ansible-collections · softwarefactory-project-zuul · Aug 30, 2023 · Aug 30, 2023
diff --git a/changelogs/fragments/doc_update_for_keypair_nolog.yml b/changelogs/fragments/doc_update_for_keypair_nolog.yml
@@ -0,0 +1,3 @@
+---
+trivial:
+- Update the document to use no_log and register when creating a new keypair.
diff --git a/plugins/modules/ec2_key.py b/plugins/modules/ec2_key.py
@@ -49,6 +49,8 @@
     version_added: 3.1.0
 notes:
   - Support for I(tags) and I(purge_tags) was added in release 2.1.0.
+  - For security reasons, this module should be used with B(no_log=true) and (register) functionalities
+    when creating new key pair without providing key_material.
 extends_documentation_fragment:
   - amazon.aws.common.modules
   - amazon.aws.region.modules
@@ -64,8 +66,11 @@
 # Note: These examples do not set authentication details, see the AWS Guide for details.
 
 - name: create a new EC2 key pair, returns generated private key
+  # use no_log to avoid private key being displayed into output
   amazon.aws.ec2_key:
     name: my_keypair
+  no_log: true
+  register: aws_ec2_key_pair
 
 - name: create key pair using provided key_material
   amazon.aws.ec2_key: