Ansible is a great orchestration-tool, and while it has it’s own secure password storage system (Vault), I prefer to use ‘pass’ from http://passwordstore.org

There is no specific ‘pass’ plugin for ansible, but using the ‘pipe’ lookup plugin works quite well

tasks:
  - name: Debug
      debug: msg={{lookup('pipe', 'pass some/password/i/need') }}

This can then be used to store API keys, passwords for various accounts, or other information that needs to remain secret while still being able to share and version your ansible plays.

Update 2017: There is now a passwordstore lookup-plugin for ansible