How can I use GitHub secrets in an Ansible play without them being visible in clear text?
Currently, I invoke the Ansible play using the “Oracle Linux Automation Manager” API from GitHub Actions.
While calling the Ansible job via the API, we pass the GitHub secret as extra vars to the Ansible play, like this: --extra-vars "DBpass=${{ secrets.myteamtoken }}"
However, this secret is visible in clear text in the Ansible logs when I invoke a Mongo database command like the one below:
docker exec -ti {{ container_name }} mongoimport --port {{ DBport }} --authenticationDatabase '$external' --authenticationMechanism PLAIN -u '{{ DBuser }}' -p '{{ DBpass }}' --jsonArray --type=json --file audit/scripts/json/{{ item | basename }} --legacy
Note: the GitHub runner and the Ansible agents are on different hosts.
Can you please suggest how I can make sure that the DBpass from GitHub is not visible when used in the Ansible play?
Saving this and many such credentials in Oracle Linux Automation Manager / Ansible Vault would be an overhead that I wish to avoid. Changing passwords in GitHub as well as in Ansible would be a trivial/redundant effort.
Not sure if it will help, but to address the password issue in the logs ("However, this secret is visible in clear text in Ansible logs […]"):
Add no_log: true to the tasks where the passwords are in use (for example, the tasks with DBpass in your case). See the example and explanation in the official FAQ.
Also consider adding diff: no to those tasks.
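For illustration, here is an added playbook fragment (not part of the question or the answer) that applies the answer's no_log / diff settings to the mongoimport task from the question. The play name, the db_hosts inventory group, the sample values for container_name, DBport and DBuser, and the use of ansible.builtin.command with with_fileglob are all assumptions; DBpass is still expected to arrive through --extra-vars exactly as the question describes.

```yaml
# Added example, not from the question or answer. Hosts, variable values and the
# fileglob pattern are assumed; DBpass comes from the job's --extra-vars and is
# deliberately not defined here.
- name: Import audit JSON files into MongoDB
  hosts: db_hosts            # assumed inventory group
  vars:
    container_name: mongo    # assumed sample value
    DBport: 27017            # assumed sample value
    DBuser: audit_user       # assumed sample value
  tasks:
    - name: Load JSON documents with mongoimport
      # command (not shell) keeps '$external' literal: no shell expansion happens.
      # -t is dropped because an Ansible task has no TTY to allocate.
      ansible.builtin.command: >
        docker exec -i {{ container_name }} mongoimport
        --port {{ DBport }}
        --authenticationDatabase '$external'
        --authenticationMechanism PLAIN
        -u '{{ DBuser }}' -p '{{ DBpass }}'
        --jsonArray --type=json
        --file audit/scripts/json/{{ item | basename }} --legacy
      with_fileglob: "audit/scripts/json/*.json"   # assumed pattern
      # no_log: true keeps the rendered command line, the loop item and the module
      # result (stdout, stderr and any failure message) out of Ansible's output and
      # logs, so the expanded DBpass value is never written there.
      no_log: true
      # diff: no suppresses the before/after diff that --diff mode would otherwise
      # print for this task.
      diff: no
```

Because no_log: true also hides the module's error text, a failing run of this task shows only that it failed; a common way to keep the task debuggable is to set the keyword from a variable (for example no_log: "{{ hide_secrets | default(true) }}") and switch it off only on a throwaway run without a real password. no_log only governs what Ansible itself records: any other task that prints DBpass (a debug task, a templated file whose contents are shown) still has to be protected on its own.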