ansible_failed_task logs private variables

Pinknes_Einhorn · June 13, 2023, 3:03pm

Hey all,

I’ve been working with error handling during vmware deployment and noticed that Ansible seems to store cleartext passwords in the ansible_failed_tasks variable provided by rescue sections in blocks even tho they’ve been set to private.
Not sure if this is a bug or intentional behavior( or user error), that’s why i wanted to ask if anybody else has experienced this behavior.

As example, here’s a shortened output of the variable:
“ansible_failed_task”: {

“args”: {
“provider”: {
“password”: “password123”,
}
}

For comparisen, the ansible_failed_result variable stores the variable as NO_LOG_PARAMETER as i’d expect
“ansible_failed_result”: {

“invocation”: {
“module_args”: {
“provider”: {
“password”: “VALUE_SPECIFIED_IN_NO_LOG_PARAMETER” }}}}

system · June 13, 2023, 3:50pm

There is no concept of 'private variables' in Ansible, we do have
'no_log' for module parameters (or at a task level, but this does not
seem to be this case). The `no_log` at the module level will handle
any returns or log data from the module, but does not affect any
variables that had been fed into it.

Topic		Replies	Views
Variables containing passwords - Filtering Ansible Project	2	1	July 17, 2014
Storing private ssh keys in variables Ansible Project	7	22	July 31, 2014
Ansible become-success command is logging variables Ansible Project	3	2	October 12, 2017
Why not environment variable to store vault secrets ? Ansible Developer	2	3	January 22, 2020
Secret variables / data: encryption Ansible Project	65	2	July 4, 2013

ansible_failed_task logs private variables

Related topics