V Mahaja

Reputation: 365

Ansible vault shows decrypted values if playbooks executed with debug mode

I am using ansible vault to encrypt the password, but when I am using debug mode it shows the password as plain text. Consider the code below.

Generate ansible-vault encrypted password

ansible-vault encrypt_string 'abc123' --name ansible_ssh_pass > inventory/group_vars/all.yml

test.yml

- name: Vault test
  hosts: group_1
  tasks:
    - name: Read Json
      set_fact:
        version_file: "{{ lookup('template', 'template/test.j2') | to_json }}"
      run_once: true

inventory/hosts

[group_1]
xxx.xxx.com ansible_host=xx.xx.xx.xx ansible_user=root
xxx.xxx.com ansible_host=xx.xx.xx.xx ansible_user=root

template/test.j2

{ "host" : "xxx.xxx.com",
  "username" : "root",
  "password" : "{{ hostvars[groups['group_1'][0]]['ansible_ssh_pass'] }}"  }

Playbook execution

ansible-playbook -i inventory/hosts test.yml --ask-vault-pass -vvv

Output

TASK [Read Json] ******************************************************************************************************************************************
task path: /test/test.yml:5
ok: [xxx.xxx.com] => {
    "ansible_facts": {
        "version_file": "\"{ \\\"host\\\" : \\\"xxx.xxx.com\\\",\\n  \\\"username\\\" : \\\"root\\\",\\n  \\\"password\\\" : \\\"abc123\\n\\\"  }\\n\""
    },
    "changed": false,
    "failed": false
}

Is there any way to avoid this?

Upvotes: 1

Views: 2222

Answers (3)

Andrew Stiver

Reputation: 1

This seems to be either a bug, an oversight, or a questionable design choice by the ansible maintainers. I re-opened another issue here https://github.com/ansible/ansible/issues/82172 to prompt more discussion about this choice with the maintainers.

Also, no_log does not prevent verbose output from appearing, which will contain vault-encrypted variable values in plaintext. Even if that did work, anyone who has access to the repository could just set no_log to false and have access to all vault-encrypted variables, completely circumventing any security provided by encrypting variables with ansible-vault.

Upvotes: 0

Joe Cove

Reputation: 7

To protect the data you can use no_log: true

Upvotes: 0

Alvaro Niño

Reputation: 567

AFAIK ansible vault encrypts passwords, although they can be visible if you use verbose options... For this you have to add to your playbook the option:

no_log: true

Take a look at this link as they say:

I don't believe Ansible keeps track of what came from the vault. To protect the data you can use no_log: true

Upvotes: 3
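The questioner's playbook with `no_log: true` applied, as an added example (not code from the question or from any of the answers). It assumes the same inventory, `template/test.j2` and vaulted `ansible_ssh_pass` shown in the question; the second task is a hypothetical follow-up added to show where the value would otherwise leak again.

```yaml
# Added example: the question's test.yml with the task result censored.
# Assumes the inventory, template/test.j2 and vaulted ansible_ssh_pass
# from the question.
- name: Vault test
  hosts: group_1
  tasks:
    - name: Read Json
      set_fact:
        version_file: "{{ lookup('template', 'template/test.j2') | to_json }}"
      run_once: true
      # Censor this task's result at every verbosity level. With -vvv the
      # "ansible_facts" dict (which contains the rendered password) is
      # replaced by:
      #   "censored": "the output has been hidden due to the fact that
      #                'no_log: true' was specified for this result"
      no_log: true

    # Caveat: no_log only hides the result of the task it is set on. The
    # fact itself still lives in hostvars, so any later task that prints it
    # (this one is hypothetical) would expose the plaintext again unless it
    # is censored as well.
    - name: Use the rendered JSON later in the play
      debug:
        var: version_file
      no_log: true
```

`no_log: true` can be set per task (as above) or on the whole play; it controls what Ansible prints and logs, not what ends up in facts, so treat it as a display-side control and grep a `-vvv` run for the secret before relying on it. Note that a vault-encrypted variable is always decrypted in memory when the play runs; the vault protects the value at rest in the repository, and `no_log` is what keeps it out of the console and log files.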
