Finally succeeded in setting up what I need according to this blog.
I already use AppRole, so the thing was just to "inject" custom credentials (Vault URL + roleID/secretID) from AWX into my running project.
- From an AWX perspective, I simply created a new credential type as mentioned here again.
INPUT Configuration
  fields:
    - id: vault_server
      type: string
      label: URL for Vault Server
    - id: vault_role_id
      type: string
      label: Vault AppRole ID
    - id: vault_secret_id
      type: string
      label: Vault Secret ID
      secret: true
  required:
    - vault_server
Injector Configuration
  env:
    VAULT_ADDR: '{{ vault_server }}'
    VAULT_ROLE_ID: '{{ vault_role_id }}'
    VAULT_SECRET_ID: '{{ vault_secret_id }}'
    VAULT_AUTH_METHOD: approle
- From a YAML perspective, all my project vars embed:
  vars:
    # These 2 vars look up the ENV variables we set up through AWX
    approle_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
    approle_secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
    # This one "mounts" the connection to my Vault with the dedicated AppRole
    my_secret_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
    # This one retrieves the key's data based on my query
    my_key: "{{ my_secret_vault.secret.my_key_id }}"
So now you just need to fill in the correct Vault URL + roleID + secret ID from your AWX GUI, and there you go.
PS: no matter if you're using AppRole or simply a token, the method works the same; you just need to adapt your injector configuration.
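As an added example (not from the post above, and not the community.hashi_vault plugin's own code), here is what the lookup does with the env vars the AWX injector sets: an early check that the credential was actually attached, the AppRole login call, the KV v2 read path, and why the value ends up under `.secret`. The Vault address, IDs and response body are constructed placeholders.

```python
"""Offline walk-through of the AppRole + KV v2 flow behind the lookup."""

# The three variables the AWX injector above exports into the job environment.
REQUIRED_ENV = ("VAULT_ADDR", "VAULT_ROLE_ID", "VAULT_SECRET_ID")


def check_injected_env(env):
    """Names of injector variables that are missing or empty.
    lookup('env', ...) returns '' for an unset variable, so if the credential
    is not attached to the job template the AppRole login fails late with an
    unhelpful error; checking up front gives a clear message instead."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def approle_login_request(env):
    """The AppRole login the lookup performs: POST /v1/auth/approle/login."""
    return {
        "method": "POST",
        "url": env["VAULT_ADDR"].rstrip("/") + "/v1/auth/approle/login",
        "json": {"role_id": env["VAULT_ROLE_ID"], "secret_id": env["VAULT_SECRET_ID"]},
    }


def kv2_read_request(env, token, engine_mount_point, path):
    """KV v2 reads go through <mount>/data/<path> (KV v1 has no 'data' segment),
    which is why the mount point 'kv/' matters to the lookup."""
    mount = engine_mount_point.strip("/")
    return {
        "method": "GET",
        "url": f"{env['VAULT_ADDR'].rstrip('/')}/v1/{mount}/data/{path}",
        "headers": {"X-Vault-Token": token},
    }


def secret_from_kv2_response(body):
    """KV v2 nests the user's key/values under data.data; the lookup exposes
    that inner dict as `secret`, hence `my_secret_vault.secret.my_key_id`."""
    return body["data"]["data"]


# Constructed sample values (placeholders, not real credentials or Vault output).
SAMPLE_ENV = {
    "VAULT_ADDR": "https://vault.example.internal:8200/",
    "VAULT_ROLE_ID": "role-id-placeholder",
    "VAULT_SECRET_ID": "secret-id-placeholder",
    "VAULT_AUTH_METHOD": "approle",
}
SAMPLE_KV2_RESPONSE = {
    "data": {"data": {"my_key_id": "value-placeholder"}, "metadata": {"version": 3}},
}
```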