Looks like this has been fixed in v2.0; I can use *with_items* with *no_log: True*.



On Friday, 5 December 2014 11:35:54 UTC+11, Michael DeHaan wrote:
>
> yeah it's important for debug that we show the loop counter of the item, 
> so we don't hide that with no_log.  I think most times people would want to 
> see what task is exec'ing in the loop - there could be hundreds.
>
> Now, here's the trick I was alluding to on Twitter:
>
> in group_vars/foo or wherever, assume a vault-encrypted file:
>
> user_details:
>     timmy:
>        username: timmy
>        password: foo
>     jimmy: 
>        username: jimmy
>        password: bar
>
> And in your playbook:
>
>  - shell: some task ... {{ user_details[item]['password'] }} ...
>    with_items: user_names
>    no_log: True
>
> And this way it will print the name on each loop indicator, but not the 
> details that you don't want to show
>     
> There are a couple of other ways to do this, the main trick is just don't 
> loop over the sensitive items.   I believe we have a keys() filter to use 
> or there's one in stock Jinja that makes this easier as well.
>
>
>
>
>
> On Thu, Dec 4, 2014 at 3:54 PM, Frederic Lemay <[email protected]> wrote:
>
>> Hi,
>>
>> Sometimes playbooks need sensitive information like username/password and 
>> you may want to hide it from your log. So you can use the no_log feature and 
>> in most cases, it works. However, using it with with_items does not.
>>
>> The following simple example demonstrates it.
>>
>> Ansible version 1.8.1:
>>
>> *test.yml*
>> ---
>> - hosts: 127.0.0.1
>>   vars_files:
>>     - vars.yml
>>   tasks:
>>     - shell: "echo {{ username }} {{ password }}"
>>       register: result
>>       with_items: auth
>>       no_log: True
>>  
>>     - fail: msg="something bad"
>>       when: result is defined and item.rc != 0
>>       with_items: result.results
>>       no_log: True
>>
>> *vars.yml*
>> ---
>> auth:
>>
>>   - { username: user1, password: pass1 }
>>   - { username: user2, password: pass2 }
>>   - { username: user3, password: pass3 }
>>
>> Command: ansible-playbook -v test.yml
>>
>> Result is shown below!
>>
>> Any thoughts?
>>
>> If you use -vv, *no_log* will not hide anything (I know it is intended to be 
>> used with -v only). I personally think it would be nice to have the option 
>> to display {{ password }} instead of the real password. I could still 
>> benefit from having more information in the log and at the same time not 
>> worrying about displaying sensitive information. It is more useful to see 
>> something like "echo {{ username }} {{ password }}" in the log rather than 
>> "censored": "results hidden due to no_log parameter".
>>
>>
>>
>> ====
>>
>> root@553a7fa15e9f:/opt/workspace# ansible-playbook -v test.yml
>>
>> PLAY [127.0.0.1] 
>> **************************************************************
>>
>> GATHERING FACTS 
>> ***************************************************************
>> ok: [127.0.0.1]
>>
>> TASK: [shell echo {{ username }} {{ password }}] 
>> ******************************
>> changed: [127.0.0.1] => {"censored": "results hidden due to no_log 
>> parameter", "changed": true, "rc": 0}
>> changed: [127.0.0.1] => {"censored": "results hidden due to no_log 
>> parameter", "changed": true, "rc": 0}
>> changed: [127.0.0.1] => {"censored": "results hidden due to no_log 
>> parameter", "changed": true, "rc": 0}
>>
>> TASK: [fail msg="something bad"] 
>> **********************************************
>> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': 
>> u'2014-11-26 03:18:53.800823', u'stderr': u'', u'stdout': u'user4 pass4', 
>> u'changed': True, u'rc': 0, 'item': {'username': 'user1', 'password': 
>> 'pass1'}, u'warnings': [], u'delta': u'0:00:00.065612', 'invocation': 
>> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': 
>> u'2014-11-26 03:18:53.735211'})
>> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': 
>> u'2014-11-26 03:18:53.917499', u'stderr': u'', u'stdout': u'user4 pass4', 
>> u'changed': True, u'rc': 0, 'item': {'username': 'user2', 'password': 
>> 'pass2'}, u'warnings': [], u'delta': u'0:00:00.062923', 'invocation': 
>> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': 
>> u'2014-11-26 03:18:53.854576'})
>> skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': 
>> u'2014-11-26 03:18:54.030859', u'stderr': u'', u'stdout': u'user4 pass4', 
>> u'changed': True, u'rc': 0, 'item': {'username': 'user3', 'password': 
>> 'pass3'}, u'warnings': [], u'delta': u'0:00:00.062825', 'invocation': 
>> {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': 
>> u'2014-11-26 03:18:53.968034'})
>>
>> PLAY RECAP 
>> ********************************************************************
>> 127.0.0.1                  : ok=3    changed=1    unreachable=0    failed=0
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/c781f8c0-c843-4ce4-a685-0dd9ac9e9746%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
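
The approach from the quoted reply, written out as one self-contained playbook for the original test case. This is an added example, not code from the thread: the `user_details` values are the sample names from the reply, inlined under `vars` instead of a vault-encrypted file, and the task names are made up. It assumes Ansible 2.x templating for `with_items`.

```yaml
---
# Added example. user_details is a constructed sample; in practice it lives
# in a vault-encrypted vars file, as in the reply quoted above.
- hosts: 127.0.0.1
  connection: local
  gather_facts: false
  vars:
    user_details:
      timmy:
        username: timmy
        password: foo
      jimmy:
        username: jimmy
        password: bar
  tasks:
    # The loop variable is only the dictionary key ("timmy", "jimmy"), so the
    # per-item indicator can never carry a password. The secret is looked up
    # inside the task arguments, which is the part no_log is there to censor.
    - name: run the command once per user name
      shell: "echo {{ user_details[item]['username'] }} {{ user_details[item]['password'] }}"
      register: result
      with_items: "{{ user_details.keys() | list }}"
      no_log: true

    # Each entry of result.results embeds the rendered command line (cmd,
    # stdout, invocation), so looping over it puts the secret back into the
    # item indicator. Reduce it to the return codes and test them in one step.
    # shell already fails on a non-zero rc; this check matters only when the
    # first task is allowed to continue, e.g. with ignore_errors.
    - name: fail if any iteration returned non-zero
      fail:
        msg: "something bad"
      when: result.results | map(attribute='rc') | select | list | length > 0
```

The second task is where the original test case leaked: its `with_items: result.results` made every registered result, including `cmd` and the original `item`, the loop item that gets printed.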
