Suppress print of ENV vars in AWX EE

Hi everyone,

We use a credential of type VMware vCenter (10. Credentials — Ansible AWX community documentation) in an AWX job template. The credential information (host, username, password) is transferred to the playbook as ENV variables.
However, the started automation-job pod writes these ENV variables to stdout at startup. And since stdout comes from pods to Graylog, sensitive information is leaked.
Is there a way to suppress the writing of ENV vars in AWX, EE or ansible-runner?

{"status": "starting", "runner_ident": "10091", "command": ["ssh-agent", "sh", "-c", "trap 'rm -f /runner/artifacts/10091/ssh_key_data' EXIT && ssh-add /runner/artifacts/10091/ssh_key_data && rm -f /runner/artifacts/10091/ssh_key_data && ansible-playbook -u **** -e @/runner/env/tmp_wou1p52 -i /runner/inventory/hosts -e @/runner/env/extravars playbook.yaml"], "env": { [...]"VMWARE_PASSWORD": "password-in-clear-text", }[...]}

Thanks!

@kokosnuss hi, generally if you need to pass some credentials to your playbooks, you could use Ansible Vault.
I’m not an AWX user, but I can see that there’s the credential feature you could try to use, and IIRC there’s an option for vault. Maybe there are other cred types you could use.

AWX folks, please correct me if I’m wrong.

Hi kokosnuss,

There is a “no_log” option that can be added to tasks which stops the task output from showing on the AWX console. Not sure if that will suppress the output at startup though.

Logging Ansible output — Ansible Community Documentation

If that doesn’t work, you could do a custom credential and recreate the VMware credential type but pass in the username/password as extra_vars rather than ENV. Then add the username and password options when the VMware modules are called. This is a bit hacky but I’ve had to do something similar when I needed to change something from the default credential types.


12. Custom Credential Types — Automation Controller User Guide v4.5

2 Likes

Hi everyone,
Thank you for your answers.
The no_log option does not work here because it only applies to the playbook and not to the startup component.
I already had the solution of copying the credential, but I think it’s too hacky, because it doesn’t scale and I can’t forbid my internal users to use the default vmware credential.
I dug deep and found out that ansible-runner is the component causing this, and more or less wrote a fix for it:

3 Likes

iwt-cmd: You can do this hacky solution to work around the issue
kokosnuss: Hold my beer * submits PR to fix the issue *

1 Like
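
An added example, not code from this thread and not the fix submitted to ansible-runner: a filter that could sit between pod stdout and the log shipper and mask secret-looking values in the "env" object of status events like the one quoted in the first post. The key-name pattern, the mask string, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Assumption: key-name patterns that mark an env value as sensitive.
SENSITIVE_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
MASK = "********"


def redact_status_line(line):
    """Mask sensitive values in the "env" object of one status event.
    Returns (line_to_forward, masked_key_names); other lines pass through."""
    try:
        event = json.loads(line)
    except ValueError:
        return line, []  # plain playbook output, not a JSON event
    if not isinstance(event, dict) or not isinstance(event.get("env"), dict):
        return line, []
    masked = sorted(k for k, v in event["env"].items()
                    if SENSITIVE_KEY.search(k) and v not in ("", None))
    for key in masked:
        event["env"][key] = MASK
    return (json.dumps(event), masked) if masked else (line, [])


# Constructed sample pod stdout, modelled on the event quoted in the first post.
SAMPLE_LINES = [
    '{"status": "starting", "runner_ident": "10091", "command": ["ansible-playbook", '
    '"playbook.yaml"], "env": {"VMWARE_HOST": "vcenter.example.internal", '
    '"VMWARE_USER": "svc-awx", "VMWARE_PASSWORD": "password-in-clear-text", "HOME": "/runner"}}',
    '{"status": "running", "runner_ident": "10091"}',
    "PLAY [all] *****",
]


def filter_stream(lines):
    """Return (forwardable_lines, [(line_number, masked_keys), ...])."""
    out, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, masked = redact_status_line(line)
        out.append(clean)
        if masked:
            findings.append((number, masked))
    return out, findings


if __name__ == "__main__":
    forwarded, findings = filter_stream(SAMPLE_LINES)
    print("\n".join(forwarded))
    print("masked:", findings)
```

The findings list doubles as a detection signal: any non-empty result means a job pod is still emitting credentials in its startup event.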