ansible/awx

Sensitive Information Leaked in AWX by automation job pod

Open

#16141 opened on 2025-10-20

Labels: community, help wanted, type:enhancement

Description

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

We are deploying AWX using the AWX-operator in Kubernetes. New AWX jobs spin up automation-job pods. Those pods have logs to stdout during execution that aren’t rendered in the UI, but are seen at runtime on the pod stdout. In a K8s platform environment, it’s common to send all stdout pod logs for all pods in the cluster to a central log aggregator.

The initial "starting" stdout log includes the ENV passed to the job. Some modules in Ansible require sensitive information like passwords to be passed via ENV, so logging the ENV to stdout leaks this information, which is then sent off to the central log aggregator.

Because the Kubernetes logging solutions just capture all pod stdout logs and ship them off, we end up with sensitive information in the logs that are stored with all the other pods. There doesn’t appear to be any way to prevent the automation job from logging the env at runtime. Is there a way to prevent this? If not, could we request a way to reduce logging or turn off this log?

Example startup log to stdout:

{
    "status": "starting", 
    "runner_ident": "288886", 
    "command": ["ansible-playbook", "-u", "root", "-e", "@/runner/env/tmp5lo54lwn", "-i", "/runner/inventory/hosts", "-e", "@/runner/env/extravars", "main.yml"], 
    "env": {"KUBERNETES_SERVICE_PORT_HTTPS": "443", "SUPER_SECRET_PASSWORD": "FluffyAndAdorableKittens", "KUBERNETES_SERVICE_PORT": "443", "AWX_PROD_SERVICE_PORT_80_TCP": "tcp://10.43.165.29:80", 
...

Select the relevant components

  • UI
  • API
  • Docs
  • Collection
  • CLI
  • Other

Steps to reproduce

Run any job with a sensitive credential passed through the ENV

Current results

Sensitive credential is logged to pod stdout, which Kubernetes will capture along with all stdout logs for all pods in the cluster.

Suggested feature result

Ability to turn off logging sensitive information at job start, so that it's not printed to stdout

Additional information

No response
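As an added example, not code from the issue author or the AWX project: a Python filter of the kind a log collector or sidecar could run on pod stdout before shipping to the aggregator. It redacts secret-looking env values from runner status events shaped like the "starting" event quoted above, scrubs the same literal values from the rest of the event, and passes non-JSON playbook output through untouched. The key-name pattern and the sample lines are assumptions constructed for this example.

```python
import json
import re

# Env var names that usually carry secrets; assumed pattern, tune for your environment.
SENSITIVE_KEY_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.IGNORECASE
)
REDACTED = "[REDACTED]"


def redact_status_line(line: str) -> tuple[str, int]:
    """Redact secret-looking env values in one ansible-runner status line.

    Returns (possibly rewritten line, number of values redacted). Lines that are
    not JSON objects carrying an "env" map are returned unchanged, so ordinary
    playbook output is never altered.
    """
    try:
        event = json.loads(line)
    except ValueError:
        return line, 0
    if not isinstance(event, dict) or not isinstance(event.get("env"), dict):
        return line, 0
    secrets = []
    for key, value in event["env"].items():
        if SENSITIVE_KEY_RE.search(key) and isinstance(value, str) and value:
            secrets.append(value)
            event["env"][key] = REDACTED
    out = json.dumps(event)
    # A secret exported via env is often repeated elsewhere in the event (for
    # example inside "command"), so scrub the JSON-escaped literal everywhere.
    for value in sorted(secrets, key=len, reverse=True):
        out = out.replace(json.dumps(value)[1:-1], REDACTED)
    return out, len(secrets)


def redact_stream(lines):
    """Apply redact_status_line to an iterable of log lines, yielding each result."""
    for line in lines:
        yield redact_status_line(line)[0]


# Constructed sample modelled on the "starting" event quoted in the issue.
SAMPLE_LINES = [
    '{"status": "starting", "runner_ident": "288886", "command": ["ansible-playbook", '
    '"main.yml"], "env": {"KUBERNETES_SERVICE_PORT_HTTPS": "443", '
    '"SUPER_SECRET_PASSWORD": "FluffyAndAdorableKittens"}}',
    "PLAY [all] *****",
]

if __name__ == "__main__":
    for out in redact_stream(SAMPLE_LINES):
        print(out)
```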
