Sometimes I would like to use Ansible's lineinfile or blockinfile modules to write a password into some configuration file. If I do so, the whole line or block, password included, ends up in my syslog.
As I don't consider syslog to be a secure place to have my passwords stored in, how can I tell Ansible not to leak my password into syslog? I hope there is a way to do this, otherwise I would consider this to be a big security problem in Ansible.
You can reproduce it for example with this ad-hoc command:
ansible localhost -m blockinfile -a 'dest=/tmp/ansible_password_leak create=yes block="Password = {{password}}"' -e 'password=secret'
Here is what ends up in syslog:
ansible-blockinfile: Invoked with directory_mode=None force=None remote_src=None insertafter=None owner=None follow=False marker=# {mark} ANSIBLE MANAGED BLOCK group=None insertbefore=None create=True setype=None content=None serole=None state=present dest=/tmp/ansible_password_leak selevel=None regexp=None validate=None src=None seuser=None delimiter=None mode=None backup=False block=Password = secret
For the example I used Ansible 2.0.0.2 from the official Ansible Ubuntu PPA on a Debian "Jessie" 8 system.
The no_log attribute hides data in syslog. It can be applied to a single task or the playbook:
Debugging is not really possible when activated, so it is recommended to use it only for single tasks. This feature is available since version 1.5 of Ansible. As stated in the release announcement for the 1.5 release:
passwords should be filtered in most cases.
I developed a callback plugin to hide passwords in the default output. It parses the output dictionary for keys that contain "password" and, for each of them, replaces the value with ********.
Create a file named protect_data.py in folder ./plugins/callback and add this code :
In file ansible.cfg, set stdout_callback to this plugin's name (stdout_callback=protect_data) and set callback_plugins to ./plugins/callback.
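The following is an added example of the key-based redaction the answer above describes; it is not the answer author's protect_data.py and not part of Ansible. The plugin skeleton assumes Ansible 2.x's default stdout callback (ansible.plugins.callback.default.CallbackModule) and falls back so the redaction function can be run without Ansible installed. Two caveats worth seeing in code: matching on key names misses a password embedded in another value, such as the block content in the question (block=Password = secret), so the example also accepts a list of known secret strings to mask inside any value (fed from a PROTECT_DATA_SECRETS environment variable that is this example's own convention, not an Ansible setting); and a stdout callback only changes what the controller prints, while the syslog line in the question is written by the module on the managed host, which only no_log suppresses.

```python
# Added example, not the answer author's plugin: a stdout callback that masks
# password-like keys (and optionally known secret strings) in task results
# before the default plugin prints them.
import os
import re

MASK = "********"
SENSITIVE_KEY = re.compile(r"password", re.IGNORECASE)

try:                       # Ansible 2.x on Python 2 hands us unicode strings
    string_types = (str, unicode)  # noqa: F821
except NameError:
    string_types = (str,)


def redact(obj, secrets=()):
    """Return a copy of obj with sensitive data masked.

    - Any value stored under a key whose name contains "password" is replaced
      by MASK, recursing through nested dicts and lists (module results are
      JSON-like, e.g. result['invocation']['module_args']).
    - Every occurrence of each string in `secrets` is replaced inside string
      values, which catches passwords that live under innocuous keys such as
      the blockinfile `block` argument from the question.
    """
    if isinstance(obj, dict):
        return {
            key: (MASK if SENSITIVE_KEY.search(str(key)) else redact(value, secrets))
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact(item, secrets) for item in obj]
    if isinstance(obj, string_types):
        for secret in secrets:
            if secret:  # never replace the empty string
                obj = obj.replace(secret, MASK)
        return obj
    return obj


def secrets_from_env(env=os.environ):
    """Known secrets to mask, from PROTECT_DATA_SECRETS (comma separated).
    This variable is an assumption of this example, not an Ansible option."""
    return [s for s in env.get("PROTECT_DATA_SECRETS", "").split(",") if s]


def sample_result():
    """Constructed task result modelled on the blockinfile call in the question."""
    return {
        "changed": True,
        "msg": "Block inserted",
        "invocation": {
            "module_name": "blockinfile",
            "module_args": {
                "dest": "/tmp/ansible_password_leak",
                "block": "Password = secret",   # secret under a harmless key
                "db_password": "secret",         # secret under a password-like key
            },
        },
    }


try:
    from ansible.plugins.callback.default import CallbackModule as _Default
except ImportError:  # allows running/testing redact() outside an Ansible install
    _Default = object


class CallbackModule(_Default):
    """stdout callback: select with stdout_callback=protect_data in ansible.cfg
    and point callback_plugins at the directory holding this file."""
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = 'stdout'
    CALLBACK_NAME = 'protect_data'

    def _redact(self, result):
        # result._result is the plain dict the default plugin dumps on screen
        result._result = redact(result._result, secrets_from_env())

    def v2_runner_on_ok(self, result):
        self._redact(result)
        _Default.v2_runner_on_ok(self, result)

    def v2_runner_on_failed(self, result, ignore_errors=False):
        self._redact(result)
        _Default.v2_runner_on_failed(self, result, ignore_errors)


if __name__ == "__main__":
    print(redact(sample_result()))
    print(redact(sample_result(), secrets=["secret"]))
```

Running the file directly prints the constructed result twice: key-based masking alone leaves "Password = secret" visible under block, and the second call with the secret listed masks it. Note that a redacting stdout callback is a defence for terminal and CI logs only; for the syslog leak in the question, no_log on the task is still required.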
One might suggest that using Vault instead would obviate the problem.