Passing credentials to an action plugin

Hello again,

So I currently work on my first action plugin and I have a noob question: what is the best practice for passing credentials to the ‘run’ class method?

Assume we have a playbook that calls the role containing the plugin:

- name: "Call a role"
  import_role:
    name: "example"

and inside the example role we have a task triggering the plugin:

- name: "Call plugin"
  plugin:
    username: "{{ username }}"
    password: "{{ password }}"

So the question is where and how can I define username and password without having these values exposed in the output?

All play variables are passed into task_vars, automatically, so you don’t need to specify these as plugin parameters.

Say you have a variable dinner, be it specified as extravars, inventory vars, etc.; this is automatically passed into your action plugin:

#!/usr/bin/env python
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.action import ActionBase

try:
    from __main__ import display
except ImportError:
    from ansible.utils.display import Display
    display = Display()

class ActionModule(ActionBase):

    BYPASS_HOST_LOOP = False       # if True, runs once per play

    def run(self, tmp=None, task_vars=None):
        '''Run action plugin'''

        meal = task_vars['dinner']
        display.vv(meal)

        result = {
            'changed': False,
            'failed': False,
            'msg': 'okbla',
        }

        return result

- hosts: alice
  tasks:
    - aplug:

$ ansible-playbook jp.yml -e dinner=Doener -vv
...
TASK [aplug] ************************************************************************
task path: /.../ansible-tests/action_plugins/vars/jp.yml:10
Doener
ok: [alice] => {"changed": false, "msg": "okbla"}
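
The approach from the answer, applied to the question's `username` and `password`: the plugin reads both from task_vars and masks them in whatever it returns. This is an added example, not code from the thread; `get_credentials`, `redact` and `login` are hypothetical helpers, and the `ActionBase` fallback is an assumption made only so the helpers run without Ansible installed.

```python
# Added example: read the credentials from task_vars, keep them out of the result.
try:
    from ansible.plugins.action import ActionBase
except ImportError:  # stand-in so the helpers below run without Ansible installed
    class ActionBase(object):
        def run(self, tmp=None, task_vars=None):
            return {}

REQUIRED = ('username', 'password')  # variable names from the question
MASK = '********'

def get_credentials(task_vars):
    """Return (username, password); on error name the variable, never its value."""
    task_vars = task_vars or {}
    missing = [k for k in REQUIRED if not task_vars.get(k)]
    if missing:
        raise ValueError('undefined variable(s): ' + ', '.join(missing))
    return tuple(str(task_vars[k]) for k in REQUIRED)

def redact(value, secrets):
    """Recursively mask every occurrence of a secret in a result structure."""
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v, secrets) for v in value]
    if isinstance(value, str):
        for secret in secrets:
            if secret:  # an empty string would match everywhere
                value = value.replace(secret, MASK)
    return value

def login(username, password):
    """Constructed stand-in for the real backend call; its message leaks both values."""
    return {'changed': False,
            'msg': 'login as %s failed (secret=%s)' % (username, password)}

class ActionModule(ActionBase):
    def run(self, tmp=None, task_vars=None):
        result = super(ActionModule, self).run(tmp, task_vars)
        try:
            creds = get_credentials(task_vars)
        except ValueError as exc:
            result.update(failed=True, msg=str(exc))
            return result
        # task_vars values can still be unrendered Jinja2; resolve them first
        creds = [str(self._templar.template(c)) for c in creds]
        result.update(redact(login(*creds), creds))
        return result
```

Setting `no_log: true` on the task additionally hides the whole task result from the console output and logs.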

@jpmens thank you for the answer!
