As far as I can see, some modules implement a special “VALUE_SPECIFIED_IN_NO_LOG_PARAMETER” for some attributes, which causes them to be hidden from output, which is great.
However, I’d like to control this outside of modules. A use case is for example a playbook doing things:
- name: Get AWS credentials
  set_fact:
    aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id) }}"
- name: Grab username and password from creds
  set_fact:
    aws_access_key: "{{ aws_creds['username'] }}"
    aws_secret_key: "{{ aws_creds['password'] }}"
I want to be able to flag parameters as “globally hidden”, not just as module outputs. I know I can use no_log, but that would hide all output from a step, which makes it hard to troubleshoot stuff (this is what we’re doing today, and having to temporarily turn off the no_log flag when troubleshooting is a headache).
Is there any way to (for example) set ansible.cfg to always hide the value of variables called aws_access_key, regardless of playbook/play/task/role?
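
The behaviour asked for above, sketched as an added example that is not part of the original post and is not Ansible's own code: mask the values of variables flagged by name wherever they appear in a task result, and leave the rest of the output readable. The function names, `HIDDEN` set and sample data are hypothetical and constructed for illustration.

```python
# Added illustration; not Ansible code. All names here are hypothetical.
PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # string quoted in the post


def collect_secrets(variables, hidden_names):
    """Return the string values of every variable whose name is flagged hidden."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in hidden_names and isinstance(value, str) and value:
                    found.add(value)
                walk(value)
        elif isinstance(node, (list, tuple)):
            for item in node:
                walk(item)

    walk(variables)
    return found


def redact(result, secrets):
    """Copy a task result, masking each secret value wherever it occurs."""
    if isinstance(result, dict):
        return {k: redact(v, secrets) for k, v in result.items()}
    if isinstance(result, (list, tuple)):
        return [redact(v, secrets) for v in result]
    if isinstance(result, str):
        # Longest first, so a secret that contains another is masked whole.
        for secret in sorted(secrets, key=len, reverse=True):
            result = result.replace(secret, PLACEHOLDER)
    return result


# Constructed sample data (not real credentials).
HIDDEN = {"aws_access_key", "aws_secret_key"}
SAMPLE_VARS = {"aws_access_key": "AKIA-CONSTRUCTED-KEY",
               "aws_secret_key": "constructed-secret-value",
               "region": "eu-west-1"}
SAMPLE_RESULT = {
    "changed": False,
    "cmd": ["aws", "--region", "eu-west-1", "s3", "ls"],
    "invocation": {"environment": {"AWS_SECRET_ACCESS_KEY": "constructed-secret-value"}},
    "stderr": "auth failed for key AKIA-CONSTRUCTED-KEY",
}


def demo():
    return redact(SAMPLE_RESULT, collect_secrets(SAMPLE_VARS, HIDDEN))
```

Matching is by exact value, so a secret that shows up encoded (base64, URL-encoded) or as a dictionary key in the output is not masked by this sketch.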