Hi; Please consider suppressing credentials output in: Manage Docker registry login credentials about ansible-docker HOT 8 CLOSED

Hi. Just general hiding, but ya, it is nice to see what is occurring without resorting to extra flags at runtime, etc.

Thank you for the support.

from ansible-docker.

Hi,

Were you thinking of doing this with no_log: true on that task?

from ansible-docker.

Hi.

Yup.

Thank you.

from ansible-docker.

I just pushed af3e986 to the master branch which addresses this issue.

I ended up not using no_log: true. Instead it uses the loop_control.label feature which lets us customize what gets output. I chose to output the registry_url, username and the state which I think is enough information to see if Ansible logged you into the correct registry based on your inventory configuration.

Here's an example of what the output looks like now:

ok: [test] => (item={'registry_url': 'https://index.docker.io/v1/', 'username': 'exampleuser', 'state': 'present'})

Thanks a lot for opening this issue as it improved the security of the role!

from ansible-docker.

Hi. Please be aware that one can still see the PW using this method with verbose output.

from ansible-docker.

I believe the same can be said with no_log: true too.

from ansible-docker.

no_log suppresses all output (even with verbose).

'"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",'

from ansible-docker.

no_log suppresses all output (even with verbose).

Yep but you can set ANSIBLE_DEBUG=1 and then no_log: true won't hide the output. It's the same idea that if a user can run ansible with -v then they can run ansible with ANSIBLE_DEBUG=1 to bypass no_log.

Did you mainly want to hide the output during CI logs? If so I much prefer the label approach because you get the extra detail of what registry is being logged into. This is also nice for standard usage on your Ansible controller no matter where it runs.

from ansible-docker.