Open gtowsey opened 6 years ago
I would like a solution to this exact issue!
Same for REST API requests. And API keys. I would propose to have a "logfilter", where you could just globally specify a list of things that should be stripped from the logs.
logfilter:
- {{ api_key }}
- {{ password001 }}
- {{ username }}
And then Ansible should do:
Proposal: Hide Credentials from Log
Author: Glen Towsey
Date: 2018/01/11
Motivation
When using win_shell to execute a command such as a PowerShell script with credentials that are passed down using lookup, e.g. '{{ lookup('env', 'abc_username') }}', passwords and usernames are shown in plain text in the log files.
Using no_log: True does hide this information but also hides any log information from Ansible. This makes Ansible Tower difficult to use in a secure environment.
Problems
What problems exist that this proposal will solve?
Solution proposal
Allow the use of a tag similar to the !unsafe tag to censor a variable from the log. The end result would be a variable declared similar to the below:
win_shell: D:\Scripts\something.ps1 !hidden'{{ lookup('env', 'Script_User') }}' !hidden'{{ lookup('env', 'Script_Password') }}'
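The "logfilter" idea raised in this thread, sketched as an added example (not code from this issue or from Ansible): a Python logging filter that masks a configured list of secret values and leaves the rest of the log line readable, unlike no_log. The class name, mask string and sample credentials are assumptions constructed for the illustration.

```python
import logging

MASK = "********"  # constructed placeholder shown in place of a secret


class SecretRedactingFilter(logging.Filter):
    """Hypothetical "logfilter": masks known secret values in log records."""

    def __init__(self, secrets):
        super().__init__()
        # Drop empty values (replacing "" would corrupt every message) and
        # sort longest first so a secret containing another is masked whole.
        self._secrets = sorted({s for s in secrets if s}, key=len, reverse=True)

    def redact(self, text):
        for secret in self._secrets:
            text = text.replace(secret, MASK)
        return text

    def filter(self, record):
        # Render the message with its args first, so secrets passed as
        # format arguments are caught as well as ones in the format string.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True  # keep the record; only its content is changed


def run_demo():
    """Log a constructed command line and return what reached the handler."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    log = logging.getLogger("logfilter_demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = ListHandler()
    # Constructed sample values standing in for Script_User / Script_Password.
    handler.addFilter(SecretRedactingFilter(["svc_deploy", "S3cr3t!", "S3cr3t!-long", ""]))
    log.addHandler(handler)
    log.info("win_shell: D:\\Scripts\\something.ps1 %s %s", "svc_deploy", "S3cr3t!-long")
    return captured


if __name__ == "__main__":
    print(run_demo()[0])
```

Matching is on the literal value, so a secret that reaches the log in an encoded or quoted form (base64, URL-encoded) is not masked.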