feat: add option to mask potential secrents in env vars

src/ansible_runner/__main__.py

@@ -628,6 +628,12 @@ def main(sys_args=None):
         action="store_true",
         help="show the execution node's Ansible Runner version along with its memory and CPU capacities"
     )
+    worker_subparser.add_argument(
+        "--suppress-env-print",
+        dest="suppress_env_print",
+        action="store_true",
+        help="add flag to prevent the printing of env vars on stdout. Also set via SUPPRESS_ENV_PRINT"
+    )
     worker_subparser.add_argument(
         "--delete",
         dest="delete_directory",
@@ -866,6 +872,10 @@ def main(sys_args=None):
 
         with context:
             with role_manager(vargs) as vargs:
+                if vargs.get('suppress_env_print'):
+                    suppress_env_print = vargs.get('suppress_env_print')
+                else:
+                    suppress_env_print = os.getenv('SUPPRESS_ENV_PRINT', 'False') == 'True'
                 run_options = {
                     "private_data_dir": vargs.get('private_data_dir'),
                     "ident": vargs.get('ident'),
@@ -900,6 +910,7 @@ def main(sys_args=None):
                     "limit": vargs.get('limit'),
                     "streamer": streamer,
                     "suppress_env_files": vargs.get("suppress_env_files"),
+                    "suppress_env_print": suppress_env_print,
                     "keepalive_seconds": vargs.get("keepalive_seconds"),
                 }
                 try:

src/ansible_runner/config/_base.py

@@ -88,6 +88,7 @@ def __init__(self,
                  json_mode: bool = False,
                  check_job_event_data: bool = False,
                  suppress_env_files: bool = False,
+                 suppress_env_print: bool = False,
                  keepalive_seconds: int | None = None
                  ):
         # pylint: disable=W0613
@@ -118,6 +119,8 @@ def __init__(self,
         self.timeout = timeout
         self.check_job_event_data = check_job_event_data
         self.suppress_env_files = suppress_env_files
+        self.suppress_env_print = suppress_env_print
+
         # ignore this for now since it's worker-specific and would just trip up old runners
         # self.keepalive_seconds = keepalive_seconds
 

src/ansible_runner/interface.py

@@ -169,6 +169,7 @@ def run(**kwargs):
     :param str ssh_key: The ssh private key passed to ``ssh-agent`` as part of the ansible-playbook run.
     :param str cmdline: Command line options passed to Ansible read from ``env/cmdline`` in ``private_data_dir``
     :param bool suppress_env_files: Disable the writing of files into the ``env`` which may store sensitive information
+    :param bool suppress_env_print: Disable the printing of env vars on stdout which may contain sensitive information
     :param str limit: Matches ansible's ``--limit`` parameter to further constrain the inventory to be used
     :param int forks: Control Ansible parallel concurrency
     :param int verbosity: Control how verbose the output of ansible-playbook is

src/ansible_runner/streaming.py

@@ -225,7 +225,12 @@ def run(self):
     def status_handler(self, status_data, runner_config):
         # pylint: disable=W0613
         self.status = status_data['status']
-        self._output.write(json.dumps(status_data).encode('utf-8'))
+        printed_status_data = status_data.copy()
+        if 'suppress_env_print' in self.kwargs and self.kwargs['suppress_env_print']:
+            suppressed_env = {}
+            suppressed_env['SUPPRESS_ENV_PRINT'] = str(self.kwargs['suppress_env_print'])
+            printed_status_data['env'] = suppressed_env
+        self._output.write(json.dumps(printed_status_data).encode('utf-8'))
         self._output.write(b'\n')
         self._output.flush()
 

test/integration/test_transmit_worker_process.py

@@ -503,7 +503,7 @@ def test_unparsable_line_worker(tmp_path):
 def test_unparsable_really_big_line_processor(tmp_path):
     process_dir = tmp_path / 'for_process'
     process_dir.mkdir()
-    incoming_buffer = io.BytesIO(bytes(f'not-json-data with extra garbage:{"f"*10000}', encoding='utf-8'))
+    incoming_buffer = io.BytesIO(bytes(f'not-json-data with extra garbage:{"f" * 10000}', encoding='utf-8'))
 
     def status_receiver(status_data, runner_config):  # pylint: disable=W0613
         assert status_data['status'] == 'error'
@@ -517,3 +517,29 @@ def status_receiver(status_data, runner_config):  # pylint: disable=W0613
         private_data_dir=process_dir,
         status_handler=status_receiver
     )
+
+
+@pytest.mark.parametrize("suppress", [True, False])
+def test_suppress_env_print(tmp_path, suppress):
+    worker_dir = tmp_path / 'for_worker'
+    worker_dir.mkdir()
+    incoming_buffer = io.BytesIO(
+        b'{"kwargs": {"playbook": "debug.yml", "suppress_env_print": true}}\n{"eof": true}\n' if suppress
+        else b'{"kwargs": {"playbook": "debug.yml", "suppress_env_print": false}}\n{"eof": true}\n')
+    outgoing_buffer = io.BytesIO()
+
+    for buffer in (outgoing_buffer, incoming_buffer):
+        buffer.name = 'foo'
+
+    # Worker
+    run(
+        streamer='worker',
+        _input=incoming_buffer,
+        _output=outgoing_buffer,
+        private_data_dir=worker_dir,
+        envvars={"SUPPRESS_ENV_PRINT": "False"}
+    )
+    outgoing_buffer.seek(0)
+    sent = outgoing_buffer.readline()
+    data = json.loads(sent)
+    assert data["env"]["SUPPRESS_ENV_PRINT"] == str(suppress)