Hi,
Sorry, I don't think my example was good enough.
It was logging when using include_vars. I will create an example playbook
and raise a defect on GitHub.
TASK: [user-builder | include_vars vault/keys.yml]
****************************
ok: [localhost] => {"ansible_facts": {"vault_builder_id_rsa": "-----BEGIN
RSA PRIVATE KEY-----
.......\7f0iXxEglf8a3wGD3qEVCNLNDxzVJ6grnFsDa0IfBey\n3VG7Sawu3vkpf0jnd21knv90YspfEx3zjGHpM2inT4AfVM8vjMAxgF9w3jZIj2w2\n2D47yPaF2xv8PvasNCEHcs7vCKd2AqtU5ySqb9ajJzvZE7jwqQE=\n-----END
RSA PRIVATE KEY-----\n"}}
TASK: [user-builder | include_vars vault/cvs.yml]
*****************************
ok: [localhost] => {"ansible_facts": {"vault_builder_cvspass": "/1
.......n"}}
TASK: [user-builder | include_vars vault/subversion.yml]
**********************
ok: [localhost] => {"ansible_facts": {"vault_builder_subversion_cert_data":
"K 10\nascii_cert\nV
948\nMIICwzCCAiwCCQC7AE/MsC2l8jANBgkqhkiG9w0BAQUFADCDVQQHEwZEdWJsaW4xFzAVBgNVBAoTDlBhZGR5IFBvd2VyIElUMQwwCgYDVQQLEwNTQ00xKDAmBgNVBAMTH2R1YmRjqT6r0Dta59bA9kiVqzI\nK
8\nfailures\nV 2\n12\nK 15\nsvn:realmstring\nV
27\nhttps://217.112.150.122:443\nEND\n",
"vault_builder_subversion_serverrecord":
"29c985a08edc7fae1dde0fe590b47938"}}
J
On Tuesday, 10 February 2015 08:23:49 UTC, Tomasz Kontusz wrote:
>
> It's not "printing the content", it's logging loop items. You'll want to
> move the sensitive data into dictionaries and use with_dict, or iterate
> over list indexes with with_sequence.
>
> It would be nice if Ansible somehow marked sensitive data, but it's not
> doing it now.
>
> James Cammarata <[email protected]> wrote:
>>
>> Hi James,
>>
>> Could you open a GitHub issue for this so we can keep track of it? In the
>> meantime, you can use the `no_log: yes` option on a per-task basis to
>> ensure sensitive information is not logged.
>>
>> Thanks!
>>
>> On Mon, Feb 9, 2015 at 12:20 PM, James Morgan <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have some sensitive data (keys and pass files etc.) stored in YAML var
>>> files and encrypted with the vault.
>>>
>>> Just noticed that if I have -v set it prints out the contents when I
>>> import the var files.
>>>
>>> I would have expected the facts to know that the file it's loading was
>>> from the vault and the contents should not be logged.
>>>
>>>
>>> TASK: [user-builder | Add builder public key to authorized_keys for
>>> deployment of code to jump servers] ***
>>> changed: [localhost] => (item=ssh-rsa
>>> AAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNPS60Hazeilt3yA8Doljw+zlhlDsvd30k3pPkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3cAAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3ccAruWODdu8/9+VzWLEHsOH3GnSTsJ2+ULTvvhnjDAjeTwiPC05pwgZbdgg+nuvVV7q919v8n/1NNUVY9Kw3RUGHq36MoyvYwzb6hA5UoN/3MjqoXGn",
>>>
>>> "key_options": null, "keyfile": "....../builder/.ssh/authorized_keys",
>>> "manage_dir": true, "path": null, "state": "present", "unique": false,
>>> "user": "builder"}
>>>
>>> Thanks
>>>
>>> James
>>>
>>
>>
> --
> Sent with K-9 Mail.
>
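
A check that could be run over captured `ansible-playbook -v` output to confirm that no task is still echoing vaulted variables, for example after adding `no_log: yes` as suggested in the thread. This is an added example, not code from the thread or from the Ansible project; the function name `find_leaks`, the `vault_` name-prefix heuristic (taken from the variable names in the output above) and the sample log are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of the -v output quoted in this thread
# (each result on one line, as on a terminal); key bodies are placeholders.
SAMPLE_LOG = r"""TASK: [user-builder | include_vars vault/keys.yml] ***
ok: [localhost] => {"ansible_facts": {"vault_builder_id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"}}
TASK: [user-builder | include_vars defaults.yml] ***
ok: [localhost] => {"ansible_facts": {"builder_shell": "/bin/bash", "deploy_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}}
TASK: [user-builder | create user] ***
changed: [localhost] => {"changed": true, "name": "builder"}
"""

TASK_RE = re.compile(r"^TASK: \[(?P<name>.*?)\]")
RESULT_RE = re.compile(r"^(?:ok|changed): \[(?P<host>[^\]]+)\] => (?P<body>\{.*\})\s*$")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_leaks(log_text, secret_prefixes=("vault_",)):
    """Return (task, host, variable) for every logged fact that looks secret.

    A fact is flagged when its name starts with one of secret_prefixes
    (assumed naming convention) or its value contains a PEM private-key
    header. Values are never returned, so the report itself is safe to log.
    Loop-item lines ("=> (item=...)") are outside the scope of this check.
    """
    leaks, task = [], None
    for line in log_text.splitlines():
        header = TASK_RE.match(line)
        if header:
            task = header.group("name")
            continue
        result = RESULT_RE.match(line)
        if not result:
            continue
        try:
            body = json.loads(result.group("body"))
        except ValueError:
            continue  # wrapped or truncated result line: not parseable
        facts = body.get("ansible_facts") or {}
        for name, value in sorted(facts.items()):
            by_name = name.startswith(secret_prefixes)
            by_value = isinstance(value, str) and PEM_RE.search(value)
            if by_name or by_value:
                leaks.append((task, result.group("host"), name))
    return leaks


if __name__ == "__main__":
    for task, host, name in find_leaks(SAMPLE_LOG):
        print("leak: task=%r host=%s variable=%s" % (task, host, name))
```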