Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
Acknowledgments: Name: Abhijeet Kasurde (Red Hat)
related: https://github.com/ansible/ansible/issues/56269 https://github.com/ansible/ansible/pull/59427
https://github.com/ansible/ansible-stage/pull/7
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2019:2543 https://access.redhat.com/errata/RHSA-2019:2543
This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2019:2542 https://access.redhat.com/errata/RHSA-2019:2542
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10217
Statement: Ansible shipped with Red Hat Ceph Storage 3; Red Hat OpenStack 10, 13, and 14; and Ansible Engine 2.6 and 2.7 are not vulnerable as they do not include the cred_type implementation (service_account_contents).