AWX Custom creds used in template are displayed in plain text as part of Output

prateektl · August 7, 2024, 2:56pm

We have created a custom credentials and using it as part of the job template. But the issue is, the credentials passed as part of these custom creds is being displayed in plain text in the output of the job. What modification or changes needs to be done, so that credentials that are used as part of the custom creds are not displayed.

We are already using no_log: true in the task where the custom cred are used. But this is not a solution as it can be tweaked by different members and read the credentials. Also it will be hard to troubleshoot the issue when the task is enabled with no_log.

In other platform, as soon as the credential type is used, it will be hidden with asterisk (***), is there something similar in AWX?

Custom Credential Type:

Denney-tech · August 7, 2024, 4:23pm

It sounds like the problem is that you’re seeing your secret in stdout. Ansible has no way of knowing what part of stdout may or may not contain sensitive or secret information. That’s why no_log exists in the first place, to hide programmatically-indiscernible secret information.

There are modules that are intelligent enough to hide secrets in their output, but things like command shell and uri are not among them.

If you could show us samples of your playbooks/roles, how you’re using your awx_token, and explain a bit more of what you’re trying to do (in case it isn’t obvious in your samples); we may be able to help a little more.

On another note, you appear to be creating a custom credential for an AWX credential? Is there a reason you can’t use the existing Red Hat Ansible Automation Platform credential?

prateektl · August 9, 2024, 7:46am

Thanks for responding to this topic @Denney-tech , Let me give you an example on how we are using this custom credentials. Also as noted by you, we often use URI and Command Shell modules in our playbooks.

Denney-tech · August 9, 2024, 6:38pm

One solution could be to set the awx_token as an environment variable. If you add it as an environment variable in the custom credential, that will be exposed at Ansible’s control_node level, meaning you could set CONTROLLER_OAUTH_TOKEN and use your token with the awx.awx collection. However, you’ll need to set the environment variable at the play/task level the same way you would for regular vars to help hide it in shell tasks.

E.g. Setting environment var in task from custom credential’s extra_vars/env_vars.

# Injector configuration for your custom credential in awx
extra_vars:
  awx_token: '{{ awx_token }}'
env:
  AWX_TOKEN: '{{ awx_token }}'
  CONTROLLER_OAUTH_TOKEN: '{{ awx_token }}'

# Shell task in some play
- name: My custom shell with env var
  ansible.builtin.shell:
    cmd: |
      echo "${AWX_TOKEN}" > /dev/null # this is fine
      echo "{{ awx_token }}" > /dev/null # this is bad
      echo "${AWX_TOKEN}" # this is worse
      echo "{{ awx_token }}" # this is the worst
  environment:
    AWX_TOKEN: "{{ awx_token | default(lookup('env', 'AWX_TOKEN') | default('')) }}"

In the above task, redirecting the output to /dev/null prevents exposing the token to stdout. ${AWX_TOKEN} is the env variable, and is not exposed on the cli or in the cmd key of the module’s output. This makes the first echo safe since you will not see the token in the module’s output (i.e. {'results': {'cmd': 'echo "${AWX_TOKEN}"', 'stdout': ''}}). On the other hand, you will see the {{ awx_token }} in plaintext in the cmd key, and definitely see either var in the stdout if it is not redirected or otherwise used in a parameter.

With the ansible.builtin.uri, I’m not sure that there’s any way to hide the token, but you might be able to use {{ lookup('env', 'AWX_TOKEN') }} in the argument to set the header. I’m not sure if the module output would show the literal jinja string or the resulting lookup value.

Like so:

- ansible.builtin.uri:
    uri: "https://awx.domain.local/api/v2/inventories"
    return_content: true
    headers:
       Authorization: "Bearer {{ lookup('env', 'AWX_TOKEN') }}"

In this case, the only time I could see the token in testing is if verbosity was increased. It is not in the module output. Haven’t tested it in AWX, so I’m not sure what the module parameters might look like in the job details/output (with or without verbosity increased).