keycloak_user: mark credentials[].value as no_log=True (#11005)

Mark credentials[].value as no_log=True.
2026-03-26 21:33:12 +00:00 · 2025-10-29 17:42:29 +01:00
parent ce0d06b306
commit 54af64ad36
2 changed files with 5 additions and 1 deletions
--- a/changelogs/fragments/11005-keycloak_user.yml
+++ b/changelogs/fragments/11005-keycloak_user.yml
@@ -0,0 +1,4 @@
+security_fixes:
+  - "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
+     Since this parameter can be used for passwords, this resulted in credential leaking
+     (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."
--- a/plugins/modules/keycloak_user.py
+++ b/plugins/modules/keycloak_user.py
@@ -355,7 +355,7 @@ def main():
    argument_spec['auth_username']['aliases'] = []
    credential_spec = dict(
        type=dict(type='str', required=True),
-        value=dict(type='str', required=True),
+        value=dict(type='str', required=True, no_log=True),
        temporary=dict(type='bool', default=False)
    )
    client_consents_spec = dict(