If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.
Let's say John Doe has been granted access to issue the reboot command using sudo. Let's say john.doe attempts to reboot server1 using the shell module and sudo.
---
- hosts: all
tasks:
- name: "reboot using sudo"
shell: "sudo reboot"
Assuming the following option is commented out in ansible.cfg or set to true . . .
# command_warnings = False
. . . and you are not using the warn parameter, like this . . .
- name: "reboot using sudo"
shell: "sudo reboot"
warn: "false"
Invoking the play should return the following warning.
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
As the warning suggests, "become" should be used. There are different ways to use "become":
- Use the become command line flags - this will take precendence over all other approaches
- Use the become parameters in a playbook
- Use the become connection variables (that's what we will describe in this article)
- Use the become directives in ansible.cfg (uncommon)
Here is how to setup become in the default hosts file or your own inventory file, like this.
However, you may want to avoid this approach, as this would enable become for any playbook that uses the default hosts file or inventory file, which may be too permissive.
Likewise, there will probably be cases where you want to use become a user other than John Doe, thus is usually is preferred to use the become command line flags or become parameters.
ansible_become: yes
ansible_become_user: john.doe
ansible_become_pass: your_password
However, if neither of these option are preferred, you can use --vault-password-file option, and then invoke the playbook like this.
ansible-playbook playbook.yml --vault-password-file /path/to/.vault_password.txt
Did you find this article helpful?
If so, consider buying me a coffee over at