no logging for service account contents (#60149)

* no logging for service account contents * changelog * fixes
2019-08-06 13:27:11 -07:00 · 2019-08-06 13:27:11 -07:00 · 61d60d07d1
commit 61d60d07d1
parent 94f5e2d9ed
3 changed files with 6 additions and 5 deletions
--- a/changelogs/fragments/gcp_fixes.yml
+++ b/changelogs/fragments/gcp_fixes.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - Add no_log to credentials field to avoid disclosures, also switch type to jsonarg to avoid having users responsible for transformations.
--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
@ -214,7 +214,8 @@ class GcpModule(AnsibleModule):
                service_account_contents=dict(
                    required=False,
                    fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_CONTENTS']),
-                    type='str'),
+                    no_log=True,
+                    type='jsonarg'),
                scopes=dict(
                    required=False,
                    fallback=(env_fallback, ['GCP_SCOPES']),
--- a/lib/ansible/plugins/doc_fragments/gcp.py
+++ b/lib/ansible/plugins/doc_fragments/gcp.py
@ -20,10 +20,8 @@ options:
        choices: [ application, machineaccount, serviceaccount ]
    service_account_contents:
        description:
-            - A string representing the contents of a Service Account JSON file.
-            - This should not be passed in as a dictionary, but a string
-              that has the exact contents of a service account json file (valid JSON)
-        type: str
+            - The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.
+        type: jsonarg
    service_account_file:
        description:
            - The path of a Service Account JSON file if serviceaccount is selected as type.