
hashivault_read exposes secrets in logs

Open itadmin-nyiax opened this issue 3 years ago • 4 comments

Running Ansible with verbose flags exposes secrets read from Vault, which results in them being preserved in the logs of systems like Jenkins and Rundeck. Not sure if this is fixed in newer versions (currently on 4.6.3 due to Ansible 2.9 being in use) or if it is possible to address at all.

Example:

- hashivault_read:
    mount_point: "secret_engine"
    secret: "secret_name"
    key: "secret_key"
    version: 2
  delegate_to: localhost

Will yield something like this in the logs:

ok: [superserver -> localhost] => {"changed": false, "lease_duration": 0, "lease_id": "", "rc": 0, "renewable": false, "value": "Should Be Secret"}

itadmin-nyiax, Aug 10 '22 17:08

This was a limitation of Ansible in the past. There was no way to redact these, and Ansible's stance was: don't log it if you don't want to see it.

TerryHowe, Aug 10 '22 19:08

@TerryHowe does it mean it was fixed since then or something that can be fixed?

kuzemchik, Aug 10 '22 19:08

I'm not entirely sure if something can be done about it now. Would the lookup plugin work better for you?

TerryHowe, Aug 10 '22 21:08

@TerryHowe I have lookups with dynamic keys, so I need it in a step. Not sure what is happening in vars, but it is not my use case anyway. I use lookups within set_fact with:

- set_fact:
    some_secret: "{{ lookup('hashi_vault', 'secret=secret:field') }}"
  no_log: true
  diff: no

But that basically means that if anyone forgot to add no_log statements, secrets need to be rotated.

kuzemchik, Aug 10 '22 22:08
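As a compensating control for the case kuzemchik describes (someone forgot `no_log: true`, so a CI system such as Jenkins or Rundeck already holds the output), here is an added example, not code from this project or the thread, of a log scrubber that recognises the `ok: [host] => {...}` result lines quoted in the issue, redacts the `value` field of hashivault_read results and counts how many lines leaked so the affected secrets can be rotated. The marker keys, the `[REDACTED]` token and the sample log are assumptions constructed for the example; `no_log: true` on the task remains the primary fix.

```python
import json
import re

# Matches the "ok: [host -> delegate] => {json}" result lines Ansible prints in
# verbose mode, in the form quoted in the issue above.
RESULT_RE = re.compile(r'^(?P<prefix>\w+: \[[^\]]+\] => )(?P<body>\{.*\})\s*$')

# Keys that identify a hashivault_read result (assumption based on the quoted
# line); "value" is where the secret lands, "data" covers whole-secret reads.
VAULT_MARKERS = {"lease_id", "lease_duration", "renewable"}
SECRET_KEYS = {"value", "data"}
REDACTED = "[REDACTED]"


def redact_vault_result(line):
    """Return (redacted_line, leaked) for one line of Ansible output.

    leaked is True when the line carried a hashivault_read result whose
    secret field was printed in the clear.
    """
    m = RESULT_RE.match(line)
    if not m:
        return line, False
    try:
        result = json.loads(m.group("body"))
    except ValueError:
        return line, False          # not a JSON task result, leave untouched
    if not VAULT_MARKERS.issubset(result):
        return line, False          # some other module's output
    leaked = False
    for key in SECRET_KEYS:
        if key in result and result[key] not in (None, "", REDACTED):
            result[key] = REDACTED
            leaked = True
    return m.group("prefix") + json.dumps(result, sort_keys=True), leaked


def scan_log(lines):
    """Redact every leaked Vault value and report how many lines leaked."""
    cleaned, leaks = [], 0
    for line in lines:
        out, leaked = redact_vault_result(line)
        cleaned.append(out)
        leaks += int(leaked)
    return cleaned, leaks


# Constructed sample: the line quoted in the issue plus an unrelated task result.
SAMPLE_LOG = [
    'ok: [superserver -> localhost] => {"changed": false, "lease_duration": 0, "lease_id": "", "rc": 0, "renewable": false, "value": "Should Be Secret"}',
    'ok: [superserver] => {"changed": false, "ping": "pong"}',
]

if __name__ == "__main__":
    out, n = scan_log(SAMPLE_LOG)
    print("\n".join(out))
    print(f"{n} line(s) leaked Vault data")
```

A non-zero leak count is the signal to rotate the secrets involved, since the scrubber only cleans the copy of the log it is given.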