in vars, but it is not my use case anyway. I use lookups within set_facts with:
```yaml
- set_fact:
    some_secret: "{{ lookup('hashi_vault', 'secret=secret:field') }}"
  no_log: true
  diff: no
```
But that basically means that if anyone forgot to add no_log statements, secrets need to be rotated.
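The risk described in this thread is a task that reads from Vault but is missing `no_log`. As an added example (not code from this issue or from the hashi_vault collection), the following line-based lint flags such tasks before a playbook runs under `-v`; it assumes the usual layout where each task starts with `- ` and its keys are indented beneath it, and accepts either the short `hashi_vault` or the `community.hashi_vault.hashi_vault` lookup name.

```python
"""Heuristic lint: report Ansible tasks that call the hashi_vault lookup
without no_log: true. Added example, not from the issue or the collection;
deliberately line-based so it needs no YAML library (assumption: each task
begins with "- " and its keys are indented below that line)."""
import re

TASK_START = re.compile(r"^\s*-\s")
VAULT_LOOKUP = re.compile(
    r"lookup\(\s*['\"](?:community\.hashi_vault\.)?hashi_vault['\"]")
NO_LOG_TRUE = re.compile(r"^\s*no_log:\s*(true|yes)\s*$", re.IGNORECASE)


def split_tasks(playbook_text):
    """Group lines into (start_line, lines) chunks, one per list item."""
    tasks, current = [], None
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        if TASK_START.match(line):
            if current is not None:
                tasks.append(current)
            current = (lineno, [line])
        elif current is not None:
            current[1].append(line)
    if current is not None:
        tasks.append(current)
    return tasks


def find_unprotected_vault_lookups(playbook_text):
    """Return start line numbers of tasks that read Vault without no_log."""
    findings = []
    for start, lines in split_tasks(playbook_text):
        uses_vault = any(VAULT_LOOKUP.search(ln) for ln in lines)
        has_no_log = any(NO_LOG_TRUE.match(ln) for ln in lines)
        if uses_vault and not has_no_log:
            findings.append(start)
    return findings


# Constructed sample playbook: the first task mirrors the safe pattern from
# the thread, the second forgot no_log and would echo the secret under -v.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - set_fact:
        some_secret: "{{ lookup('hashi_vault', 'secret=secret:field') }}"
      no_log: true
      diff: no
    - set_fact:
        other_secret: "{{ lookup('hashi_vault', 'secret=secret:other') }}"
"""
```

Running `find_unprotected_vault_lookups(SAMPLE_PLAYBOOK)` reports line 7, the second `set_fact`; hooking this into CI catches the forgotten `no_log` before the secret ever reaches a Jenkins or Rundeck log.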
Running ansible with verbose flags exposes secrets read from vault, which results in them being preserved in the logs of systems like Jenkins and Rundeck. Not sure if this is fixed in newer versions (currently on 4.6.3 due to ansible 2.9 in use) or if it is possible to address at all.
Example:
Will yield something like this in logs:
```
ok: [superserver -> localhost] => {"changed": false, "lease_duration": 0, "lease_id": "", "rc": 0, "renewable": false, "value": "Should Be Secret"}
```