Excluding AWX/Tower Temporary Credential Extra Vars Files from ARA Recording


In AWX/Tower, credentials provided to a job template are injected as temporary extra vars files, with paths like:

/tmp/bwrap_<id>_<random>/awx_<id>_<random>/tmp<random>

These files are recorded by ARA:

I tested configurations of the ARA client to try to exclude them, using the ignored_files parameter, among others, without success. Is there a known working pattern or an option I overlooked to exclude only these temporary credential extra vars files from being recorded by ARA, while still retaining other non-sensitive extra vars?

(I must say: I know :upside_down_face: it’s still an AWX/Tower 3.8.5 here, but unfortunately that’s how it is… I hope it won’t be for much longer!)

Thank you for your help!

Hi,

The files included in a pattern provided to ARA_IGNORED_FILES will still be created, but they should be empty, a bit like this from the integration tests:

That result came from export ARA_IGNORED_FILES=".ansible/tmp,ignored_task_file.yaml".

In the example you provided /tmp/bwrap should work.

Thanks @rfc2549 for your answer.

I tested this.

ignored_files = .ansible/tmp,/tmp/bwrap

This excludes all files of the job, including env/extravars and playbooks (project/generate_freeze.yml in the example here).

The fact that credentials are provided as temporary extra vars files by AWX/Tower, with dynamic ids and random strings in the name and path, and in the same path as all other files of the job, means that we cannot find a fixed string to use in ignored_files to only exclude credentials.


/tmp/bwrap_<id>_<random>/awx_<id>_<random>/tmp<random>

I think that in this case, it should be possible to use a regex in ignored_files, for example:

/tmp/bwrap_.*/awx_.*/tmp.*

Or is there something else possible?

If not, do you think it would be useful to open an issue and look at this implementation? (I’m willing to try to come up with something, if it makes sense.)

Have a good day!

Ah, that’s a bit troublesome indeed, I understand better now, thanks.

The filtering implementation lives in the ara callback and it’s simple pattern matching: https://codeberg.org/ansible-community/ara/src/commit/717df99d364907cce7eda92c4741c48a7cea6a91/ara/plugins/callback/ara_default.py#L727-L734

It could be improved to be a list of regex patterns instead, I guess.
Feel free to create an issue, no problem with a PR that lets the use case work for you.


I opened an issue to track this enhancement request: codeberg.org/ansible-community/ara#649

It proposes regex support for ignored_files to better target dynamic AWX/Tower temporary credential files without over-filtering other files.
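
Added example, not part of the thread and not ARA's own code: a comparison of the fixed-string filter with the regex proposed above, run over constructed paths in the layout quoted in the thread. The substring matcher is an assumption modelled on the behaviour reported here, ignored_by_regex is a hypothetical variant, and the last sample path goes one step beyond the thread to show that a ".*" wildcard crosses directory boundaries.

```python
import re

# Constructed sample paths; the ids and random suffixes are made up.
JOB = "/tmp/bwrap_42_k3v9x1/awx_42_p0q7zt"
PATHS = [
    f"{JOB}/tmpl8s_2f",                         # temporary credential extra vars file
    f"{JOB}/env/extravars",                     # non-sensitive extra vars
    f"{JOB}/project/generate_freeze.yml",       # playbook
    f"{JOB}/project/roles/app/files/tmp.conf",  # project file whose name starts with "tmp"
]

SUBSTRING = ["/tmp/bwrap"]                          # fixed string tested in the thread
LOOSE = [r"/tmp/bwrap_.*/awx_.*/tmp.*"]             # regex proposed in the thread
STRICT = [r"/tmp/bwrap_[^/]+/awx_[^/]+/tmp[^/]+"]   # each wildcard stays in one path component


def ignored_by_substring(path, patterns):
    """Assumed current behaviour: ignore a file if any pattern occurs in its path."""
    return any(pattern in path for pattern in patterns)


def ignored_by_regex(path, patterns):
    """Hypothetical regex variant: the whole path must match one pattern."""
    return any(re.fullmatch(pattern, path) for pattern in patterns)


def report(matcher, patterns):
    """Return the sample paths whose content would be dropped."""
    return [path for path in PATHS if matcher(path, patterns)]


if __name__ == "__main__":
    cases = [
        ("substring /tmp/bwrap", ignored_by_substring, SUBSTRING),
        ("regex with .*", ignored_by_regex, LOOSE),
        ("regex with [^/]+", ignored_by_regex, STRICT),
    ]
    for label, matcher, patterns in cases:
        print(label)
        for path in report(matcher, patterns):
            print("  ignored:", path)
```

The fixed string drops every file of the job, the ".*" regex drops the credential file plus the project file under files/, and only the "[^/]+" form with a full-path match drops the credential file alone.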