ansible · relrod · Feb 5, 2021 · Feb 5, 2021
diff --git a/changelogs/fragments/new-nolog-entries.yml b/changelogs/fragments/new-nolog-entries.yml
@@ -32,6 +32,7 @@ security_fixes:
   - iap_start_workflow - `token_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
   - ibm_sa_host - `iscsi_chap_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
   - keycloak_client - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
+  - keycloak_client - `registration_access_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
   - keycloak_clienttemplate - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
   - keycloak_group - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
   - librato_annotation - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

diff --git a/lib/ansible/modules/identity/keycloak/keycloak_client.py b/lib/ansible/modules/identity/keycloak/keycloak_client.py
@@ -681,7 +681,7 @@ def main():
         enabled=dict(type='bool'),
         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
         secret=dict(type='str', no_log=True),
-        registration_access_token=dict(type='str', aliases=['registrationAccessToken']),
+        registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
         default_roles=dict(type='list', aliases=['defaultRoles']),
         redirect_uris=dict(type='list', aliases=['redirectUris']),
         web_origins=dict(type='list', aliases=['webOrigins']),