hashivault_read exposes secrets in logs #414

Open
itadmin-nyiax opened this issue Aug 10, 2022 · 4 comments

Comments

@itadmin-nyiax commented Aug 10, 2022

Running Ansible with verbose flags exposes secrets read from Vault, which results in them being preserved in the logs of systems like Jenkins and Rundeck.
Not sure if this is fixed in newer versions (currently on 4.6.3 due to Ansible 2.9 in use) or if it is possible to address at all.

Example:

```yaml
- hashivault_read:
    mount_point: "secret_engine"
    secret: "secret_name"
    key: "secret_key"
    version: 2
  delegate_to: localhost
```

Will yield something like this in logs:

```
ok: [superserver -> localhost] => {"changed": false, "lease_duration": 0, "lease_id": "", "rc": 0, "renewable": false, "value": "Should Be Secret"}
```

@TerryHowe (Owner)

This was a limitation of Ansible in the past. There was no way to redact these, and Ansible's stance was: don't log it if you don't want to see it.

@kuzemchik

@TerryHowe does it mean it was fixed since then or something that can be fixed?

@TerryHowe (Owner)

I'm not entirely sure if something can be done about it now. Would the lookup plugin work better for you?

@kuzemchik

@TerryHowe I have lookups with dynamic keys, so I need it in a step. Not sure what is happening in vars, but it is not my use case anyway.
I use lookups within set_fact with:

```yaml
- set_fact:
    some_secret: "{{ lookup('hashi_vault', 'secret=secret:field') }}"
  no_log: true
  diff: no
```

But that basically means that if anyone forgot to add no_log statements, secrets need to be rotated.
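The thread's mitigation is `no_log: true` on every task that touches Vault, and the risk is the one task someone forgets. The following is an added example, not code from the ansible-modules-hashivault project or from anyone in this thread: a small stdlib-only Python audit that walks already-parsed playbook tasks and flags any `hashivault_read` task (the first snippet) or `hashi_vault` lookup (the `set_fact` snippet) that is not covered by `no_log`. It assumes the playbook has already been loaded with `yaml.safe_load` (so the sample tasks are constructed inline as the Python structures that loader would produce), that `no_log` set on a `block` applies to its child tasks as Ansible block keywords do, and that the set of secret-returning module and lookup names is the one from this thread; extend `SECRET_MODULES` and `LOOKUP_RE` for other modules.

```python
"""Flag Ansible tasks that read Vault secrets without no_log: true.

Added illustrative code; operates on tasks as returned by yaml.safe_load.
"""
import re

# Assumption: module names and lookup plugins that return secret material.
# Only the names that appear in the issue thread are listed here; extend as needed.
SECRET_MODULES = {"hashivault_read"}
LOOKUP_RE = re.compile(r"lookup\(\s*['\"]hashi_vault['\"]")

# Keys whose values are nested task lists (block keywords, including no_log,
# are inherited by the tasks inside).
TASK_LIST_KEYS = ("block", "rescue", "always")

# Values Ansible treats as true for no_log (booleans from YAML, or string forms).
TRUTHY = {True, "yes", "true", "on", "1"}


def _is_no_log(task):
    """True when the task itself carries a truthy no_log setting."""
    value = task.get("no_log")
    if isinstance(value, str):
        value = value.strip().lower()
    return isinstance(value, (bool, int, str)) and value in TRUTHY


def _contains_secret_lookup(value):
    """Recursively search strings inside a task for a hashi_vault lookup."""
    if isinstance(value, str):
        return bool(LOOKUP_RE.search(value))
    if isinstance(value, dict):
        return any(_contains_secret_lookup(v) for v in value.values())
    if isinstance(value, list):
        return any(_contains_secret_lookup(v) for v in value)
    return False


def audit_tasks(tasks, path="tasks", inherited_no_log=False):
    """Return a list of findings for tasks that expose Vault secrets to logs.

    Each finding is a dict with the task's name, its position in the task
    tree (e.g. tasks[4].block[0]) and the reason it was flagged.
    """
    findings = []
    for index, task in enumerate(tasks):
        here = f"{path}[{index}]"
        label = task.get("name", here)
        protected = inherited_no_log or _is_no_log(task)

        # Descend into block/rescue/always first, passing inheritance down.
        for key in TASK_LIST_KEYS:
            if isinstance(task.get(key), list):
                findings.extend(audit_tasks(task[key], f"{here}.{key}", protected))

        if protected:
            continue

        module = next((m for m in SECRET_MODULES if m in task), None)
        if module:
            findings.append({"task": label, "path": here,
                             "reason": f"{module} without no_log"})

        # Look for lookups anywhere in the task except the child task lists,
        # which were already audited above.
        own_fields = {k: v for k, v in task.items() if k not in TASK_LIST_KEYS}
        if _contains_secret_lookup(own_fields):
            findings.append({"task": label, "path": here,
                             "reason": "hashi_vault lookup without no_log"})
    return findings


# Constructed sample mirroring the two snippets from the issue (not a real playbook).
READ_ARGS = {"mount_point": "secret_engine", "secret": "secret_name",
             "key": "secret_key", "version": 2}
SAMPLE_TASKS = [
    {"name": "read secret (unprotected)", "hashivault_read": dict(READ_ARGS),
     "delegate_to": "localhost"},
    {"name": "read secret (protected)", "hashivault_read": dict(READ_ARGS),
     "delegate_to": "localhost", "no_log": True},
    {"name": "lookup without no_log",
     "set_fact": {"some_secret": "{{ lookup('hashi_vault', 'secret=secret:field') }}"}},
    {"name": "lookup with no_log",
     "set_fact": {"some_secret": "{{ lookup('hashi_vault', 'secret=secret:field') }}"},
     "no_log": True, "diff": False},
    {"name": "block without no_log",
     "block": [{"name": "inner read", "hashivault_read": {"secret": "s"}}]},
    {"name": "block with no_log", "no_log": True,
     "block": [{"name": "inner read (inherits)", "hashivault_read": {"secret": "s"}}]},
    {"name": "harmless", "debug": {"msg": "hello"}},
]


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS):
        print(f"{finding['path']}: {finding['task']}: {finding['reason']}")
```

Running the module prints the three unprotected tasks from the sample (`tasks[0]`, `tasks[2]` and the inner task of `tasks[4]`); the protected tasks, including the one that inherits `no_log` from its block, are silent. Wired into CI before `ansible-playbook` runs, a non-empty result is the signal that a secret would otherwise land in the Jenkins or Rundeck console log.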
