Vault (or otherwise protect) tower_cli.cfg

I have a playbook that is using the awx.awx.job_template module and it creates a new job template.

In order that it has the proper permissions, it requires a custom tower_cli.cfg file with a user and pwd.

I am running from AWX and the playbooks, etc. are sourced from git.

My playbook resides in a subfolder of a repo and I (after some trial and error) found that the tower_cli.cfg must reside in the repo root.

It all works great... until I try and protect the tower_cli.cfg by encrypting it with ansible-vault.

Other vaulted files used in the play tasks have no issue - but when tower_cli.cfg is vaulted, ansible appears not to attempt decryption and it gets an error showing the lines with errors and they are all the hashes from the encryption.

I also tried storing variables in a vars file that was vaulted and using templating format in the tower_cli.cfg - it didn't seem to substitute as it does in other files.

I tried tempfile and built a tower_cli.cfg, but even trying to specify the path - since the playbook is sourced from a git repo - it does not work. It is looking in git - not on the drive of the ansible server.

I need a way to hide the credentials in the tower_cli.cfg which is stored in git but apparently cannot be vaulted.

Any assistance with this would be greatly appreciated.

Responses