Enhancement request: Ability to mask pillar output in state.apply output

[udf2457]

He ability to secure secrets using gpg and using them in templates with {{ pillar['secret-squirrel'] }}" is great.

However the problem is, that it shows up in logs and outputs, e.g. calling salt 'foobar' state.apply

Maybe we can have a special alias, e.g. pillar-secret which would have identical behaviour to pillar except it would also cause the output to be automagically masked in output from state.apply and similar.

[Akm0d]

If you add --state-output=terse to the state.apply command then no changes will be shown in the output

[udf2457]

@Akm0d That is what I call a workaround, not a solution. ;-)

[Oloremo]

Regarding the outputs Ansible has a no_log feature: https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log

Which is very useful. I wish it'd be possible to do something like this to arbitrary Salt state.

[tuxthepenguin84]

Also the ability to mask this in the /var/log/salt/events would be great, this would allow external log gathering systems to intake this log for monitoring.

[Akm0d]

Thank you all for the feedback and patience on this! We are officially moving forward with this enhancement.

We are tracking this work internally and plan to implement a context-aware masking wrapper. This will automatically mask sensitive pillar data in both state.apply outputs and Salt event logs (/var/log/salt/events), allowing you to retain detailed state outputs safely without resorting to terse mode. We are also exploring the addition of granular, no_log-style controls based on the feedback here.

This feature is currently targeted for the 3008 release. I am going to close this discussion now as we transition to tracking the active implementation. Thanks again for the great input!