If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

The ansible-vault command can be used to perform a number of tasks.

• ansible-vault create - create an encrypted file
• ansible-vault decrypt - decrypt and encrypted file
• ansible-vault edit - edit an encrypted file
• ansible-vault encrypt - encrypt a non-encrypted file
• ansible-vault encrypt_string - encrypt a string
• ansible-vault rekey - change password used to view or decrypt an encrypted file
• ansible-vault view - view the cleartext contents of an encryped file

Additionally, there are a few command line options to be aware of.

• --ask-vault-pass - prompt for the vault password
• --vault-id - use a specific users password in a file
• --vault-password-file - use a single password in a file

This assumes you have created the Ansible Vault password file. Let's say the password file is:

/usr/local/vault/.vault_password.txt

A vault password file can be used to provide the vault password when:

• Copying an encrypted file to managed nodes using the copy module
• Creating a new encrypted file using the ansible-vault create command
• Creating an encrypted key:value pair using the ansible-vault encrypt_string command
• Decrypting an encrypted file using the ansible-vault decrypt command
• Editing an encrypted file using the ansible-vault edit command
• Encrypting an unencrypted file using the ansible-vault encrypt command
• Viewing the content of an encrypted file using the ansible-vault view command

You could define vault_password_file in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

Then you can view an encrypted file (vault.yml) without having to include the --vault-password-file or --vault-id command line options.

ansible-vault view vault.yml