Secrets transmitted to remote hosts

As we learned in Chapter 1, The System Architecture and Design of Ansible, Ansible combines module code and arguments and writes the result to a temporary directory on the remote host. This means your secret data is transferred over the wire and written to the remote filesystem. With the SSH connection plugin, or with WinRM over HTTPS (TLS), the data is already encrypted in transit, which prevents your secrets from being discovered by simple snooping. If you are using any other connection plugin, be aware of whether or not its data is encrypted in transit; using a connection method that is not encrypted is strongly discouraged.

Once the data is transmitted, Ansible may write it out in clear form to the remote filesystem. This happens when pipelining (which we learned about in Chapter 1, The System Architecture and Design of Ansible) is not in use, or when Ansible has been instructed to leave remote files in place via the ANSIBLE_KEEP_REMOTE_FILES environment variable. Without pipelining, Ansible writes the module code plus its arguments into a temporary directory, which it deletes once the module has executed. Should connectivity be lost between writing the file and executing it, the file remains on the remote filesystem until it is removed manually. If Ansible is explicitly instructed to keep remote files, then, even with pipelining enabled, it writes out a remote file and leaves it in place. Take care with these options when dealing with highly sensitive secrets, even though typically only the user Ansible logs in as on the remote host (or becomes via privilege escalation) has access to the leftover file. Deleting everything under the remote user's ~/.ansible/tmp/ path (or whatever directory the remote_tmp setting points at, if you have changed it) is enough to clean up leftover secrets at the filesystem level; bear in mind that an ordinary delete does not scrub the underlying blocks from disk.
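The following shell script is an added example and is not code from the book or from the Ansible project. It shows, on the controller side, how to check whether the settings just described can leave module code and arguments (and therefore secrets) on a remote host, and, on the remote side, how to scrub the temporary directory. It relies only on real Ansible setting names (the pipelining ini key and ANSIBLE_PIPELINING, ANSIBLE_KEEP_REMOTE_FILES, and the remote_tmp key in [defaults]); the function names, the "match the key in any section" simplification, and the sample ansible.cfg contents are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the book or Ansible): audit the settings that decide
# whether Ansible leaves module code + arguments on the remote disk, and scrub
# a remote temp directory. Function names and the "any section" matching rule
# are assumptions; setting names are Ansible's own.

# Print the last "key = value" for KEY found in an ansible.cfg, with inline
# comments stripped. Assumption: the key is matched in any section (Ansible
# accepts 'pipelining' in more than one section). Returns 1 if not present.
cfg_value() {
    cfg="$1"; key="$2"
    [ -f "$cfg" ] || return 1
    awk -v k="$key" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            sub("^[^=]*=[[:space:]]*", "")     # drop "key ="
            sub("[[:space:]]*[;#].*$", "")     # drop trailing ini comment
            sub("[[:space:]]+$", "")           # drop trailing whitespace
            v = $0
        }
        END { if (v == "") exit 1; print v }' "$cfg"
}

# Ansible-style boolean parsing: yes/true/on/1 (any case) are true.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|y|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if pipelining is effectively on. The environment variable overrides the
# ini file, as it does in Ansible; Ansible's default is off.
pipelining_enabled() {
    if [ -n "${ANSIBLE_PIPELINING:-}" ]; then
        val="$ANSIBLE_PIPELINING"
    else
        val="$(cfg_value "$1" pipelining 2>/dev/null)" || val="false"
    fi
    is_true "$val"
}

# 0 if Ansible has been told to leave module files behind on the remote host.
keep_remote_files() {
    is_true "${ANSIBLE_KEEP_REMOTE_FILES:-false}"
}

# Print the remote temp directory Ansible will use (remote_tmp, default ~/.ansible/tmp).
remote_tmp_path() {
    cfg_value "$1" remote_tmp 2>/dev/null || printf '%s\n' '~/.ansible/tmp'
}

# 0 when the current configuration can leave module code + arguments on the
# remote filesystem: pipelining is off, or keep-remote-files is set.
secrets_may_linger() {
    ! pipelining_enabled "$1" || keep_remote_files
}

# Remove everything under a temp directory. Run this ON the remote host as the
# login (or become) user. Plain unlink only: it does not defeat forensic
# recovery from the block device. Prints the number of top-level entries removed.
scrub_ansible_tmp() {
    dir="${1:-$HOME/.ansible/tmp}"; n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue            # unmatched glob, skip
        rm -rf -- "$entry"
        n=$((n + 1))
    done
    echo "$n"
}
```

On the controller, `secrets_may_linger ./ansible.cfg && echo "module files may be left on remote hosts"` is the check to put in a pre-flight step for playbooks that handle sensitive variables; on a remote host, `scrub_ansible_tmp` (or `scrub_ansible_tmp "$(remote_tmp_path ./ansible.cfg)"` with the path expanded for that user) does the cleanup described above.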
