Thanks, I'll do that! On Saturday, March 24, 2018 at 10:17:07 PM UTC+1, Tony Chia wrote: > > You can use a custom callback plugin to mask the password. An example can > be found at > https://serverfault.com/questions/754860/how-can-i-reduce-the-verbosity-of-certain-ansible-tasks-to-not-leak-passwords-in/897480#897480?newreg=03468dbbc6174dbc9d04455112ec29a7 > > > > On Saturday, March 24, 2018 at 1:14:02 AM UTC-7, Trond Hindenes wrote: >> >> As far as I can see, some modules implement a special >> "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" for some attributes, which cause them >> to be hidden from output, which is great. >> >> However, I'd like to control this outside of modules. A use case is for >> example a playbook doing things: >> >> - name: Get AWS credentials >> set_fact: >> aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id) >> }}" >> >> - name: Grab username and password from creds >> set_fact: >> aws_access_key: "{{ aws_creds['username'] }}" >> aws_secret_key: "{{ aws_creds['password'] }}" >> >> I want to be able to flag parameters as "globally hidden", not just as >> module outputs. I know I can use no_log, but that would hide _all_ output >> from a step, which makes it hard to troubleshoot stuff (this is what we're >> doing today, and having to temporarily turn off the no_log flag when >> troubleshooting is a headache. >> >> Is there anyway to (for example) set ansible.cfg to always hide the value >> of variables called aws_access_key, regardless of playbook/play/task/role? >> >> >> >>
-- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/aab75384-c96a-47b8-8116-9c47997de36b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
