Hi,
Sometimes playbooks need sensitive information like username/password and you may want to hide it from your log. So you can use the no_log feature and in most cases, it works. However, using it with with_items does not.
The following simple example demonstrates it.
Ansible version 1.8.1:
*test.yml*
Yeah, it’s important for debug that we show the loop counter of the item, so we don’t hide that with no_log. I think most times people would want to see what task is exec’ing in the loop - there could be hundreds.
Now, here’s the trick I was alluding to on Twitter:
In group_vars/foo or wherever, assume a vault-encrypted file:
    user_details:
      timmy:
        username: timmy
        password: foo
      jimmy:
        username: jimmy
        password: bar
And in your playbook:
    # 'password' is quoted so Jinja reads it as a dictionary key, not a variable
    - shell: some task … {{ user_details[item]['password'] }} …
      with_items: user_names
      no_log: True
And this way it will print the name on each loop indicator, but not the details that you don’t want to show.
There are a couple of other ways to do this; the main trick is just don’t loop over the sensitive items. I believe we have a keys() filter to use or there’s one in stock Jinja that makes this easier as well.
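The keys-based variant mentioned above, written out as an added example that is not part of the original thread. It assumes Ansible 2.x templating syntax, the stock `user` module and `password_hash` filter, and a constructed `user_details` dictionary that would normally sit in a vault-encrypted vars file.

```yaml
# Added example: host, user names and passwords are constructed values.
- hosts: localhost
  gather_facts: false
  vars:
    # In practice this dictionary is loaded from a vault-encrypted file
    # (for example under group_vars/), not written inline.
    user_details:
      timmy:
        password: foo
      jimmy:
        password: bar
  tasks:
    - name: Set each user's password, looping over user names only
      user:
        name: "{{ item }}"
        password: "{{ user_details[item].password | password_hash('sha512') }}"
      # keys() yields only 'timmy' and 'jimmy', so the loop item never
      # contains a secret; the password is looked up inside the task
      # arguments, which no_log keeps out of the task output.
      with_items: "{{ user_details.keys() | list }}"
      no_log: true
      become: true
```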
Looks like this has been fixed in v2.0, I can use with_items with no_log: True.