Hiding varibles in with_items

Archives Ansible Project
1

We want to with_items over a set of variables with private data in them,
like AWS keys. This causes us to get output like

  TASK: [ourtask | template .s3cfg] ************************************
  changed: [host1] => (item={'access_key': 'my-access-id', 'secret_key': 'my-secret-key', 'name': 'me'})
  changed: [host1] => (item={'access_key': 'your-access-id', 'secret_key': 'your-secret-key', 'name': 'you'})
  changed: [host2] => (item={'access_key': 'my-access-id', 'secret_key': 'my-secret-key', 'name': 'me'})
  changed: [host2] => (item={'access_key': 'your-access-id', 'secret_key': 'your-secret-key', 'name': 'you'})

...except the values (my-secret-key, your-secret-key, etc) are actually
printed there. Is there a way to tell Ansible that these variables are
secret and not to print them? (We're not using Vault, but our own way to
isolate private vars; but http://docs.ansible.com/playbooks_vault.html
didn't seem to imply that this would be different if we were. Although
that could be a cool way to do it, if Ansible keeps track of what
variables were set by files that came from Vault.)

                                      -Josh (jbs@care.com)

This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.

2

I would recommend setting ‘no_log: True’ on your task. Then the contents of the items will be suppressed. We do this with ‘secrets’ and with tasks that loop over data sets that have overly large strings or values.

There is some additional information at:

http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

3

I would recommend setting 'no_log: True' on your task. Then the contents
of the items will be suppressed. We do this with 'secrets' and with tasks
that loop over data sets that have overly large strings or values.

There is some additional information at:

http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

Ah, cool. If that's only in 1.8, we'll pick it up when that comes out. Thanks!

                                      -Josh (jbs@care.com)

This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.

4

Before 1.8, it will prevent syslogging, but not display in the app’s stdout.