HI there,
I have a task in my playbook that uses the expect module to feed sensitive data into an interactive command on the remote host.
The module does its job, but my request for “no_log: True” is not respected. When changed, the task emits output like this:
{u’changed’: True, u’end’: u’2015-07-15 08:40:57.814994’, u’stdout’: u’‘, u’cmd’: u’/opt/vault/bin/vault unseal -address=http://127.0.0.1:8200’, u’start’: u’2015-07-15 08:40:57.699369’, u’delta’: u’0:00:00.115625’, ‘item’: u’{{ unseal_key_3 }}‘, u’rc’: 0, ‘invocation’: {‘module_name’: u’expect’, ‘module_args’: {u’command’: u’/opt/vault/bin/vault unseal -address=http://127.0.0.1:8200’, u’responses’: {u’: ‘: u’856…503’}, u’timeout’: 5, ‘_ansible_no_log’: True}}, ‘stdout_lines’: [u’']}
Note that module_args has exposed the sensitive data (represented here as ‘856…503’).
I tried marking the responses dict as no_log in the AnsibleModule definition in lib/ansible/modules/extras/commands/expect.py, but this didn’t change the behaviour.
Where is the code that produces this output, so that I can dig into why it exposes my sensitive information and figure out how best to deal with that?
Thanks,
Sheldon.