Do not display sensitive data with stdout callback

[dangoncalves]

SUMMARY

Currently retrieving any data in Hashicorp Vault does not provide any protection in order to prevent secret data leaks.

Unfortunately we cannot do anything special while stdout callback cannot know what is sensitive data and what is not.

I just opened this issue on ansible side in order to provide a way to inform stdout callback that this is sensitive data. Then we could prevent any secret data leaks.

ISSUE TYPE

• Feature Idea

COMPONENT NAME

parsing.yaml

ADDITIONAL INFORMATION

---
name: Custom data type
hosts: all
vars:
    my_var: "{{ lookup('hashi_vault','secret=secret/data/path/to/my namespace=my-namespace').secret }}"

  tasks:
    - name: Debug secret
      debug:
        var: my_var

Should display

PLAY [Debug Extra vars] ********************************************************
TASK [Gathering Facts] *********************************************************
ok: [127.0.0.1]
TASK [Debug organization_name] *************************************************
ok: [127.0.0.1] => {
    "my_var": "!community.hashi_vault.sensitive-data 'Anything that is defined in the collection\'s parser'"
}
PLAY RECAP *********************************************************************
127.0.0.1                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[briantist]

Hi @dangoncalves , welcome!

I've replied in the ansible-core issue: ansible/ansible#81201 (comment)

Basically, to do this now you should use no_log: true on tasks where you don't want to expose secret data.

Until/unless core adds some other type of support for this, there is nothing we can do at the plugin/module level to address it really.

Once there's something concrete in core, we'll definitely look to make use of it in this collection since we deal directly with secrets and sensitive data.

Will leave this open as a discussion for others to find and add to the conversation.

[dangoncalves]

Hello @briantist,

Of course, I know no_log: true, but on an AWX instance with multiple users, it's difficult to control this is used everywhere it's needed.
So having a mechanism that handle secret displaying for end-user would be very useful

[briantist]

I get where you're coming from but there's nothing a collection can really do, the change you want either belongs in the core engine or in AWX.