
I am running a job in Jenkins which runs an Ansible playbook. The Ansible playbook fetches some credentials which I don't want printed in the Jenkins console log. The credentials are used in the same playbook for a curl command.

Is there a way to obfuscate just the password part with ****? If not, can the curl <...> be hidden so that only its output is printed in the log?

My code is something like this:

- name: curl
  shell: "curl -u '{{ user }}:{{ password }}'"
    you should be able to set `no_log: true` to hide password output on console – meaningqo Aug 07 '23 at 08:18
    From the doc: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#keep-secret-data "Note that the use of the no_log attribute does not prevent data from being shown when debugging Ansible itself through the ANSIBLE_DEBUG environment variable." – Titou Aug 07 '23 at 12:35

1 Answer

The no_log: true option will not prevent output when running the playbook in verbose (-vvv) mode.

I guess a better method is to store this command in a shell-script, let's say do_curl.sh, use the template or copy module to upload it to the Remote Machine and run it with shell or command module.

E.g.

#!/usr/bin/env bash
curl -u '{{ user }}:{{ password }}' "$@"

So you can use this for multiple requests:

shell: "do_curl.sh {{url}}"

If you don't want to leave the script (with the credentials) on the Target Machine, you can use file with state: absent to remove the script immediately after running it. (Also limit its file permissions in the copy/template task.)

If you don't want this script with the credentials on your Ansible Control Machine (and/or in the playbooks (git) repo), store it with the right permissions on the Target Machine. Or instantiate it as a template with credentials from Ansible Vault.

Peter Kuilboer
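
An added example (not code from the question or from either commenter or the answerer) that combines the `no_log: true` suggestion from the comments with the asker's second request, printing only curl's output: the credentials are fed to curl on stdin through `--config -`, so they appear neither in the task output nor on the command line in the target's process list. `api_url` and its value are hypothetical; `user` and `password` are assumed to be defined elsewhere, for example in an Ansible Vault file.

```yaml
- name: Call an authenticated endpoint without logging the credentials
  hosts: all
  gather_facts: false
  vars:
    # Hypothetical endpoint, used only for illustration.
    api_url: "https://api.example.invalid/status"
  tasks:
    - name: Run curl with the credentials supplied on stdin
      ansible.builtin.shell:
        # "--config -" makes curl read its options from stdin,
        # so the password is never part of the command line.
        cmd: curl --silent --show-error --fail --config -
        stdin: |
          user = "{{ user }}:{{ password }}"
          url = "{{ api_url }}"
      # Censors this task's arguments and result in the console output,
      # which is what Jenkins captures.
      no_log: true
      register: curl_result
      changed_when: false

    - name: Print only the response body
      # The registered variable still holds the real result, so this task
      # shows the output of curl without the invocation.
      ansible.builtin.debug:
        var: curl_result.stdout
```

As the Ansible FAQ passage quoted in the comments notes, `no_log` does not stop data from being shown when `ANSIBLE_DEBUG` is set. A password containing `"` or `\` must be escaped for curl's config-file syntax, and the response body itself is printed unfiltered.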