diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4bee2c67..708d00021 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,28 @@
+Release v0.5.4
+* Embed go-runner into the image ([#426](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/426), @jyotimahapatra)
+* Bump Go to 1.17 in Travis ([#414](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/414), @gliptak)
+* Build multi-arch images ([#417](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/417), @glebiller)
+* Add kind-based development environment ([#422](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/422), @nckturner)
+* Add jaypipes to approvers/reviewers ([#407](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/407), @nckturner)
+* Fix deps ([#396](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/396), @frioux)
+* Fix panic when cache file can't be Stat-ed ([#410](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/410), @sarahhodne)
+* Fix missing status definition in v1 CRD ([#411](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/411), @rifelpet)
+* Use ./hack/install-etcd.sh ([#405](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/405), @nckturner)
+* Run integration tests with per-test role ([#402](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/402), @nckturner)
+* Add a counter for API server watch failures ([#400](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/400), @nckturner)
+* Upgrade CRD manifest to v1 ([#397](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/397), @rifelpet)
+* Move inactives to emeritus_approvers and add active users ([#399](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/399), @nckturner)
+* Fix tests add vendor ([#398](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/398), @nckturner)
+* Integration test framework ([#395](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/395), @nckturner)
+* Add cloudbuild & improvements ([#394](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/394), @nckturner)
+* Fix typo ([#390](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/390), @shyr)
+* *: add user/role subcommands ([#381](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/381), @gyuho)
+* goreleaser: bump release to 0.164.0 and fix config deprecations ([#371](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/371), @antoinedeschenes)
+* Run go mod vendor ([#388](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/388), @nckturner)
+* doc: fix typo in RELEASE.md ([#376](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/376), @stig)
+* [pkg/token]: Update credential API version ([#386](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/386), @micahhausler)
+* Enrich Audit Logs with additional AWS Identity details (via audit logs' "extra" map) ([#372](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/372), @adrianosela)
+
 Release v0.5.3
 * Bump Go to 1.15 in Travis ([#361](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/361), @gliptak)
 * Update aws sdk go v1.37.1 ([#360](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/360), @gaffneyd4)
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index 0742d63c4..83d97b8d7 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -39,7 +39,7 @@ You also might need to create a release branch, if it doesn't already exist, if
 
 ## Creating the release commit
 
-We need to generate the CHANGELOG for the new release by running `./hack/changelog.py`.  First check the correctness of the output using the `--print-only` flag.  Pass the previous release tag, and the commit SHA of the most recent commit (the new tag will include the changelog, so it hasn't been created yet).
+We need to generate the CHANGELOG for the new release by running `./hack/changelog.py`.  First check the correctness of the output using the `--print-only` flag.  Pass the previous release tag, and the commit SHA of the most recent commit (the new tag will include the changelog, so it hasn't been created yet). The commands use a `--token` field. Generate it from [github personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
 
 ```
 ./hack/changelog.py --token=$GITHUB_TOKEN --section-title="Release v0.5.2" --range=v0.5.1..90653708db3f6437a446bbeec15b5036db66a855 --print-only