You can use a custom callback plugin to mask the password. An example can
be found
at
https://serverfault.com/questions/754860/how-can-i-reduce-the-verbosity-of-certain-ansible-tasks-to-not-leak-passwords-in/897480#897480?newreg=03468dbbc6174dbc9d04455112ec29a7
On Saturday, March 24, 2018 at 1:14:02 AM UTC-7, Trond Hindenes wrote:
>
> As far as I can see, some modules implement a special
> "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" for some attributes, which cause them
> to be hidden from output, which is great.
>
> However, I'd like to control this outside of modules. A use case is for
> example a playbook doing things:
>
> - name: Get AWS credentials
> set_fact:
> aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id)
> }}"
>
> - name: Grab username and password from creds
> set_fact:
> aws_access_key: "{{ aws_creds['username'] }}"
> aws_secret_key: "{{ aws_creds['password'] }}"
>
> I want to be able to flag parameters as "globally hidden", not just as
> module outputs. I know I can use no_log, but that would hide _all_ output
> from a step, which makes it hard to troubleshoot stuff (this is what we're
> doing today, and having to temporarily turn off the no_log flag when
> troubleshooting is a headache.
>
> Is there anyway to (for example) set ansible.cfg to always hide the value
> of variables called aws_access_key, regardless of playbook/play/task/role?
>
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/dd1a4738-8c8d-4baa-bc4d-2670da05bedb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
