Ansible Vault Passwords Exposed in Plain Text During Execution

Question

I am actually using Ansible to create user, with passwords stored in an Ansible Vault.

However, I've encountered an issue where the passwords, despite being in the Ansible Vault, are displayed in plain text in the console output during playbook execution.

The relevant section of my playbook looks like this:

- name: Create users
  become: true
  user:
    name: "{{ item.name }}"
    groups: "{{ item.groups }}"
    password: "{{ item.password | password_hash('sha512', 'salt') }}"
    update_password: on_create
    state: present
    append: yes
    shell: "{{ item.shell }}"
  with_items: "{{ users }}"

When I run the playbook, it exposes passwords in plain text like this:

ok: [homeserver] => (item={'name': 'user1', 'groups': ['sambashare'], 'password': 'password', 'shell': '/sbin/nologin'})
ok: [homeserver] => (item={'name': 'user2', 'groups': ['sambashare'], 'password': 'azerty123', 'shell': '/sbin/nologin'})

I've tried the no_log: True option, but it completely suppresses logging for the task, which isn't what I want. I've also tried nested variable references like "{{ '{{vaulted_password}}' | password_hash('sha512') }}", but they don't seem to work.

I want to keep logging enabled for debugging purposes, but I need to prevent the plain text passwords from appearing in the output. Ideally, I would like the output to show hashed versions of the passwords instead of the plain text.

Is there a way to keep my logs clean of sensitive data while still keeping the logging for other non-sensitive information?

I would appreciate any help or suggestions.

EDIT : It seems to be a limitation of ansible's user module that prevents me from managing my user list. I haven't found a real solution, but Zeitounator's answer may be a workaround.

Answer 1

... I'd prefer a solution where the password is just printed hashed with or without verbosity ...

The already here given answer, which I recommend to accept is providing the base for that. One need just to adopt it. One approach could be in example

---
- hosts: localhost
  become: false
  gather_facts: false

  vars:

    users:
      - name: Alice
        password: alice
      - name: Bob
        password: bob

  tasks:

  - name: Show password
    debug:
      msg: "{{ item.password | password_hash('sha512', 12345 | random(seed=item.name) | string )  }}"
    loop_control:
      label: "Hashed Password: {{ item.password | password_hash('sha512', 12345 | random(seed=item.name) | string ) }}"
    loop: "{{ users }}"

resulting into an output of

TASK [Show password] ***********************************************************************************************************************
ok: [localhost] => (item=Hashed Password: $6$9509$KxHmwtdpZr7T3VVFbMY3aKNqzTH1wueUj2t90mDPa3jKmbBhD.VLN130tHZITbPjJzzbPjlvTZ7KDRWPd4X3c.) =>
  msg: $6$9509$KxHmwtdpZr7T3VVFbMY3aKNqzTH1wueUj2t90mDPa3jKmbBhD.VLN130tHZITbPjJzzbPjlvTZ7KDRWPd4X3c.
ok: [localhost] => (item=Hashed Password: $6$5478$dN.k/AGg.30g/aNdGhmQXeMuAdLvXVwBpI5gfohobVr7PdxMDkxeeXUk8GtQgl4PJHNGa33RQYVbHEvOn.ya61) =>
  msg: $6$5478$dN.k/AGg.30g/aNdGhmQXeMuAdLvXVwBpI5gfohobVr7PdxMDkxeeXUk8GtQgl4PJHNGa33RQYVbHEvOn.ya61

Credits To

• Generate reusable non-random but strong password with Ansible from a seed

Answer 2

The issue here is the output of the loop item. As a quick fix:

- name: Create users
  become: true
  ansible.builtin.user:
    name: "{{ item.name }}"
    groups: "{{ item.groups }}"
    password: "{{ item.password | password_hash('sha512', 'salt') }}"
    update_password: on_create
    state: present
    append: yes
    shell: "{{ item.shell }}"
  with_items: "{{ users }}"
  loop_control:
    label: "{{ item | combine({password: 'redacted'}) }}"

You can set label to whatever best suit your need. See limiting loop output with label

Please note that the above is not bullet proof and that the original password might still be available while running your playbook in verbose mode (depending on the module... I believe that user makes a rather good job on this one but you have to check...) and/or if you register the result of the looped task and output the result (where the orginal item will be available for each result element).