[PR #11005/54af64ad backport][stable-9] keycloak_user: mark credentials[].value as no_log=True (#11010)

patchback[bot] · felixfontein · web-flow · commit ae6fa9a6841d · 2025-10-29T17:15:24.000Z
keycloak_user: mark credentials[].value as no_log=True (#11005) Mark credentials[].value as no_log=True. (cherry picked from commit 54af64a) Co-authored-by: Felix Fontein <felix@fontein.de>
diff --git a/changelogs/fragments/11005-keycloak_user.yml b/changelogs/fragments/11005-keycloak_user.yml
@@ -0,0 +1,4 @@
+security_fixes:
+  - "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
+     Since this parameter can be used for passwords, this resulted in credential leaking
+     (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."
diff --git a/plugins/modules/keycloak_user.py b/plugins/modules/keycloak_user.py
@@ -360,7 +360,7 @@ def main():
     argument_spec['auth_username']['aliases'] = []
     credential_spec = dict(
         type=dict(type='str', required=True),
-        value=dict(type='str', required=True),
+        value=dict(type='str', required=True, no_log=True),
         temporary=dict(type='bool', default=False)
     )
     client_consents_spec = dict(

Original file line number	Diff line number	Diff line change
`@@ -360,7 +360,7 @@ def main():`
`360`	`360`	`argument_spec['auth_username']['aliases'] = []`
`361`	`361`	`credential_spec = dict(`
`362`	`362`	`type=dict(type='str', required=True),`
`363`		`- value=dict(type='str', required=True),`
	`363`	`+ value=dict(type='str', required=True, no_log=True),`
`364`	`364`	`temporary=dict(type='bool', default=False)`
`365`	`365`	`)`
`366`	`366`	`client_consents_spec = dict(`