For the best security, use Ansible Vault to encrypt the file. […]
To encrypt the file with Vault, run:
ansible-vault encrypt vars/api_key.yml
Enter a secure password for the file, and Ansible will encrypt it.
An Ansible vault is a YAML variables file, or an inventory group or per-host variable file, to be referenced in a playbook, that has been encrypted using the ansible-vault command. A secret is a variable definition within a variable file that has been made into a vault.
Encrypting via ansible-vault involves using the subcommand encrypt with a file path to a YAML variables file (Geerling 2023, 104-105):
ansible-vault encrypt $PATH_TO_VAR_FILE
Then, when running a playbook that makes use of the given vault, one needs to pass the flag --ask-vault-pass to the ansible-playbook command (refer to 20250514154644-Running_Ansible_Playbooks) (Geerling 2023, 105):
Alternatively, a text file can be used to store the password for the vault. In that case the file should have strict permissions, similar to those of secure SSH keys found in the directory ~/.ssh on Linux, and it should not be checked into source or version control (Geerling 2023, 106). This file can then be used in place of typing in the password when prompted (Ibid):
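The permission and version-control requirements for the password file can be checked before the file is handed to ansible-playbook. The following is an added example, not taken from Geerling or from the original note: the function names and the paths in the usage comment are hypothetical, and --vault-password-file is the ansible-playbook option that reads the vault password from a file.

```shell
#!/bin/sh
# Added example: pre-flight checks for a vault password file.
# Function names and the paths in the usage comment are hypothetical.

# Print a file's octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if $1 is a regular, non-symlink file owned by the current
# user, accessible by the owner alone, and not tracked by git.
check_vault_pass_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    [ -O "$f" ] || { echo "not owned by current user: $f" >&2; return 1; }
    mode=$(file_mode "$f") || return 1
    case "$mode" in
        600|400) ;;   # owner-only, as for private keys in ~/.ssh
        *) echo "mode $mode is too permissive: chmod 600 $f" >&2; return 1 ;;
    esac
    dir=$(dirname "$f")
    # Fails harmlessly (treated as "not tracked") outside a git work tree
    # or when git is not installed.
    if git -C "$dir" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
        echo "tracked by git, remove it from the repository: $f" >&2; return 1
    fi
    return 0
}

# Run a playbook only when the password file passes the checks.
# Usage: vault_playbook ~/.ansible/vault_pass.txt site.yml
vault_playbook() {
    pass_file=$1; shift
    check_vault_pass_file "$pass_file" || return 1
    ansible-playbook --vault-password-file "$pass_file" "$@"
}
```

The git check only covers the current index; a password file that was committed in the past stays in the repository history and the vault password should be rotated.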