Case: a plugin from wordpress.org is installed, it requires an API id and key to use the service, and the author recommendation is to define them as constants in wp-config.php

define( 'PLUGIN_API_KEY_ID',      '*********************' );
define( 'PLUGIN_API_SECRET_KEY',  '*********************' );

How can I set these on group_vars/{environment}/vault.yml so they’re available as constants to Wordpress after deploying?

Edit/ Solution:
1- add to vault_wordpress_sites - { site_key } - env list (case insensitive)
2- deactivate and reactivate the plugin

In the vault you would set the variables like this:

vault_wordpress_sites:
    env:
        plugin_api_key_id: YOUR_KEY_ID
        plugin_api_secret_key: YOUR_SECRET_KEY

Since you would be using Bedrock (implied by use of Trellis), instead of wp-config.php the variables would be stored in .env (at the site root) and if they needed to be manually retrieved you would use env('PLUGIN_API_KEY_ID').

Related docs:

Similar:

Same idea, a little different use case:

https://roots.io/guides/acf-pro-as-a-composer-dependency-with-encrypted-license-key/

I saw the ACF guide and tried it before posting but it didn’t work. I can see the constants in the .env file. Now I suspect the problem could be the plugins fault. In this case Offload S3. Their install guide says the constants should be defined before loading wp-settings.php, and I see config/application.php loads before it and should have the constants defined by the time the wp-settings load. I will keep looking for clues and will update.

Never mind, deactivating and re-activating the plugin does the trick. Issue solved!