diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py
index 2d97d655c3..ee14dce50f 100644
--- a/ironic/conductor/utils.py
+++ b/ironic/conductor/utils.py
@@ -15,8 +15,7 @@
 import contextlib
 import datetime
 from distutils.version import StrictVersion
-import random
-import string
+import secrets
 import time
 from openstack.baremetal import configdrive as os_configdrive
@@ -1019,9 +1018,7 @@ def add_secret_token(node, pregenerated=False):
 order to facilitate virtual media booting where the token is embedded
 into the configuration.
 """
- characters = string.ascii_letters + string.digits
- token = ''.join( random.SystemRandom().choice(characters) for i in range(128))
+ token = secrets.token_urlsafe()
 i_info = node.driver_internal_info
 i_info['agent_secret_token'] = token
 if pregenerated:
diff --git a/ironic/tests/unit/conductor/test_utils.py b/ironic/tests/unit/conductor/test_utils.py
index 6a437debe2..23127efe27 100644
--- a/ironic/tests/unit/conductor/test_utils.py
+++ b/ironic/tests/unit/conductor/test_utils.py
@@ -2030,8 +2030,7 @@ class AgentTokenUtilsTestCase(tests_base.TestCase):
 def test_add_secret_token(self):
 self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
 conductor_utils.add_secret_token(self.node)
- self.assertEqual( 128, len(self.node.driver_internal_info['agent_secret_token']))
+ self.assertIn('agent_secret_token', self.node.driver_internal_info)
 def test_del_secret_token(self):
 conductor_utils.add_secret_token(self.node)
diff --git a/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml b/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml
new file mode 100644
index 0000000000..609c48e7bc
--- /dev/null
+++ b/releasenotes/notes/use_secrets_to_generate_token-55af0f43e5a80b9e.yaml
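Review bot: The new line `token = secrets.token_urlsafe()` leaves the token size to the library default, while the removed code pinned a 128-character token and the test suite asserted that length; the `secrets` documentation states the default may change between Python releases (currently 32 bytes in CPython, a 43-character string), so the token's size is now an implicit contract that depends on the interpreter. Pass the size explicitly, e.g. `token = secrets.token_urlsafe(32)`, so the entropy is visible at the call site and stable across upgrades. The alphabet also changes from `[A-Za-z0-9]` to base64url, which adds `-` and `_`; if anything downstream validates the token's character set (not visible in this hunk), that should be checked. add_secret_token begins and ends outside the hunk.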
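Review bot: The replacement assertion `self.assertIn('agent_secret_token', self.node.driver_internal_info)` in test_add_secret_token only proves the key was set, so a regression that stores an empty or non-string token would still pass, whereas the removed assertion pinned the value's length. Keep a check on the value itself, for example `token = self.node.driver_internal_info['agent_secret_token']`, `self.assertIsInstance(token, str)`, `self.assertGreaterEqual(len(token), 32)` (a constructed lower bound; if add_secret_token pins its byte size, assert the exact length instead). The enclosing class starts outside the hunk.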
@@ -0,0 +1,9 @@
+---
+security:
+ - |
+ The secret token that is used for IPA verification will be generated by the secrets module to be in compliance with the FIPS 140-2.
+fixes:
+ - |
+ The secret token that is used for IPA verification will be generated using the secrets module.