AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,100 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible no_log: Hide Sensitive Output in Playbook Logs (Guide)

By Luca Berton · Published 2024-01-01 · Category: installation

How to hide passwords and secrets in Ansible output with no_log. Prevent sensitive data from appearing in logs, debug output, callbacks. Practical YAML playbook examples.

The no_log: true directive prevents Ansible from displaying task output in logs and terminal. Use it to hide passwords, API tokens, database credentials, and any sensitive data that would otherwise appear in plain text.

Basic Usage

Without no_log:

With no_log: true:

Where to Use no_log

API Tokens and Keys

Database Credentials

Environment Variables with Secrets

SSH Keys and Certificates

no_log with Loops

Conditional no_log

Play-Level no_log

Best Practices

1. Use Vault for Secrets

2. Use loop_control with no_log

3. Separate Sensitive and Non-Sensitive Tasks

4. Avoid no_log on debug Tasks

Troubleshooting with no_log

When a no_log: true task fails, the error message is also hidden:

To debug:

ansible-lint Warning

ansible-lint flags tasks with passwords that lack no_log:

Fix by adding no_log: true to any task that handles passwords.

FAQ

What does no_log do in Ansible?

no_log: true prevents Ansible from displaying task input and output in the terminal and log files. The task still runs normally, but its results are shown as "censored" instead of the actual data.

When should I use no_log?

Use it on any task that handles sensitive data: passwords, API tokens, SSH keys, database credentials, certificates, or any secrets. Also use it when templates or copy content contain embedded secrets.

Does no_log hide errors too?

Yes — when a no_log: true task fails, the error message is also hidden. Use ANSIBLE_NO_LOG=false or a conditional no_log: "{{ not debug_mode }}" to temporarily disable it for troubleshooting.

Can I disable no_log globally for debugging?

Yes — set the environment variable ANSIBLE_NO_LOG=false before running the playbook. This overrides all no_log: true directives. Only use this in secure environments.

Does no_log affect Ansible Tower/AWX logs?

Yes — no_log: true hides output in Tower/AWX job output as well. The data never reaches the Tower database, making it safe for audit-sensitive environments.

Conclusionno_log: true — Hide sensitive task output • Use on: passwords, tokens, keys, credentials, secret templates • loop_control: label — Show useful context while hiding secrets • Conditional: no_log: "{{ not debug_mode }}" for troubleshooting • ANSIBLE_NO_LOG=false — Emergency override for debugging • Always combine with Ansible Vault for complete secret management

Related ArticlesAnsible Vault: Encrypt SecretsAnsible debug Module: Print VariablesAnsible Playbook Structure & Best Practices

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home