diff --git a/roles/trigger-readthedocs/README.rst b/roles/trigger-readthedocs/README.rst
index 6a1e6af78..f584b5613 100644
--- a/roles/trigger-readthedocs/README.rst
+++ b/roles/trigger-readthedocs/README.rst
@@ -16,20 +16,23 @@ Trigger readthedocs build for a project
    This may come from a secret, however it can not be triggered
    without authentication.
 
-.. zuul:rolevar:: rtd_integration_token
+.. zuul:rolevar:: rtd_credentials
 
-   The webhook integration token.  You'll find this value on the
-   project's "Integrations" dashboard page in RTD.  This is expected
-   to come from a secret.  This can be used instead of
-   username/password combo.
-
-.. zuul:rolevar:: rtd_username
-
-   The readthedocs username.  If set, this will be used to
-   authenticate in preference to any token set via
-   ``rtd_integration_token``.
-
-.. zuul:rolevar:: rtd_password
-
-   Password for ``rtd_username``.  Must be set if password is set.
+   Complex argument which contains the RTD authentication credentials.
    This is expected to come from a secret.
+
+  .. zuul:rolevar:: integration_token
+
+     The webhook integration token.  You'll find this value on the
+     project's "Integrations" dashboard page in RTD.  This can be used
+     instead of username/password combo.
+
+  .. zuul:rolevar:: username
+
+     The readthedocs username.  If set, this will be used to
+     authenticate in preference to any token set via
+     ``rtd_integration_token``.
+
+  .. zuul:rolevar:: password
+
+     Password for ``username``.  Must be set if username is set.
diff --git a/roles/trigger-readthedocs/tasks/main.yaml b/roles/trigger-readthedocs/tasks/main.yaml
index 181220056..4a061049d 100644
--- a/roles/trigger-readthedocs/tasks/main.yaml
+++ b/roles/trigger-readthedocs/tasks/main.yaml
@@ -5,28 +5,30 @@
 
 - name: Check for an authentication type
   fail:
-    msg: Must set either rtd_username or rtd_integration_token
-  when: (rtd_username is not defined) and (rtd_integration_token is not defined)
+    msg: Must set either rtd_credentials.username or rtd_credentials.integration_token
+  when: (rtd_credentials.username is not defined) and (rtd_credentials.integration_token is not defined)
 
-- when: rtd_username is defined
+- when: rtd_credentials.username is defined
   block:
     - name: Require password
       fail:
-        msg: rtd_password is required when using rtd_username
-      when: rtd_password is not defined
+        msg: password is required when using rtd_credentials.username
+      when: rtd_credentials.rtd_password is not defined
 
     - name: Trigger readthedocs build webhook via authentication
       uri:
         method: POST
         url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
-        user: '{{ rtd_username }}'
-        password: '{{ rtd_password }}'
+        user: '{{ rtd_credentials.username }}'
+        password: '{{ rtd_credentials.password }}'
         # NOTE(ianw): testing it seems the API doesn't respond with
         # 401 so this is required
         force_basic_auth: yes
+      # avoid logging any credentials
+      no_log: true
 
-- when: rtd_integration_token is defined and
-        rtd_username is not defined
+- when: rtd_credentials.integration_token is defined and
+        rtd_credentials.username is not defined
   block:
     - name: Trigger readthedocs build webhook via token
       uri:
@@ -34,5 +36,7 @@
         url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
         body_format: form-urlencoded
         body:
-          token: '{{ rtd_integration_token }}'
+          token: '{{ rtd_credentials.integration_token }}'
           follow_redirects: all
+      # avoid logging any credentials
+      no_log: true