Credentials management with Embedded Ansible

Hi there. I’m pretty new on ManageIQ. I’m trying to figure out how to manage secrets/credentials with Ansible playbboks.

Here is my case. I have multiple Openshift cluster. Each cluster could be attached to a “location”.
I would like to get the token of the cluster depending of the selected location from the dialog.

How I’m supposed to manage it with Embedded Ansible? The only way is to store my tokens in a variable file and vault them?

Like:

ocp_token_location_map:
  locationA:
    token: XXXX  # here I use vault
    url: openshift-a.domain.com
  locationB:
    token: XXXX  # here I use vault
    url: openshift-b.domain.com

I would like to split this kind of variable from my core repository that perform actions on the clusters. I should add a task that will git clone the variables?

Or maybe I should use here generic objects?

Thanks for any advice.