Ansible - become directives in ansible.cfg

If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.

Let's say John Doe has been granted access to issue the reboot command using sudo. Let's say john.doe attempts to reboot server1 using the shell module and sudo.

- hosts: all
    - name: "reboot using sudo"
      shell: "sudo reboot"


Assuming the following option is commented out in ansible.cfg or set to true . . .

# command_warnings = False


. . . and you are not using the warn parameter, like this . . .

- name: "reboot using sudo"
  shell: "sudo reboot"
  warn: "false"


Invoking the play should return the following warning. 

[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo


As the warning suggests, "become" should be used. There are different ways to use "become":


Here is how to use the become parameters in ansible.cfg. 

However, you may want to avoid this approach, as this would enable become for any playbook, which may be too permissive. 

Likewise, there will probably be cases where you want to use become a user other than John Doe, thus is usually is preferred to use the become command line flags or become parameters.

become_user: john.doe
become_method: sudo
become_pass: your_password


Notice in this example that "sudo" is still used. This is because this example is using the shell module.

- name: "use the shell module, become root, sudo reboot"
  shell: "sudo reboot"


When using some other module, such as the file module, there is no need (or way) to use sudo without become.

- name: "mkdir /tmp/example"
    path: "/tmp/example"
    state: "directory"


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 4e32e in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |