Stage 4 · Provision
Secrets & Security
no_log & Safe Output
Preventing secret leakage into logs and diffs.
Secret Leakage Risks
Ansible logs task output, including command arguments, module parameters, and file contents. Without protection, secrets can appear in AWX job output, CI logs, terminal output, and syslog entries.
The no_log Parameter
# Hide a task's entire output
- name: Set database password
ansible.builtin.user:
name: dbuser
password: "{{ db_password | password_hash('sha512') }}"
no_log: true
# Hide command arguments
- name: Create API token
ansible.builtin.command: >
curl -X POST -d '{"api_key": "{{ api_key }}"}'
https://api.example.com/token
no_log: true
# no_log does not affect register
- name: Get secret
ansible.builtin.command: cat /etc/secret
no_log: true
register: secret_result
# secret_result.stdout is still available but not loggedno_log: true prevents the task output from appearing in logs. The task still executes — only the output is suppressed.
no_log hides errors too. If a task with no_log fails, you will not see why. Use it selectively on tasks that handle secrets, not on every task.
Controlling Diff Output
# Disable diff for a task (hides file content in output)
- name: Deploy secret config
ansible.builtin.template:
src: secret.conf.j2
dest: /etc/app/secret.conf
diff: no
# Disable diff globally in ansible.cfg
# [defaults]
# diff = no
# Enable diff mode for a task
- name: Show what would change
ansible.builtin.template:
src: config.j2
dest: /etc/app/config.conf
check_mode: yes
diff: yesdiff: no prevents Ansible from showing file content differences. This is critical when templates contain secrets.
Output Filtering
- name: Run a command with secrets
ansible.builtin.shell: echo "token={{ api_key }}"
register: result
no_log: true
- name: Show output without secrets
ansible.builtin.debug:
msg: "Command completed successfully"
# Do not reference result.stdout — it contains the secretEven with no_log, registered variables contain the secret in memory. Be careful not to expose them in other tasks.
Safe Output Practices
- Use no_log on tasks that handle passwords, keys, and tokens
- Disable diff on templates containing secrets
- Never echo or debug registered variables with secret content
- Use vault-encrypted variables instead of plaintext secrets
- Review AWX job output for sensitive data before sharing
Periodically search your CI logs, AWX output, and syslog for patterns that look like secrets. Catch leaks before they become security incidents.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.