diff --git a/changelogs/fragments/pull_file_secrets.yml b/changelogs/fragments/pull_file_secrets.yml
new file mode 100644
index 00000000000..d8ea3554904
--- /dev/null
+++ b/changelogs/fragments/pull_file_secrets.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-pull will now correctly handle become and connection password file options for ansible-playbook.
diff --git a/lib/ansible/cli/pull.py b/lib/ansible/cli/pull.py
index 695cc266a31..41521aa7045 100755
--- a/lib/ansible/cli/pull.py
+++ b/lib/ansible/cli/pull.py
@@ -274,8 +274,15 @@ class PullCLI(CLI):
             for vault_id in context.CLIARGS['vault_ids']:
                 cmd += " --vault-id=%s" % vault_id
 
+        if context.CLIARGS['become_password_file']:
+            cmd += " --become-password-file=%s" % context.CLIARGS['become_password_file']
+
+        if context.CLIARGS['connection_password_file']:
+            cmd += " --connection-password-file=%s" % context.CLIARGS['connection_password_file']
+
         for ev in context.CLIARGS['extra_vars']:
             cmd += ' -e %s' % shlex.quote(ev)
+
         if context.CLIARGS['become_ask_pass']:
             cmd += ' --ask-become-pass'
         if context.CLIARGS['skip_tags']:
diff --git a/test/integration/targets/ansible-pull/pull-integration-test/conn_secret.yml b/test/integration/targets/ansible-pull/pull-integration-test/conn_secret.yml
new file mode 100644
index 00000000000..f8849730e91
--- /dev/null
+++ b/test/integration/targets/ansible-pull/pull-integration-test/conn_secret.yml
@@ -0,0 +1,12 @@
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - ping: data='{{ansible_password}}'
+      register: dumb
+      vars:
+        ansible_python_interpreter: '{{ansible_playbook_python}}'
+
+    - name: If we got here, password was passed!
+      assert:
+        that:
+          - "dumb.ping == 'Testing123'"
diff --git a/test/integration/targets/ansible-pull/pull-integration-test/secret_connection_password b/test/integration/targets/ansible-pull/pull-integration-test/secret_connection_password
new file mode 100644
index 00000000000..44e6a2c4252
--- /dev/null
+++ b/test/integration/targets/ansible-pull/pull-integration-test/secret_connection_password
@@ -0,0 +1 @@
+Testing123
diff --git a/test/integration/targets/ansible-pull/runme.sh b/test/integration/targets/ansible-pull/runme.sh
index 347971a4fd8..87f61a6ade2 100755
--- a/test/integration/targets/ansible-pull/runme.sh
+++ b/test/integration/targets/ansible-pull/runme.sh
@@ -36,7 +36,8 @@ function pass_tests {
 	fi
 
 	# test for https://github.com/ansible/ansible/issues/13681
-	if grep -E '127\.0\.0\.1.*ok' "${temp_log}"; then
+	# match play default output stats, was matching limit + docker
+	if grep -E '127\.0\.0\.1\s*: ok=' "${temp_log}"; then
 	    cat "${temp_log}"
 	    echo "Found host 127.0.0.1 in output. Only localhost should be present."
 	    exit 1
@@ -84,4 +85,6 @@ pass_tests
 
 ANSIBLE_CONFIG='' ansible-pull -d "${pull_dir}" -U "${repo_dir}" "$@" multi_play_1.yml multi_play_2.yml | tee "${temp_log}"
 
-pass_tests_multi
\ No newline at end of file
+pass_tests_multi
+
+ANSIBLE_CONFIG='' ansible-pull -d "${pull_dir}" -U "${repo_dir}" conn_secret.yml --connection-password-file "${repo_dir}/secret_connection_password" "$@"