Do not log passwords

ID: no_log_password

Severity: low

Vendor: Ansible

Resource: General Security

Tags: reachable

Description

When a task loops over secrets, Ansible echoes each loop item in the task's result, so the secrets end up in console output and logs. To avoid this, add no_log: true to the task.

Learn more about this topic at Ansible no log password.

Examples

- hosts: all
  tasks:
    - name: Fail when no_log is set to no
      user:
        name: john_doe
        password: "{{ item }}"
        state: absent
      no_log: no   # every loop item (the passwords) is printed in the task output
      loop:
        - wow
        - now

Mitigation / Fix

- hosts: all
  tasks:
    - name: Fail when no_log is set to no
      user:
        name: john_doe
        password: "{{ item }}"
        state: absent
      no_log: yes   # loop items are hidden from task output and logs
      loop:
        - wow
        - now
- hosts: all
  tasks:
    - name: Fail when no_log is set to no
      user:
        name: john_doe
        password: "{{ item }}"
        state: absent
      no_log: True   # equivalent spelling; any YAML/Ansible boolean true is accepted
      loop:
        - wow
        - now
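The check this rule describes can be reproduced as a small scanner. The following is an added example written for this page, not the rule engine's or Ansible's own code: it walks a playbook that has already been parsed into Python structures (the shape yaml.safe_load would return) and flags tasks that pass a secret-looking module argument, iterate with loop or any with_* keyword, and do not have no_log enabled. The SECRET_PARAMS list, the TASK_KEYWORDS set and the sample playbook are constructed for the example; the sample reuses the page's john_doe task in its broken and fixed forms plus a few variants.

```python
"""Flag Ansible tasks that loop over secrets without no_log turned on.

Hypothetical checker for the no_log_password rule. It operates on a
playbook already loaded into Python lists/dicts (what yaml.safe_load
returns), so it runs offline without PyYAML.
"""

# Module argument names treated as secrets (constructed list for this example).
SECRET_PARAMS = {"password", "passwd", "secret", "token", "api_key", "private_key"}

# Task-level keywords that are not module invocations (constructed subset).
TASK_KEYWORDS = {
    "name", "no_log", "when", "register", "become", "become_user", "vars",
    "tags", "loop_control", "ignore_errors", "changed_when", "failed_when",
    "delegate_to", "notify", "environment", "until", "retries", "delay",
}


def is_loop_key(key):
    """Both the modern `loop` keyword and the legacy with_* lookups iterate."""
    return key == "loop" or key.startswith("with_")


def no_log_enabled(value):
    """Normalise the spellings of a true no_log (YAML bool or a string)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true", "on", "1"}
    return False


def find_secret_params(task):
    """Return secret-looking argument names found in the task's module args."""
    found = []
    for key, value in task.items():
        if key in TASK_KEYWORDS or is_loop_key(key) or not isinstance(value, dict):
            continue
        # Whatever remains is `module_name: {args}` (or the explicit `args:` form).
        found.extend(arg for arg in value if arg.lower() in SECRET_PARAMS)
    return found


def check_playbook(playbook):
    """Return findings as (play_index, task_name, secret_params) tuples."""
    findings = []
    for play_idx, play in enumerate(playbook):
        tasks = play.get("pre_tasks", []) + play.get("tasks", []) + play.get("post_tasks", [])
        for task in tasks:
            if not any(is_loop_key(k) for k in task):
                continue  # no loop, so nothing is echoed per item
            secrets = find_secret_params(task)
            if secrets and not no_log_enabled(task.get("no_log")):
                findings.append((play_idx, task.get("name", "<unnamed>"), secrets))
    return findings


# Constructed sample playbook, as yaml.safe_load would parse it
# (YAML 1.1 loads bare `no`/`yes` as False/True).
USER_ARGS = {"name": "john_doe", "password": "{{ item }}", "state": "absent"}
SAMPLE_PLAYBOOK = [
    {"hosts": "all", "tasks": [
        {"name": "Fail when no_log is set to no", "user": dict(USER_ARGS),
         "no_log": False, "loop": ["wow", "now"]},
        {"name": "Fixed with no_log: yes", "user": dict(USER_ARGS),
         "no_log": True, "loop": ["wow", "now"]},
        {"name": "Legacy with_items and quoted no_log", "user": dict(USER_ARGS),
         "no_log": "True", "with_items": ["wow", "now"]},
        {"name": "Missing no_log entirely", "user": dict(USER_ARGS),
         "with_items": ["wow", "now"]},
        {"name": "Loop without a secret is fine",
         "file": {"path": "{{ item }}", "state": "absent"}, "loop": ["/tmp/a"]},
    ]},
]


if __name__ == "__main__":
    for play_idx, name, secrets in check_playbook(SAMPLE_PLAYBOOK):
        print(f"play {play_idx}: task '{name}' loops over {secrets} without no_log")
```

Running it reports the page's original task and the one that omits no_log altogether; the two fixed spellings and the secret-free loop pass. Because no_log also hides a failing task's error details, it is common to switch it off while debugging and forget to restore it, which is exactly the state the first finding represents.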