Mise + fnox + macOS Keychain is a great combo for running Ansible with stored, encrypted secrets.
In mise.toml:

```toml
[env]
# Resolved by running fnox at activation time; tools = true makes mise resolve
# it after managed tools are available, and redact = true keeps the value out
# of mise's own output.
DBSERVER_PW = { value = "{{ exec(command='fnox get DBSERVER') }}", tools = true, redact = true }
```
In Ansible’s host vars (inventory YAML):

```yaml
my_servers:
  hosts:
    dbserver:
      ansible_become_password: "{{ lookup('ansible.builtin.env', 'DBSERVER_PW') }}"
```
Now you can run ansible-playbook and friends without hardcoding your sudo passwords anywhere!
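One caveat worth a guard: `ansible.builtin.env` returns an empty string when the variable is unset, so if mise isn't active or fnox hasn't unlocked the Keychain you get a confusing sudo failure instead of a clear error. The wrapper below is an added example, not from the original post; it assumes `DBSERVER_PW` is exported by mise as shown above, and the inventory and playbook paths are placeholders.

```sh
#!/bin/sh
# Added example: fail closed before invoking Ansible when a secret that
# mise/fnox should have exported is missing or empty.

# require_env NAME: return 0 if NAME is set and non-empty, 1 otherwise.
# Only the variable name is ever printed, never its value, so nothing
# secret ends up in shell history or CI logs.
require_env() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    printf 'missing secret: %s is not set or empty (is mise active and fnox unlocked?)\n' "$name" >&2
    unset value
    return 1
  fi
  unset value
  return 0
}

# run_playbook INVENTORY PLAYBOOK: run ansible-playbook only when every
# secret the inventory relies on is present (add one require_env per secret).
run_playbook() {
  require_env DBSERVER_PW || return 1
  ansible-playbook -i "$1" "$2"
}

# Usage (paths are placeholders):
# run_playbook inventory.yml site.yml
```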