You can use atk-git-diff utility from https://github.com/dellis23/ansible-toolkit

So after some digging I constructed the non-trivial solution.

First of all store your vault password into the (.gitignored) .vault_password file.

In the following example a HEAD and HEAD~2 versions of the file inventory/group_vars/xyz/vault.yml are vimdiff-ed:

vimdiff \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD:inventory/group_vars/xyz/vault.yml)) \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD~2:inventory/group_vars/xyz/vault.yml))

For completeness, it's worth to mention how to configure the diff for ansible-vaulted files globally. For example, I work with really a lot of ansible repositories over here and almost all of them have some vaulted secrets. So what I want is my configuration to be global and portable from one machine to another.

In your ~/.gitconfig add these sections:

[core]
    # The following line defines a global .gitattributes file
    attributesfile = ~/.gitattributes

[diff "ansible-vault"]
    textconv = "ansible-vault view"

For this to work, you need some naming pattern for ansible-vaulted files, which is something good that you should do anyways. In my case, I like to name them with the extension .vault.yml. So my ~/.gitattributes file looks like this:

*.vault.yml diff=ansible-vault merge=binary

Finally, to avoid typing the password all the time, make sure you have a file in a convenient place in each repository (normally something like .vault, placed at the root). This file must contain the password in plain text (properly .gitignored, of course) or an executable script that produces such password.

Having that in place, go ahead and tell ansible to use the .vault file, by adding the following line to the global or local ansible.cfg:

vault_password_file = .vault

Done. Now running git diff will produce the readable diff that you would expect from non-vaulted files :)

You can do this very neatly, so that the normal git tools like git log and git diff can see inside the vaulted files, using a custom git diff driver and .gitattributes.

• Make sure that your vault password is in .vault_password and that that file is not committed - you should also add it to .gitignore.

• Add a .gitattributes file that matches any files in your repository that are encrypted with ansible-vault and give them the attribute diff=ansible-vault. For example, I have:

  env_vars/production.yml diff=ansible-vault merge=binary
  env_vars/staging.yml diff=ansible-vault merge=binary
  

  You can also use wildcarded patterns - the first element of each line, the pattern, follows the same rules as .gitignore files. The merge=binary option tells git not to attempt to do a three-way merge of these files.

• Then you have to set the diff driver for files with attribute diff=ansible-vault to ansible-vault view:

  git config --global diff.ansible-vault.textconv "ansible-vault view"
  

And that should be it - when git is calculating diffs of the files your pattern matches, it'll decrypt them first.