If you want to save your configuration from your running instances, you will save it into a repository. The most common repository at the moment is git. In the end I will have over 150 config files with different credentials. But nobody should save credentials directly into a git repo.
How to protect the API key? How to protect the default user vyos encrypted-password?
I build a CI pipeline that generates two config files from a template, for each VyOS that is running in HA mode.
These two files are packed into an ISO file for cloud-init, for bootstrapping the first installation.
In production, changes to the config template file are submitted over the API, after generating for each VyOS.
Use a Vault? Other suggestions?