Prevent sensitive data from leaking to syslog when using e.g. the command module

Let’s say I have the following task:

  - name: mongodb | Setup mongodb admin user
    tags: mongodb
    command: /usr/bin/mongo -u admin --eval "db.getSiblingDB('admin').addUser('admin', '{{pass_admin}}')" admin
    changed_when: false
    ignore_errors: yes

All is fine with this, except one thing - my precious top-secret password gets written in /var/log/syslog by ansible-command, where it becomes visible to non-privileged users.

Is there any way to selectively prevent a task from logging this? I found the no_log parameter which specific modules can use to prevent some arguments from being logged, but it doesn’t seem usable by an end user.

Thanks!

P.S. The reason I’m not using the mongodb_user module is that it doesn’t work on Mongo 2.2 or lower, and I’m stuck with 2.0 for the moment. The syntax for addUser() is different in 2.4, and mongodb_user only supports that.

So we have a mongo user module (see online module docs)

Using this, Ansible is smart enough to not log parameters named ‘password’ or ‘login_password’.

There is also a “no_log=yes” parameter you can use generically speaking on any module.

I read the rest of your post, how about fixing the mongodb module so it can detect the version and act appropriately?

There is also a “no_log=yes” parameter you can use generically speaking on any module.

How do I use that as an end user (not as a module author)? Passing “no_log=yes” at the “command:” line assumes that it is part of the command I want to execute. Putting “no_log: yes” as a separate line results in the following:

ERROR: no_log is not a legal parameter in an Ansible task or handler

Right, it’s an internalism.
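
A check for whether a secret has already reached syslog in the way this thread describes, as an added example that is not code from any poster or from the Ansible project. The sample log lines, the "Invoked with" layout and the secret value are constructed assumptions; only the `ansible-command` tag and the `pass_admin` variable name come from the thread.

```python
import re

# Syslog tag written by Ansible modules, e.g. "ansible-command" (tag named in the thread).
ANSIBLE_TAG = re.compile(r"\s(ansible-[\w.]+)(?:\[\d+\])?:\s")

# Constructed sample lines; the "Invoked with" layout is an assumption, not real host output.
SAMPLE_LOG = """\
Jan 10 12:00:01 db1 ansible-command: Invoked with args=/usr/bin/mongo -u admin --eval "db.getSiblingDB('admin').addUser('admin', 'S3cr3t-Example')" admin
Jan 10 12:00:02 db1 ansible-apt: Invoked with name=mongodb state=present
Jan 10 12:00:03 db1 sshd[811]: Accepted publickey for deploy from 192.0.2.10
Jan 10 12:00:04 db1 ansible-shell[2211]: Invoked with args=echo S3cr3t-Example | md5sum
"""


def find_leaks(log_text, secrets):
    """Return (line_number, module_tag, secret_name) for each Ansible log line
    that contains a known secret value. The value itself is never returned."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        tag = ANSIBLE_TAG.search(line)
        if not tag:
            continue  # only lines written by Ansible modules are of interest
        for name, value in secrets.items():
            if value and value in line:
                hits.append((lineno, tag.group(1), name))
    return hits


def redact(log_text, secrets):
    """Return the log text with every known secret value masked by its name."""
    for name, value in secrets.items():
        if value:
            log_text = log_text.replace(value, "<redacted:%s>" % name)
    return log_text


if __name__ == "__main__":
    secrets = {"pass_admin": "S3cr3t-Example"}  # constructed value
    for lineno, tag, name in find_leaks(SAMPLE_LOG, secrets):
        print("line %d: %s logged the value of %s" % (lineno, tag, name))
```

Any secret the check finds should be rotated, since the log was readable by non-privileged users while the value was in it.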