How evaluate environment var created from secret

Drone version

1.6.2

Problem Summary

I am trying to pass in a secret to an Environment Variable that is used by my ansible playbook. However, the conceal feature causes the evaluation of the env var to be [secret:ssh_key] when I grab the env var in my playbook using lookup env var in my hosts file like so: ansible_ssh_private_key_file={{ lookup('env','SSH_KEY') }}

Question

How do I make it so that the actual value gets passed in and not the conceal value?

.drone.yml snippet
- name: Apply ansible playbook using Ansible plugin
  image: plugins/ansible:1
  environment:
    SSH_KEY:
      from_secret: ssh_key
  settings:
    playbook: ansible/playbooks/site.yml
    inventory: ansible/playbooks/inventory/hosts
    vault_password:
      from_secret: ans_vault
  debug: true
Output from drone UI

TASK [Gathering Facts] *********************************************************
13 fatal: [4.4.4.4]: UNREACHABLE! => {“changed”: false, “msg”: “Failed to connect to the host via ssh: Warning: Permanently added ‘4.4.4.4’ (ECDSA) to the list of known hosts.\r\nno such identity: [secret:ssh_key]: No such file or directory\r\[email protected]: Permission denied (publickey).”, “unreachable”: true}

Troubleshooting

I also tried to do below but also resulted in the file containing the concealed secret

echo -n $${SSH_KEY} > /drone/src/ssh_key

The conceal feature only conceals secrets in the logs (e.g. in docker logs it finds and replaces the value). The conceal feature has no actual impact on the secret being properly passed to the environment variable.

Thanks for your speedy response, and got it. It’s just doing a find and replace for log purposes. Totally makes sense.