You can use a custom callback plugin to mask the password. An example can be found at https://serverfault.com/questions/754860/how-can-i-reduce-the-verbosity-of-certain-ansible-tasks-to-not-leak-passwords-in/897480#897480?newreg=03468dbbc6174dbc9d04455112ec29a7
On Saturday, March 24, 2018 at 1:14:02 AM UTC-7, Trond Hindenes wrote: > > As far as I can see, some modules implement a special > "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" for some attributes, which cause them > to be hidden from output, which is great. > > However, I'd like to control this outside of modules. A use case is for > example a playbook doing things: > > - name: Get AWS credentials > set_fact: > aws_creds: "{{ lookup('passwordstate', aws_iam_ansible_passwordstate_id) > }}" > > - name: Grab username and password from creds > set_fact: > aws_access_key: "{{ aws_creds['username'] }}" > aws_secret_key: "{{ aws_creds['password'] }}" > > I want to be able to flag parameters as "globally hidden", not just as > module outputs. I know I can use no_log, but that would hide _all_ output > from a step, which makes it hard to troubleshoot stuff (this is what we're > doing today, and having to temporarily turn off the no_log flag when > troubleshooting is a headache. > > Is there anyway to (for example) set ansible.cfg to always hide the value > of variables called aws_access_key, regardless of playbook/play/task/role? > > > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/dd1a4738-8c8d-4baa-bc4d-2670da05bedb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.