Passwords not masked in playbook output #362

Open
@minatoyama

Description

In my Ansible configuration we either use Ansible Vault or a gpg plugin to encrypt passwords. However, these passwords are fully printed in clear text in some of the configuration steps, even if they are skipped. Some examples:

  • icinga.icinga.icinga2 : enable features
  • icinga.icinga.icingaweb2 : Check each icingaweb2_modules key against known modules
  • icinga.icinga.icingaweb2 : Configure modules
  • icinga.icinga.icingaweb2 : Manage enabled module daemons

Example of output in skipped task:

 TASK [icinga.icinga.icingaweb2 : Manage enabled module daemons] **********************************************************************************************************************************
skipping: [icingaweb2] => (item={'key': 'icingadb', 'value': {'enabled': True, 'source': 'package', 'commandtransports': {'icingadb-web': {'transport': 'api', 'host': 'icingaweb2', 'username': 'api-user', 'password': 'api password in clear text'}}, 'config': {'icingadb': {'resource': 'icingadb-database'}, 'redis': {'tls': 0}}, 'redis': {'redis1': {'host': 'master1', 'password': 'redis password in clear text'}, 'redis2': {'host': 'master2', 'password': 'redis password in clear text'}}}})

Activity

mkayontour commented on Jun 20, 2025

@mkayontour
Member

Hi, thanks for the issue. This can be solved using loop control.

   - shell: echo 'doesnt matter'
     with_dict: "{{ useless }}"
     loop_control:
       label: "{{ item.key }}"

Donien commented on Jun 20, 2025

@Donien
Member

> Hi, thanks for the issue. This can be solved using loop control.
>
>    - shell: echo 'doesnt matter'
>      with_dict: "{{ useless }}"
>      loop_control:
>        label: "{{ item.key }}"

As soon as you run with verbosity, the full variable is shown again.

I believe only no_log: true is secure here.

Donien commented on Jun 23, 2025

@Donien
Member

Hi @minatoyama

I have added labels to a few loops to restrict what is being printed on screen.
This however does not fully solve the issue.

If you run Ansible with any level of verbosity, you can still see the full loop item that is being processed.

Sadly, I don't see any real fix for this as of now.
Verbosity is nice for troubleshooting / development / simply knowing what is going on.

We have so many places where secrets could be, e.g. database connections, user credentials, or even simply in an Icinga2 host object (SNMP credentials come to mind).

Using no_log: true on all of these makes troubleshooting way harder than what it's worth.

If you still need every possible secret to be hidden, I suggest using no_log: true on the play or role level.

- name: Play
  # Either here
  no_log: true
  hosts: all
  
  roles:
    - role: icinga2
      # or here
      no_log: true

Passwords not masked in playbook output · Issue #362 · NETWAYS/ansible-collection-icinga
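An added example, not from the issue thread or the collection: a Python check that scans captured `ansible-playbook` output at default verbosity, in the format quoted in the issue, and reports which tasks print loop items with values under secret-looking keys, so you can see where a label or `no_log: true` is still missing. The key-name pattern, the function names and the sample output are assumptions constructed for illustration.

```python
import ast
import re

# Key names treated as secret-bearing (an assumption; extend for your own variables).
SECRET_KEYS = re.compile(r"passw(or)?d|passphrase|secret|token|community", re.I)
TASK_RE = re.compile(r"^\s*TASK \[(?P<task>.+?)\] \*+")
ITEM_RE = re.compile(r"^(?P<status>\w+): \[(?P<host>[^\]]+)\] => \(item=(?P<item>.*)\)\s*$")


def secret_paths(node, path=""):
    """Yield dotted paths of non-empty values stored under secret-looking keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                yield from secret_paths(value, here)
            elif SECRET_KEYS.search(str(key)) and value not in ("", None):
                yield here
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from secret_paths(value, f"{path}[{index}]")


def find_leaks(output):
    """Return (task, host, status, key path) for each secret printed in a loop item."""
    leaks, task = [], None
    for line in output.splitlines():
        if m := TASK_RE.match(line):
            task = m["task"]
        elif m := ITEM_RE.match(line):
            try:
                item = ast.literal_eval(m["item"])  # unlabelled items print as Python literals
            except (ValueError, SyntaxError, TypeError):
                continue  # a labelled item is plain text, so there is no dict to inspect
            leaks += [(task, m["host"], m["status"], p) for p in secret_paths(item)]
    return leaks


# Constructed sample output: one unlabelled loop item and one labelled with item.key.
SAMPLE = """\
TASK [icinga.icinga.icingaweb2 : Manage enabled module daemons] ****
skipping: [icingaweb2] => (item={'key': 'icingadb', 'value': {'enabled': True, 'commandtransports': {'icingadb-web': {'username': 'api-user', 'password': 'PLACEHOLDER'}}, 'redis': {'redis1': {'host': 'master1', 'password': 'PLACEHOLDER'}}}})
TASK [constructed : labelled loop] ****
skipping: [icingaweb2] => (item=icingadb)
"""

if __name__ == "__main__":
    for task, host, status, key_path in find_leaks(SAMPLE):
        print(f"{task} [{host}] ({status}): {key_path}")
```

The report contains only the task name and the key path, never the value, so it is safe to keep in CI logs. It does not cover runs with `-v`, where result data follows the item on the same line.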