Hide secrets from output

As far as I can see, some modules implement a special “VALUE_SPECIFIED_IN_NO_LOG_PARAMETER” for some attributes, which causes them to be hidden from output, which is great.

However, I’d like to control this outside of modules. A use case is for example a playbook doing things:

  - name: Get AWS credentials
    set_fact:
      aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id) }}"

  - name: Grab username and password from creds
    set_fact:
      aws_access_key: "{{ aws_creds['username'] }}"
      aws_secret_key: "{{ aws_creds['password'] }}"

I want to be able to flag parameters as “globally hidden”, not just as module outputs. I know I can use no_log, but that would hide all output from a step, which makes it hard to troubleshoot stuff (this is what we’re doing today, and having to temporarily turn off the no_log flag when troubleshooting is a headache).

Is there any way to (for example) set ansible.cfg to always hide the value of variables called aws_access_key, regardless of playbook/play/task/role?

You can use a custom callback plugin to mask the password. An example can be found at https://serverfault.com/questions/754860/how-can-i-reduce-the-verbosity-of-certain-ansible-tasks-to-not-leak-passwords-in/897480#897480?newreg=03468dbbc6174dbc9d04455112ec29a7
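
A sketch of the callback approach suggested above, as an added example (it is not part of this thread and is not the code from the linked answer). It assumes the default stdout callback passes task results through `_dump_results`; the plugin name `mask_secrets` is hypothetical, and the masked variable names are the ones from the playbook in the question. Besides masking by key, it remembers the secret strings it has seen so they are also scrubbed when they reappear under other keys in later task output.

```python
# Added example: stdout callback that masks named variables in task results.
try:
    from ansible.plugins.callback.default import CallbackModule as Default
except ImportError:  # lets the masking logic be exercised without Ansible installed
    Default = object

DOCUMENTATION = """
    name: mask_secrets
    type: stdout
    short_description: default output with named variables masked
    extends_documentation_fragment: [default_callback]
"""
SECRET_KEYS = {"aws_creds", "aws_access_key", "aws_secret_key"}  # names from the question
MASK = "********"


def collect(obj, seen, under_secret=False):
    """Record every non-empty string found beneath a key listed in SECRET_KEYS."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            collect(value, seen, under_secret or key in SECRET_KEYS)
    elif isinstance(obj, (list, tuple)):
        for item in obj:
            collect(item, seen, under_secret)
    elif under_secret and isinstance(obj, str) and obj:
        seen.add(obj)


def redact(obj, seen):
    """Return a copy with secret keys masked and known secret strings scrubbed."""
    if isinstance(obj, dict):
        return {k: MASK if k in SECRET_KEYS else redact(v, seen) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(item, seen) for item in obj]
    if isinstance(obj, str):
        for secret in sorted(seen, key=len, reverse=True):  # longest first
            obj = obj.replace(secret, MASK)
    return obj


class CallbackModule(Default):
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = "stdout"
    CALLBACK_NAME = "mask_secrets"  # hypothetical plugin name
    _seen = set()  # secret strings observed so far in this run

    def _dump_results(self, result, *args, **kwargs):
        collect(result, self._seen)
        return super()._dump_results(redact(result, self._seen), *args, **kwargs)
```

To try it, save the file as `callback_plugins/mask_secrets.py` next to the playbook and set `stdout_callback = mask_secrets` under `[defaults]` in ansible.cfg. It changes only what this callback prints; tasks that need full suppression still need no_log.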

Thanks,
I’ll do that!