update docs to include section on sensitive-variables array

This commit is contained in:
Megan Marsh 2018-08-21 10:40:33 -07:00
parent 8a6441a7a5
commit 1a04b2a31a
1 changed files with 26 additions and 0 deletions

View File

@ -206,6 +206,32 @@ Results in the following variables:
| aws\_access\_key | foo | | aws\_access\_key | foo |
| aws\_secret\_key | baz | | aws\_secret\_key | baz |
# Sensitive Variables
If you use the environment to set a variable that is sensitive, you probably
don't want that variable printed to the Packer logs. You can make sure that
sensitive variables won't get printed to the logs by adding them to the
"sensitive-variables" list within the Packer template:
``` json
{
"variables": {
"my_secret": "{{env `MY_SECRET`}}",
"not_a_secret": "plaintext",
"foo": "bar"
},
"sensitive-variables": ["my_secret", "foo"],
...
}
```
The above snippet of code will function exactly the same as if you did not set
"sensitive-variables", except that the Packer UI and logs will replace all
instances of "bar" and of whatever the value of "my_secret" is with
`<sensitive>`. This allows you to be confident that you are not printing
secrets in plaintext to our logs by accident.
# Recipes # Recipes
## Making a provisioner step conditional on the value of a variable ## Making a provisioner step conditional on the value of a variable