How can I use github secrets in Ansible play without them being visible in clear text?
Currently, I invoke an Ansible play using the "Oracle Linux Automation Manager" API from GitHub Actions.
While calling the Ansible job via the API, we pass a GitHub secret as extra vars to the Ansible play, like here: --extra-vars "DBpass=${{ secrets.myteamtoken }}" .
However, this secret is visible in clear text in Ansible logs when I invoke a Mongo database command like the below:
docker exec -ti {{ container_name }} mongoimport --port {{ DBport }} --authenticationDatabase '$external' --authenticationMechanism PLAIN -u '{{ DBuser }}' -p '{{ DBpass }}' --jsonArray --type=json --file audit/scripts/json/{{ item | basename }} --legacy
Note: the GitHub runner and the Ansible agents are on different hosts.
Can you please suggest how I can make sure that the DBpass from GitHub is not visible when used in the Ansible play?
Saving this and many such credentials in Oracle Linux Automation Manager / Ansible Vault would be an overhead that I wish to avoid. Changing passwords in github as well as Ansible would be a trivial/redundant effort.
Not sure if it will help, but to address the password issue in logs:
Add no_log: true to the tasks where the passwords are in use (for example, tasks with DBpass in your case). See the example and explanation in the official FAQ.
Also consider diff: no for those tasks.
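An added example (not part of the original question or answer) showing the answer's no_log: true and diff: no applied to the mongoimport task from the question. The db_hosts group, the container_name, DBport and DBuser variables, and the audit/scripts/json/*.json path are assumptions; DBpass arrives via --extra-vars as in the question.

```yaml
# Added example, not from the original post: the question's mongoimport task
# with the secret-bearing task protected from log and diff output.
# Assumptions: container_name, DBport and DBuser are defined elsewhere;
# DBpass is passed with --extra-vars from the GitHub Actions job.
- name: Import audit JSON files into Mongo
  hosts: db_hosts            # assumed inventory group
  gather_facts: false
  vars:
    json_files: "{{ lookup('fileglob', 'audit/scripts/json/*.json', wantlist=True) }}"
  tasks:
    - name: Import each JSON file (password hidden from task output and diffs)
      ansible.builtin.command:
        # argv avoids a shell, so '$external' needs no shell quoting;
        # docker's -ti is dropped because the task runs without a TTY.
        argv:
          - docker
          - exec
          - "{{ container_name }}"
          - mongoimport
          - --port
          - "{{ DBport }}"
          - --authenticationDatabase
          - "$external"
          - --authenticationMechanism
          - PLAIN
          - -u
          - "{{ DBuser }}"
          - -p
          - "{{ DBpass }}"
          - --jsonArray
          - --type=json
          - --file
          - "audit/scripts/json/{{ item | basename }}"
          - --legacy
      loop: "{{ json_files }}"
      loop_control:
        label: "{{ item | basename }}"  # the loop label never contains DBpass
      no_log: true    # hides the rendered command, its stdout/stderr and the item
      diff: false     # no diff output for this task even when run with --diff
      changed_when: true
```

Because no_log also suppresses the task's error output on failure, keep it scoped to the tasks that actually handle DBpass rather than setting it play-wide.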