diff --git a/ansible/roles/kolla-ansible/library/kolla_passwords.py b/ansible/roles/kolla-ansible/library/kolla_passwords.py
index 47e1979b0..be461a92b 100644
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -111,13 +111,13 @@ def kolla_passwords(module):
 temp_file_path = create_named_tempfile()
 try:
 # Start with kolla's sample password file.
- shutil.copy2(module.params['sample'], temp_file_path)
+ shutil.copyfile(module.params['sample'], temp_file_path)
 
 # If passwords exist, decrypt and merge these in.
 if module.params['src'] and os.path.isfile(module.params['src']):
 src_path = create_named_tempfile()
 try:
- shutil.copy2(module.params['src'], src_path)
+ shutil.copyfile(module.params['src'], src_path)
 if module.params['vault_password']:
 vault_decrypt(module, src_path)
 kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
@@ -142,7 +142,7 @@ def kolla_passwords(module):
 if module.params['vault_password']:
 dest_path = create_named_tempfile()
 try:
- shutil.copy2(module.params['dest'], dest_path)
+ shutil.copyfile(module.params['dest'], dest_path)
 vault_decrypt(module, dest_path)
 checksum_dest = module.sha1(dest_path)
 finally:
@@ -162,10 +162,10 @@ def kolla_passwords(module):
 if changed and not module.check_mode:
 module.atomic_move(temp_file_path, module.params['dest'])
 except Exception as e:
- try:
+ module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
+ finally:
+ if os.path.isfile(temp_file_path):
 os.unlink(temp_file_path)
- finally:
- module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
 
 if not module.check_mode:
 # Update the file's attributes.
diff --git a/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml b/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
new file mode 100644
index 000000000..8dafda545
--- /dev/null
+++ b/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
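Review bot: The switch from `shutil.copy2` to `shutil.copyfile` on the `sample` copy is what stops the temporary file from inheriting the source file's mode (the release note's 664), but nothing at the call site says so, and a later cleanup could reintroduce `copy2` as a harmless metadata-preserving variant. A one-line comment above it, `# copyfile, not copy2: keep the restrictive mode the temp file was created with rather than inheriting the sample's.`, would pin the intent; the same comment belongs on the `src` copy later in this hunk and on the `dest` copy in the second hunk. This presumes `create_named_tempfile` creates the file with owner-only permissions, which is defined outside the hunk and should be confirmed before relying on it. The body of `kolla_passwords` begins before this hunk and continues past it.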
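Review bot: The `os.path.isfile` guard in the new `finally` block reads as a generic existence check when its real purpose is that a successful `module.atomic_move` on the changed path has already renamed the plaintext temporary file away; a comment such as `# atomic_move consumes the temp file when changed; remove it on every other path.` would make that clear. Worth noting too that if `os.unlink` itself fails here, the plaintext copy stays behind and the `fail_json` message (which exits via SystemExit from the `except` branch) is replaced by the unlink traceback; that is a reasonable outcome for a secrets file, but a comment would keep it from being "fixed" into a silent `except OSError: pass` that hides a leftover copy. `kolla_passwords` continues beyond this hunk.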
@@ -0,0 +1,25 @@
+---
+security:
+ - |
+ Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+ where if the contents of the file have not changed, a plain text copy of the
+ file would be left in /tmp on the Ansible control host.
+
+ The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+ user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+ It is recommended to check any systems on which Kayobe has been run for
+ copies of the passwords file in /tmp. A simple check for this is `grep -rn
+ database_password /tmp`.
+fixes:
+ - |
+ Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+ where if the contents of the file have not changed, a plain text copy of the
+ file would be left in /tmp on the Ansible control host.
+
+ The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+ user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+ It is recommended to check any systems on which Kayobe has been run for
+ copies of the passwords file in /tmp. A simple check for this is `grep -rn
+ database_password /tmp`.