Ansible - Become and --vault-password-file command line option

If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.

When using "become" to perform a task that requires privilege escalation, there are scenarios where you need to pass in the become password. For example, let's say become is being used to reboot a system.

- hosts: all
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"
      args:
        warn: no        # suppress the "consider using become" warning for sudo in a shell command
      become: yes


In this scenario, the --ask-become-pass command line flag is commonly used to pass in John Doe's password.

[john.doe server1]# ansible-playbook playbook.yml --ask-become-pass


Which would produce a prompt for John Doe's password.

BECOME password:


An alternative approach is to use the --vault-password-file command line option to pass in John Doe's password. First, the ansible-vault create command must be used to create an encrypted file that contains John Doe's password. In this example, two passwords will be created.

  • .become_password.txt will be secured by some random vault password - let's say the password is "foo"
  • .become_password.txt will contain John Doe's password - let's say the password is "bar"

ansible-vault create .become_password.txt


A second file will be created. In this example, the second file is named .vault_password.txt.

touch .vault_password.txt


Ensure only the owner of the file can read and write to it.

chmod 0600 .vault_password.txt


Append your vault password to the hidden password file ("foo" in this example).

echo "foo" > .vault_password.txt


Now you can invoke the ansible-playbook command with the --vault-password-file option followed by .vault_password.txt. Ansible reads the vault password from that file, uses it to decrypt .become_password.txt, and so obtains John Doe's password. The play should be executed without being prompted for the become password.

ansible-playbook playbook.yml --vault-password-file .vault_password.txt
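For this to work, the encrypted file has to define John Doe's password as the ansible_become_password variable and the play has to load that file. The following playbook is an added example, not part of the original article; the file names and the passwords "foo" and "bar" are the ones assumed above.

```yaml
# Added example, not from the original article.
# Plaintext typed into "ansible-vault create .become_password.txt"
# (the editor it opens is protected with the vault password "foo"):
#
#   ansible_become_password: bar
#
# The play below loads that encrypted file as a vars file, so running
#   ansible-playbook playbook.yml --vault-password-file .vault_password.txt
# decrypts it with "foo" and uses "bar" as the become (sudo) password.
- hosts: all
  vars_files:
    - .become_password.txt      # vault-encrypted; holds ansible_become_password
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"
      args:
        warn: no                # silence the sudo-in-shell warning, as on the page
      become: yes
```

Keep .become_password.txt out of world-readable locations just like .vault_password.txt, since anyone holding both files can recover the become password.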

