diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 9ed08ddf9..f95ec97ca 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -87,6 +87,7 @@
   args:
     executable: /bin/bash
   register: etcd_master_cert_data
+  no_log: true
   check_mode: no
   delegate_to: "{{groups['etcd'][0]}}"
   when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
@@ -98,6 +99,7 @@
   args:
     executable: /bin/bash
   register: etcd_node_cert_data
+  no_log: true
   check_mode: no
   delegate_to: "{{groups['etcd'][0]}}"
   when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
@@ -109,6 +111,7 @@
   shell: "base64 -d <<< '{{etcd_master_cert_data.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
   args:
     executable: /bin/bash
+  no_log: true
   changed_when: false
   when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
         inventory_hostname != groups['etcd'][0]
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index fd6e485df..cd742d647 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -80,6 +80,7 @@
   shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
   args:
     executable: /bin/bash
+  no_log: true
   register: master_cert_data
   check_mode: no
   delegate_to: "{{groups['kube-master'][0]}}"
@@ -90,6 +91,7 @@
   shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_node_certs|join(' ') }} | base64 --wrap=0"
   args:
     executable: /bin/bash
+  no_log: true
   register: node_cert_data
   check_mode: no
   delegate_to: "{{groups['kube-master'][0]}}"
@@ -116,6 +118,7 @@
 
 - name: Gen_certs | Unpack certs on masters
   shell: "base64 -d < {{ cert_tempfile.stdout }} | tar xz -C {{ kube_cert_dir }}"
+  no_log: true
   changed_when: false
   check_mode: no
   when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
@@ -133,6 +136,7 @@
   shell: "base64 -d <<< '{{node_cert_data.stdout|quote}}' | tar xz -C {{ kube_cert_dir }}"
   args:
     executable: /bin/bash
+  no_log: true
   changed_when: false
   check_mode: no
   when: inventory_hostname in groups['kube-node'] and