Marking workflow vars as secret

[u2ill]

Okay, so I understand how workflow parameters are defined the the workflow.meta.yaml file, and how the "secret: true" option can be set for masking parameters with sensitive data from showing in plain text in workflow result output, logs, and other various forms of output. Now in the actual workflow yaml file, there is the "input" section, which accepts the parameters defined in the meta file.
But then there is the "vars" section, were you can declare internal workflow variables that are not input parameters. Later on in the workflow, we will often assign various sensitive data like passwords into a variable that was declared in the "vars" section. But I don't see how to mark those variables as "secret". Shouldn't we be able to do that? Am I missing something?

[apielasa]

@u2ill - did you find any workaround for this?

[fdrab]

are variables shown anywhere?

[apielasa]

Yes, they are.
Environment variables are displayed in plain text in the GUI. In a history of workflow tasks.
Everyone that has an access to the st2 CLI can get variable values as well.
eg.:

get last 5 actin id
st2 execution list -n 5

get details of a particular action id with all variables included:
st2 execution get execution_id

If you're a pack maintainer, you can implement setting os variable inside the pack and pass a value as an input parameter instead of var.
Then you can set this input parameter as sensitive (setting secret: true attribute) in a yaml file.

If you're not a pack maintainer, things are getting more complicated...