An Ansible automation controller job template uses a custom credential type that requires a secret token. The token is stored as an extra variable in the job template definition. A security audit reveals the token is visible in plaintext in the job output. Which action should the administrator take to secure the secret?
- A
Define the variable in the job template's 'extra variables' field with 'no_log: true' set in the playbook for that variable.
Setting no_log on the variable prevents it from being displayed in logs and job output, meeting the security requirement.
- B
Vault-encrypt the variable in the playbook and reference it with {{ vault_var }}.
Why wrong: Vault encryption protects the value at rest but does not hide it from job output when passed as an extra variable.
- C
Create a custom credential type that injects the token as an environment variable, and remove the extra variable from the job template.
Why wrong: This is a good practice but does not address the existing extra variable; the token would still be visible if the extra variable remains.
- D
Store the token in a file on the controller with 600 permissions and use 'lookup' in the playbook.
Why wrong: This does not prevent the token from being displayed in job output if it is used as a variable without no_log.