Tags: ansible, github-actions, masking, github-secret

Use github secret in Ansible play without making it clear text


How can I use github secrets in Ansible play without them being visible in clear text?

Currently, I invoke ansible play using the “oracle linux automation manager” API from github actions.

While calling the ansible job using the API, we pass the github secret as extra-vars to the ansible play, like here: --extra-vars "DBpass=${{ secrets.myteamtoken }}" .

However, this secret is visible in clear text in the Ansible logs when I invoke a Mongo database command such as the one below:

docker exec -ti {{ container_name }} mongoimport --port {{ DBport }} --authenticationDatabase '$external' --authenticationMechanism PLAIN -u '{{ DBuser }}' -p '{{ DBpass }}' --jsonArray --type=json --file audit/scripts/json/{{ item | basename }} --legacy

Note: github runner and ansible agents are on different hosts.

Can you please suggest how I can make sure that the DBpass from github is not visible when used in Ansible-play?

Saving this and many such credentials in Oracle Linux Automation Manager / Ansible Vault would be an overhead that I wish to avoid. Changing passwords in github as well as Ansible would be a trivial/redundant effort.


Solution

  • Not sure if it will help, but to address the password issue in logs:

    However, this secret is visible in clear text in Ansible logs […]

    Add no_log: true to the tasks where the passwords are in use (for example, tasks with DBpass in your case). See the example and explanation in the official FAQ.
    Also consider diff: no for those tasks.
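To illustrate the answer, here is a playbook fragment (an added example, not code from the question or the answer) that wraps the mongoimport task from the question with no_log and diff suppression. The variable names container_name, DBport, DBuser and DBpass are taken from the question; the play name, host group, sample values and the fileglob loop are assumptions.

```yaml
# Added example, not from the original post. Assumed play/host names;
# sample values for container_name, DBport and DBuser are constructed.
# DBpass is expected to arrive via --extra-vars, exactly as in the question.
- name: Import audit JSON into Mongo
  hosts: db_hosts                # assumption
  vars:
    container_name: mongo        # constructed sample value
    DBport: 27017                # constructed sample value
    DBuser: auditor              # constructed sample value
  tasks:
    - name: Load audit JSON files (credential never reaches the task log)
      ansible.builtin.command: >
        docker exec -i {{ container_name }} mongoimport
        --port {{ DBport }}
        --authenticationDatabase '$external'
        --authenticationMechanism PLAIN
        -u '{{ DBuser }}' -p '{{ DBpass }}'
        --jsonArray --type=json
        --file audit/scripts/json/{{ item | basename }} --legacy
      # -t from the question's "docker exec -ti" is dropped: there is no TTY
      # when Ansible runs the command.
      loop: "{{ query('fileglob', 'audit/scripts/json/*.json') }}"
      no_log: true      # hides the rendered command line, and thus DBpass, from output
      diff: false       # equivalent to "diff: no"; no diff output for this task
      register: import_result
      changed_when: import_result.rc == 0

    - name: Report outcome without echoing the command
      ansible.builtin.debug:
        msg: "mongoimport exit codes: {{ import_result.results | map(attribute='rc') | list }}"
```

Two things worth knowing when relying on this: no_log only suppresses what the task itself logs, so a later debug task must not print the registered result wholesale (it still contains the full command); and the value handed in with --extra-vars on the command line of the controller process is visible to anyone who can list processes on that host, which no_log does not address.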