Yeah, it's important for debug that we show the loop counter of the item, so
we don't hide that with no_log. I think most times people would want to
see what task is exec'ing in the loop - there could be hundreds.
Now, here's the trick I was alluding to on Twitter:
In group_vars/foo or wherever, assume a vault-encrypted file:

    user_details:
      timmy:
        username: timmy
        password: foo
      jimmy:
        username: jimmy
        password: bar

And in your playbook:

    # user_names holds only the (non-sensitive) keys of user_details
    - shell: some task ... {{ user_details[item]['password'] }} ...
      with_items: user_names
      no_log: True

And this way it will print the name on each loop indicator, but not the
details that you don't want to show.
There are a couple of other ways to do this; the main trick is just don't
loop over the sensitive items. I believe we have a keys() filter to use,
or there's one in stock Jinja that makes this easier as well.
On Thu, Dec 4, 2014 at 3:54 PM, Frederic Lemay <[email protected]>
wrote:
> Hi,
>
> Sometimes playbooks need sensitive information like username/password and you
> may want to hide it from your log. So you can use the no_log feature and in
> most cases, it works. However, using it with with_items does not.
>
> The following simple example demonstrates it.
>
> Ansible version 1.8.1:
>
> *test.yml*
>
>     ---
>     - hosts: 127.0.0.1
>       vars_files:
>         - vars.yml
>       tasks:
>         - shell: "echo {{ username }} {{ password }}"
>           register: result
>           with_items: auth
>           no_log: True
>
>         - fail: msg="something bad"
>           when: result is defined and item.rc != 0
>           with_items: result.results
>           no_log: True
>
> *vars.yml*
>
>     ---
>     auth:
>       - { username: user1, password: pass1 }
>       - { username: user2, password: pass2 }
>       - { username: user3, password: pass3 }
>
> Command: ansible-playbook -v test.yml
>
> Result is shown below!
>
> Any thoughts?
>
> If you use -vv, *no_log* will not hide anything (I know it is intended to be
> used with -v only). I personally think it would be nice to have the option to
> display {{ password }} instead of the real password. I could still benefit
> from having more information in the log and at the same time not worrying
> about displaying sensitive information. It is more useful to see something
> like "echo {{ username }} {{ password }}" in the log rather than "censored":
> "results hidden due to no_log parameter".
>
>
>
> ====
>
> root@553a7fa15e9f:/opt/workspace# ansible-playbook -v test.yml
>
> PLAY [127.0.0.1]
> **************************************************************
>
> GATHERING FACTS
> ***************************************************************
> ok: [127.0.0.1]
>
> TASK: [shell echo {{ username }} {{ password }}]
> ******************************
> changed: [127.0.0.1] => {"censored": "results hidden due to no_log
> parameter", "changed": true, "rc": 0}
> changed: [127.0.0.1] => {"censored": "results hidden due to no_log
> parameter", "changed": true, "rc": 0}
> changed: [127.0.0.1] => {"censored": "results hidden due to no_log
> parameter", "changed": true, "rc": 0}
>
> TASK: [fail msg="something bad"]
> **********************************************
> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
> u'2014-11-26 03:18:53.800823', u'stderr': u'', u'stdout': u'user4 pass4',
> u'changed': True, u'rc': 0, 'item': {'username': 'user1', 'password':
> 'pass1'}, u'warnings': [], u'delta': u'0:00:00.065612', 'invocation':
> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start':
> u'2014-11-26 03:18:53.735211'})
> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
> u'2014-11-26 03:18:53.917499', u'stderr': u'', u'stdout': u'user4 pass4',
> u'changed': True, u'rc': 0, 'item': {'username': 'user2', 'password':
> 'pass2'}, u'warnings': [], u'delta': u'0:00:00.062923', 'invocation':
> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start':
> u'2014-11-26 03:18:53.854576'})
> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
> u'2014-11-26 03:18:54.030859', u'stderr': u'', u'stdout': u'user4 pass4',
> u'changed': True, u'rc': 0, 'item': {'username': 'user3', 'password':
> 'pass3'}, u'warnings': [], u'delta': u'0:00:00.062825', 'invocation':
> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start':
> u'2014-11-26 03:18:53.968034'})
>
> PLAY RECAP
> ********************************************************************
> 127.0.0.1 : ok=3 changed=1 unreachable=0 failed=0
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzEptgnwEB3jt88p51Kq4jJkNCy_Em1Ny8te6GbpBUQKw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
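
Added example (not part of the original thread, and not Ansible project code): a Python check that scans ansible-playbook output for loop indicators whose item dict carries sensitive-looking keys, which is the leak visible in the quoted "skipping:" lines. The key-name pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import ast
import re

# Key names treated as sensitive: a heuristic assumed for this example.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
# Loop indicator as printed in the quoted output: "... => (item=<repr>)".
ITEM_RE = re.compile(r"\(item=(.*)\)\s*$")

# Constructed sample in the shape of the quoted output, one result per line.
SAMPLE = """\
TASK: [fail msg="something bad"]
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'rc': 0, 'item': {'username': 'user1', 'password': 'pass1'}, u'stdout': u'user4 pass4'})
skipping: [127.0.0.1] => (item=timmy)
"""


def sensitive_paths(value, path="item"):
    """Yield dotted paths of dict keys whose name looks sensitive."""
    if isinstance(value, dict):
        for key, sub in value.items():
            here = f"{path}.{key}"
            if SENSITIVE.search(str(key)):
                yield here
            yield from sensitive_paths(sub, here)
    elif isinstance(value, (list, tuple)):
        for i, sub in enumerate(value):
            yield from sensitive_paths(sub, f"{path}[{i}]")


def scan(log_text):
    """Return [(line_no, [paths])] for loop items exposing sensitive keys."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        match = ITEM_RE.search(line)
        if not match:
            continue
        try:
            # The quoted output prints the item as a Python repr (u'' strings).
            item = ast.literal_eval(match.group(1))
        except (ValueError, SyntaxError):
            continue  # plain name such as (item=timmy): nothing structured to leak
        paths = list(sensitive_paths(item))
        if paths:
            findings.append((no, paths))
    return findings


if __name__ == "__main__":
    for line_no, paths in scan(SAMPLE):
        print(f"line {line_no}: loop item exposes {', '.join(paths)}")
```

The check matches on key names only, so a secret that appears solely inside a value (for example in 'cmd' or 'stdout') is not flagged.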