Ansible vault logs sensitive information when verbose

Hi,

I have some sensitive data (keys, pass files, etc.) stored in yaml var files and encrypted with the vault.

Just noticed that if I have -v set, it prints out the contents when I import the var files.

I would have expected the facts to know that the file it's loading was from the vault and that the contents should not be logged:

TASK: [user-builder | Add builder public key to authorized_keys for deployment of code to jump servers] ***
changed: [localhost] => (item=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNPS60Hazeilt3yA8Doljw+zlhlDsvd30k3pPkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3cAAAAB3NzaC1yc2EAAAABIwAAAQEA3ed3cnj1HNkmudlD+ZNNEoo2hNluUVZnlQX+ej9qUpz/uTK8cx9o5MgcyWIpJRAhsm2DKjjQxGQxiNyi3ccAruWODdu8/9+VzWLEHsOH3GnSTsJ2+ULTvvhnjDAjeTwiPC05pwgZbdgg+nuvVV7q919v8n/1NNUVY9Kw3RUGHq36MoyvYwzb6hA5UoN/3MjqoXGn", "key_options": null, "keyfile": "…/builder/.ssh/authorized_keys", "manage_dir": true, "path": null, "state": "present", "unique": false, "user": "builder"}

Thanks

James

Hi James,

Could you open a github issue for this so we can keep track of it? In the meantime, you can use the no_log: yes option on a per-task basis to ensure sensitive information is not logged.

Thanks!

Sure, will do. Thanks James

It’s not “printing the content”, it’s logging loop items. You’ll want to move the sensitive data into dictionaries and use with_dict, or iterate over list indexes with with_sequence.

It would be nice if Ansible somehow marked sensitive data, but it’s not doing it now.
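As an added example, not taken from the thread or from the Ansible project, here is a playbook that applies both suggestions made above: no_log on the vault-loading and key-installing tasks (first reply), and iterating over list indexes rather than the list items themselves (second reply). The file path vault/keys.yml and the task names are those shown in the thread; the variable vault_builder_pubkeys is a hypothetical list of public keys assumed to be defined inside that vault file.

```yaml
# Added example (not from the thread): keep vault contents out of -v output.
- hosts: localhost
  tasks:
    # Under -v, include_vars prints every variable it loaded as ansible_facts.
    # no_log suppresses the task's result, including on failure.
    - name: include_vars vault/keys.yml
      include_vars: vault/keys.yml   # path as shown in the thread
      no_log: true

    # vault_builder_pubkeys (assumed, hypothetical) is a list of public keys
    # defined in vault/keys.yml. Looping over indexes means the per-item
    # "(item=...)" label shows only 0, 1, 2, ... instead of the key text.
    - name: Add builder public key to authorized_keys for deployment of code to jump servers
      authorized_key:
        user: builder
        key: "{{ vault_builder_pubkeys[item | int] }}"
        state: present
      with_sequence: "start=0 count={{ vault_builder_pubkeys | length }}"
      # The module's own return values still echo the key it installed (see the
      # keyfile/key_options fields in the first post), so no_log is still needed.
      no_log: true
```

Two caveats a practitioner will want: no_log also hides the task's error output, so for troubleshooting it is easier to template it (no_log: "{{ hide_secrets | default(true) }}") and override the variable on the command line than to delete the line; and the index loop only narrows what the loop label prints, because the result dictionary printed at -v contains whatever the module returns, which for authorized_key includes the key. On Ansible 2.2 and later, loop_control with a label is another way to change what the loop label shows without touching the module result.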

James Cammarata jcammarata@ansible.com wrote:

Hi,

Sorry I don’t think my example was good enough.

It was logging when using include_vars. I will create an example playbook and raise a defect on github.

TASK: [user-builder | include_vars vault/keys.yml] ****************************
ok: [localhost] => {"ansible_facts": {"vault_builder_id_rsa": "-----BEGIN RSA PRIVATE KEY-----
…\7f0iXxEglf8a3wGD3qEVCNLNDxzVJ6grnFsDa0IfBey\n3VG7Sawu3vkpf0jnd21knv90YspfEx3zjGHpM2inT4AfVM8vjMAxgF9w3jZIj2w2\n2D47yPaF2xv8PvasNCEHcs7vCKd2AqtU5ySqb9ajJzvZE7jwqQE=\n-----END RSA PRIVATE KEY-----\n"}}

TASK: [user-builder | include_vars vault/cvs.yml] *****************************
ok: [localhost] => {"ansible_facts": {"vault_builder_cvspass": "/1 …n"}}

TASK: [user-builder | include_vars vault/subversion.yml] **********************
ok: [localhost] => {"ansible_facts": {"vault_builder_subversion_cert_data": "K 10\nascii_cert\nV 948\nMIICwzCCAiwCCQC7AE/MsC2l8jANBgkqhkiG9w0BAQUFADCDVQQHEwZEdWJsaW4xFzAVBgNVBAoTDlBhZGR5IFBvd2VyIElUMQwwCgYDVQQLEwNTQ00xKDAmBgNVBAMTH2R1YmRjqT6r0Dta59bA9kiVqzI\nK 8\nfailures\nV 2\n12\nK 15\nsvn:realmstring\nV 27\nhttps://217.112.150.122:443\nEND\n", "vault_builder_subversion_serverrecord": "29c985a08edc7fae1dde0fe590b47938"}}

J

I have raised https://github.com/ansible/ansible/issues/10194

I'll raise issues on github next time before I post to the forum. I wasn't aware of the etiquette, apologies.

James

It can be good to raise issues on the forum too. Sometimes the forum/mailing list is helpful for figuring out if the issue is really a bug or to get feedback on potential implementation of fixes.

-Toshio

Thanks Toshio, will do in the future.