diff --git a/ironic/drivers/modules/agent_client.py b/ironic/drivers/modules/agent_client.py
index b5b6c3c1a5..6de28e785a 100644
--- a/ironic/drivers/modules/agent_client.py
+++ b/ironic/drivers/modules/agent_client.py
@@ -593,7 +593,7 @@ class AgentClient(object):
         """
         params = {
             'step': step,
-            'node': node.as_dict(secure=True),
+            'node': node.as_dict(secure=True, mask_configdrive=False),
             'ports': [port.as_dict() for port in ports],
             'deploy_version': node.driver_internal_info.get(
                 'hardware_manager_version')
diff --git a/ironic/objects/node.py b/ironic/objects/node.py
index 013d1b50d6..c8f79f2868 100644
--- a/ironic/objects/node.py
+++ b/ironic/objects/node.py
@@ -168,13 +168,17 @@ class Node(base.IronicObject, object_base.VersionedObjectDictCompat):
         'network_data': object_fields.FlexibleDictField(nullable=True),
     }
 
-    def as_dict(self, secure=False):
+    def as_dict(self, secure=False, mask_configdrive=True):
         d = super(Node, self).as_dict()
         if secure:
             d['driver_info'] = strutils.mask_dict_password(
                 d.get('driver_info', {}), "******")
-            d['instance_info'] = strutils.mask_dict_password(
-                d.get('instance_info', {}), "******")
+            iinfo = d.pop('instance_info', {})
+            if not mask_configdrive:
+                configdrive = iinfo.pop('configdrive', None)
+            d['instance_info'] = strutils.mask_dict_password(iinfo, "******")
+            if not mask_configdrive and configdrive:
+                d['instance_info']['configdrive'] = configdrive
             d['driver_internal_info'] = strutils.mask_dict_password(
                 d.get('driver_internal_info', {}), "******")
         return d
diff --git a/ironic/tests/unit/objects/test_node.py b/ironic/tests/unit/objects/test_node.py
index dd23995b9d..a9dd2684b2 100644
--- a/ironic/tests/unit/objects/test_node.py
+++ b/ironic/tests/unit/objects/test_node.py
@@ -61,6 +61,18 @@ class TestNodeObject(db_base.DbTestCase, obj_utils.SchemasTestMixIn):
         # Ensure the node can be serialised.
         jsonutils.dumps(d)
 
+    def test_as_dict_secure_with_configdrive(self):
+        self.node.driver_info['ipmi_password'] = 'fake'
+        self.node.instance_info['configdrive'] = 'data'
+        self.node.driver_internal_info['agent_secret_token'] = 'abc'
+        d = self.node.as_dict(secure=True, mask_configdrive=False)
+        self.assertEqual('******', d['driver_info']['ipmi_password'])
+        self.assertEqual('data', d['instance_info']['configdrive'])
+        self.assertEqual('******',
+                         d['driver_internal_info']['agent_secret_token'])
+        # Ensure the node can be serialised.
+        jsonutils.dumps(d)
+
     def test_as_dict_with_traits(self):
         self.fake_node['traits'] = ['CUSTOM_1']
         self.node = obj_utils.get_test_node(self.ctxt, **self.fake_node)
diff --git a/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml b/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml
new file mode 100644
index 0000000000..e3751665a9
--- /dev/null
+++ b/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    No longer masks configdrive when sending the node's record to in-band
+    deploy steps.