Prevent Module Arguments from Logging

I’ve started incorporating the capabilities of Vault to encrypt private data (e.g. passphrases), and I want to make sure this data is still secure once I use it in a play. Specifically, I’m looking to develop a module to interact with our encryption software, and I want to make sure the passphrases I pass in are not going to be logged in the output.

I’ve noticed when you run the user module with a -vvvv you get two log entries where the password is sanitized.

<127.0.0.1> REMOTE_MODULE user name=username state=present password=VALUE_HIDDEN

ok: [ansible1] => {"append": false, "changed": false, "comment": "", "home": "/home/username", "item": "", "move_home": false, "name": "username", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present"}

I’ve been able to trace out the NOT_LOGGING_PASSWORD in the user module file, but I’m not able to find any reference to VALUE_HIDDEN. It would really defeat the purpose of Vault to encrypt private data, but display it in the logs.

https://github.com/ansible/ansible/blob/devel/lib/ansible/utils/__init__.py#L671

-jlk

Thanks, Jesse. Just to make sure I fully understand, I need to create my private arguments with a key of password or login_password, or change the private_keys list to include the argument keys of my choosing. Is this correct?

I believe so, yes.

-jlk

Should "private_keys" be configurable in .ansible.cfg not fixed in __init__.py?

I can see a downside in that people in charge of security would have to maintain the list carefully.

But, we have a lot of different types of keys and it would be nice to name them more specifically than this.

Sometimes, it is considered a security breach just to know the activities that are used to secure processes.

What about adding something like

with_security: state=[silent, encrypted]

which could be appended to any task. silent would omit the task from the logs entirely while encrypted would encrypt all fields.

[kbroughton@mb-kbroughton:lynx-ansible/dev-ansible + (develop)] grep -RH private_keys $ansible

/Users/kbroughton/vcp/git/mentat/ansible/lib/ansible/utils/__init__.py: private_keys = ['password', 'login_password']

/Users/kbroughton/vcp/git/mentat/ansible/lib/ansible/utils/__init__.py: if k in private_keys:

There has been discussion around allowing the modules to configure these keys.

Also note that there is a no_log configuration that can prevent things from being logged.

I just added https://github.com/ansible/ansible/issues/6533 as an idea for how this could be solved.

So there’s already a convention around no_log=True in the argument_spec here.

I’d use it :slight_smile:

no_log: True or field1,field2… at a task level works for my needs!

It also exists in the argument_spec of the module as well.
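As an added illustration (not Ansible's own code; the real logic lives in AnsibleModule and the ansible.utils helper linked earlier in the thread), the constructed Python below shows how a module's no_log=True flags can drive both masks seen in this thread: VALUE_HIDDEN on the REMOTE_MODULE line and NOT_LOGGING_PASSWORD in the JSON result, plus a check that a secret did not leak into some other field such as a message string. The parameter names in ARGUMENT_SPEC and the sample values are made up for the example.

```python
import shlex

VALUE_HIDDEN = "VALUE_HIDDEN"            # mask used on the REMOTE_MODULE line
NOT_LOGGING = "NOT_LOGGING_PASSWORD"     # mask used in the module's JSON result

# Constructed argument_spec in the shape AnsibleModule(argument_spec=...) takes.
# Flagging a parameter no_log=True is the convention discussed in the thread.
ARGUMENT_SPEC = {
    "name": {"required": True},
    "state": {"default": "present", "choices": ["present", "absent"]},
    "passphrase": {"required": True, "no_log": True},
    "login_password": {"no_log": True},
}


def private_keys_from_spec(argument_spec):
    """Derive the secret parameter names from no_log flags instead of a fixed list."""
    return {name for name, opts in argument_spec.items() if opts.get("no_log")}


def sanitize_module_args(args_line, private_keys):
    """Mask secret values on a 'REMOTE_MODULE mod k=v k=v' line as shown at -vvvv."""
    out = []
    for token in shlex.split(args_line):
        key, sep, value = token.partition("=")
        if sep and key in private_keys:
            out.append(f"{key}={VALUE_HIDDEN}")
        elif sep:
            out.append(f"{key}={shlex.quote(value)}")  # re-quote values with spaces
        else:
            out.append(token)
    return " ".join(out)


def sanitize_result(result, private_keys):
    """Mask secret keys in the module's returned dict before it is printed."""
    return {k: (NOT_LOGGING if k in private_keys else v) for k, v in result.items()}


def leaked_secrets(result, secret_values):
    """Return keys whose string value still contains a secret, e.g. a 'msg' that echoed it."""
    return sorted(
        k for k, v in result.items()
        if isinstance(v, str) and any(s and s in v for s in secret_values)
    )
```

Masking by key name only protects the named parameter; the leaked_secrets check is there because a secret copied into a message or another return field is printed untouched.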

With the following sanitized code, using the no_log=True method, my private parameters are still being logged. What am I missing?

“my private parameters are still being logged.”

When you say “logged”, logged where?

Before some users had confusion calling the output of the task name a log, so I want to make sure.

Perhaps “logged” is not the correct term. I’m referring to the output seen with the -vvvv option.

What I get:
REMOTE_MODULE mymodule pub1=value1 pub2=value2 priv=privvalue

What I expect:
REMOTE_MODULE mymodule pub1=value1 pub2=value2

Please make sure there is a ticket filed on this request.

Thanks!