How it works...

We use the ansible-vault command to create a new file that is encrypted with the password supplied via --vault-id. We store this password in a separate file (called decrypt_passwd in our example) and pass that file as the argument to --vault-id. Inside the encrypted file, we can place as many variables as we need. Finally, we include the encrypted file as a variable file in the playbook using vars_files. The following is the content of the secrets file when we try to read it without decrypting it:

$ cat secrets
$ANSIBLE_VAULT;1.1;AES256
61383264326363373336383839643834386661343630393965656135666336383763343938313963
3538376230613534323833356237663532666363626462640a663839396230646634353839626461
31336461386361616261336534663137326265363261626536663564623764663861623735633865
3033356536393631320a643561623635363830653236633833383531366166326566623139633838
32633335616663623761313630613134636635663865363563366564313365376431333461623232
34633838333836363865313238363966303466373065356561353638363731616135386164373263
666530653334643133383239633237653034

In order for Ansible to decrypt this file, we must supply the decryption password (stored in the decrypt_passwd file in this example) via the --vault-id option. When we run ansible-playbook, we must supply this password; otherwise, ansible-playbook fails, as shown here:

### Running the Ansible playbook without --vault-id
$ ansible-playbook ansible_vault.yml -i hosts
ERROR! Attempting to decrypt but no vault secrets found
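The encrypted file shown above has a fixed layout that can be checked without the password: a $ANSIBLE_VAULT header, then a hex body which itself decodes to three newline-separated hex strings (salt, HMAC-SHA256 over the ciphertext, AES256-CTR ciphertext). The following stdlib-only checker is an added example, not code from this book or from Ansible; it parses that envelope so a pre-commit hook or CI step can reject a secrets file that was committed in plaintext, and it uses the secrets file from the listing above as its sample input.

```python
import binascii
import re

# Header is "$ANSIBLE_VAULT;<format>;<cipher>" with an optional ";<vault-id label>" in format 1.2.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>\S+))?$")

# The encrypted secrets file exactly as shown in the listing above (format 1.1, no vault-id label).
SECRETS_FILE = """$ANSIBLE_VAULT;1.1;AES256
61383264326363373336383839643834386661343630393965656135666336383763343938313963
3538376230613534323833356237663532666363626462640a663839396230646634353839626461
31336461386361616261336534663137326265363261626536663564623764663861623735633865
3033356536393631320a643561623635363830653236633833383531366166326566623139633838
32633335616663623761313630613134636635663865363563366564313365376431333461623232
34633838333836363865313238363966303466373065356561353638363731616135386164373263
666530653334643133383239633237653034
"""


def parse_vault_envelope(text):
    """Split a vault file into header fields and raw salt/HMAC/ciphertext bytes.
    Raises ValueError for anything that is not a well-formed envelope."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0].strip()) if lines else None
    if not m:
        raise ValueError("no $ANSIBLE_VAULT header: file is not vault-encrypted")
    try:
        # Outer layer: the body is one long hex string wrapped at 80 columns.
        body = binascii.unhexlify("".join(l.strip() for l in lines[1:])).decode("ascii")
        # Inner layer: three more hex strings separated by newlines:
        # 32-byte salt, 32-byte HMAC-SHA256 of the ciphertext, PKCS7-padded AES256-CTR ciphertext.
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in body.split("\n"))
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        raise ValueError(f"malformed vault body: {exc}") from exc
    if len(salt) != 32 or len(mac) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("unexpected salt/HMAC/ciphertext sizes")
    return {"version": m["version"], "cipher": m["cipher"], "vault_id": m["vault_id"],
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def is_vault_encrypted(text):
    """True if text is a well-formed ansible-vault envelope; False for plaintext or a damaged file."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False
```

Running is_vault_encrypted over every file you expect to hold secrets (for example the vars_files entries of a playbook) before a commit or a deploy catches the most common vault mistake, a secrets file that was edited and saved without re-encrypting it.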