Ansible - Become and --vault-password-file command line option


If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.

When using "become" to perform a task that requires privilege escalation, there are scenarios where you need to pass in the become password. For example, let's say become is being used to reboot a system.

---
- hosts: all
  tasks:
    - name: "reboot using sudo"
      # become already runs the command through sudo, so no "sudo" prefix is needed
      shell: "reboot"
      become: yes

 

In this scenario, the --ask-become-pass command line flag is commonly used to pass in John Doe's password.

[john.doe server1]# ansible-playbook playbook.yml --ask-become-pass

 

Which would produce a prompt for John Doe's password.

BECOME password:

 

An alternative approach is to use the --vault-password-file command line option to pass in John Doe's password. First, the ansible-vault create command must be used to create an encrypted file that contains John Doe's password. In this example, two passwords will be created.

  • .become_password.txt will be secured by some random password - let's say the password is "foo"
  • .become_password.txt will contain John Doe's password - let's say the password is "bar"

ansible-vault create .become_password.txt

 

A second file will be created. In this example, the second file is named .vault_password.txt.

touch .vault_password.txt

 

Ensure only the owner of the file can read and write to the file.

chmod 0600 .vault_password.txt

 

Write your vault password to the hidden password file ("foo" in this example).

echo "foo" > .vault_password.txt

 

Now you can invoke the ansible-playbook command with the --vault-password-file option followed by .vault_password.txt to pass in John Doe's password. The play should be executed without being prompted for the become password.

ansible-playbook playbook.yml --vault-password-file .vault_password.txt
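The steps above do not show how the play reads the decrypted password. The script below is an added example, not part of the original article: it assumes .become_password.txt is a vars file that defines ansible_become_password and is loaded with vars_files. The helper names write_secret and secret_is_private are hypothetical.

```bash
# Added example. File names and the "foo"/"bar" values follow the article;
# the vars-file layout (ansible_become_password + vars_files) is an assumption.

# Write stdin to a file that is never group/world readable, even briefly.
# Taking the secret on stdin lets callers pipe it from a prompt or secret store.
write_secret() {
  ( umask 077 && cat > "$1" ) && chmod 0600 "$1"
}

# Succeed only if the path is a regular file with mode 0600 or 0400.
secret_is_private() {
  case "$(ls -ld -- "$1" 2>/dev/null)" in
    -rw-------*|-r--------*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  printf '%s\n' 'foo' | write_secret .vault_password.txt
  printf 'ansible_become_password: %s\n' 'bar' | write_secret .become_password.txt
  secret_is_private .vault_password.txt || { echo "vault password file too open" >&2; return 1; }

  # Encrypt the vars file in place with the vault password.
  ansible-vault encrypt .become_password.txt --vault-password-file .vault_password.txt

  # The play loads the encrypted vars file, which sets ansible_become_password.
  cat > playbook.yml <<'EOF'
---
- hosts: all
  vars_files:
    - .become_password.txt
  tasks:
    - name: "reboot using sudo"
      command: reboot
      become: yes
EOF
  ansible-playbook playbook.yml --vault-password-file .vault_password.txt
}

# Run the whole procedure only when asked: sh example.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Creating the file under umask 077 closes the window between touch and chmod in which the file exists with default permissions.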

 



