Currently, retrieving any data from HashiCorp Vault does not provide any protection to prevent secret data leaks.
Unfortunately, we cannot do anything special while the stdout callback cannot know what is sensitive data and what is not.
I just opened this issue on the Ansible side in order to provide a way to inform the stdout callback that this is sensitive data. Then we could prevent any secret data leaks.
ISSUE TYPE
Feature Idea
COMPONENT NAME
parsing.yaml
ADDITIONAL INFORMATION
```yaml
---
- name: Custom data type
  hosts: all
  vars:
    my_var: "{{ lookup('hashi_vault', 'secret=secret/data/path/to/my namespace=my-namespace').secret }}"
  tasks:
    - name: Debug secret
      debug:
        var: my_var
```
Should display
```
PLAY [Debug Extra vars] ********************************************************

TASK [Gathering Facts] *********************************************************
ok: [127.0.0.1]

TASK [Debug organization_name] *************************************************
ok: [127.0.0.1] => {
    "my_var": "!community.hashi_vault.sensitive-data 'Anything that is defined in the collection's parser'"
}

PLAY RECAP *********************************************************************
127.0.0.1                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
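The following sketch illustrates the mechanism the issue asks for: a marker type for secret values that a stdout callback can recognise and redact before printing. It is an added example, not code from the community.hashi_vault collection or from Ansible; the class name `SensitiveText`, the `REDACTED` placeholder and the `format_ok`/`leaks` helpers are assumptions made for the illustration, and the `format_ok` output shape only mirrors the `ok: [host] => {...}` lines above rather than the real callback API.

```python
"""Illustration of the marker-type idea from the issue above.

This is an added example, not code from community.hashi_vault or Ansible.
The class name SensitiveText, the REDACTED placeholder and the helper
function names below are assumptions made for the illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Tag shown in the issue's expected output.
SENSITIVE_TAG = "!community.hashi_vault.sensitive-data"
# What the display layer prints instead of the secret.
REDACTED = f"{SENSITIVE_TAG} '<redacted by callback>'"


class SensitiveText(str):
    """A str subclass that marks a value as secret.

    It still behaves like a normal string for templating, comparisons and
    module arguments (str() and == are inherited), so existing playbooks keep
    working. The extra type lets display code check isinstance() and refuse
    to print the plaintext. repr() is overridden because debug dumps and
    logging typically use it. Note that str(), f-strings and json.dumps()
    still yield the plaintext: the callback must check the type explicitly.
    """

    def __repr__(self) -> str:
        return REDACTED

    def reveal(self) -> str:
        """Return the plaintext as a plain str (explicit opt-in only)."""
        return str.__str__(self)


def redact(value: Any) -> Any:
    """Recursively replace SensitiveText values inside a task result.

    Dicts, lists and tuples are walked; everything else is returned unchanged.
    """
    if isinstance(value, SensitiveText):
        return REDACTED
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


def format_ok(host: str, result: dict[str, Any]) -> str:
    """Render an 'ok' task result the way a stdout callback might, after
    redacting sensitive values (hypothetical helper, not the callback API)."""
    body = json.dumps(redact(result), indent=4, sort_keys=True)
    return f"ok: [{host}] => {body}"


def leaks(output: str, secret: SensitiveText) -> bool:
    """Check helper: does the rendered output contain the plaintext secret?"""
    return secret.reveal() in output


if __name__ == "__main__":
    # Constructed sample value standing in for what the hashi_vault lookup
    # would have returned.
    secret = SensitiveText("s3cr3t-from-vault")
    rendered = format_ok("127.0.0.1", {"my_var": secret, "changed": False})
    print(rendered)
    print("plaintext leaked:", leaks(rendered, secret))
```

The redaction has to happen in the display layer (here `redact` inside `format_ok`), because the value must remain a usable string everywhere else; a plain `json.dumps` of an unredacted result still prints the secret, which is exactly the gap the issue describes.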