Update document to use no_log and register when creating a new keypai…

…r. (#1716) (#1718) [PR #1716/39b19d83 backport][stable-6] Update document to use no_log and register when creating a new keypair This is a backport of PR #1716 as merged into main (39b19d8). SUMMARY "When creating a new keypair the ec2_key module prints out the private key directly to the standard output. This makes it unusable in any kind of public workflow." To fix this security vulnerability no_log and register should be used while using this module to create a keypair. ISSUE TYPE Docs Pull Request COMPONENT NAME ADDITIONAL INFORMATION Reviewed-by: Alina Buzachis
ansible-collections · Aug 31, 2023 · 7546cf6 · 7546cf6
1 parent 42b325b
commit 7546cf6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/changelogs/fragments/doc_update_for_keypair_nolog.yml b/changelogs/fragments/doc_update_for_keypair_nolog.yml
@@ -0,0 +1,3 @@
+---
+trivial:
+- Update the document to use no_log and register when creating a new keypair.
diff --git a/plugins/modules/ec2_key.py b/plugins/modules/ec2_key.py
@@ -49,6 +49,8 @@
     version_added: 3.1.0
 notes:
   - Support for I(tags) and I(purge_tags) was added in release 2.1.0.
+  - For security reasons, this module should be used with B(no_log=true) and (register) functionalities
+    when creating new key pair without providing key_material.
 extends_documentation_fragment:
   - amazon.aws.common.modules
   - amazon.aws.region.modules
@@ -64,8 +66,11 @@
 # Note: These examples do not set authentication details, see the AWS Guide for details.
 
 - name: create a new EC2 key pair, returns generated private key
+  # use no_log to avoid private key being displayed into output
   amazon.aws.ec2_key:
     name: my_keypair
+  no_log: true
+  register: aws_ec2_key_pair
 
 - name: create key pair using provided key_material
   amazon.aws.ec2_key: