Best Practice for Ansible Connection with Vault as "Credential Provider"?

Hello there,

I have a question about Vault and Ansible. We’re building a new platform that will be deployed mostly with Terraform and Ansible.

What is the best practice to connect to the host? We have configured our test environment to use OTP. But sometimes, when Ansible has to do a task on Host A, then Host B, and then again Host A, it will make a new connection. But since it used an OTP, it can’t use the same password again.
On the other hand, with certificates I don’t have that nice audit by Vault, because I only see that the cert got signed but not on which host the certificate was used.

Another solution would be to let Terraform generate a pair of keys for each host on deployment and store those keys in Vault. Deployment of the key could be done via cloud-init. Updating or revoking the keys would need an Ansible playbook.

How do you use Ansible and Vault together?