Bootstrap FreeKB - Ansible - become command line (--become --become-user --become-method --ask-become-pass --become-flags)
Ansible - become command line (--become --become-user --become-method --ask-become-pass --become-flags)

Updated:   |  Ansible articles

If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.

Let's say John Doe has been granted access to issue the reboot command using sudo. Let's say john.doe attempts to reboot server1 using the shell module and sudo.

- hosts: all
    - name: "reboot using sudo"
      shell: "sudo reboot"


Assuming the following option is commented out in ansible.cfg or set to true . . .

# command_warnings = False


. . . and you are not using the warn parameter, like this . . .

- name: "reboot using sudo"
  shell: "sudo reboot"
  warn: "false"


Invoking the play should return the following warning. 

[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo


As the warning suggests, "become" should be used. There are different ways to use "become":


Here is how to use the "--become" command line flag.

ansible-playbook playbook.yml --become


When using some other module, such as the file module . . .

- name: "mkdir /tmp/example"
    path: "/tmp/example"
    state: "directory"


you would then also use the "--become_method" command line flag.

ansible-playbook playbook.yml --become --become-method=sudo


Assuming ansible.cfg does not contain the following . . . 

become_pass: your_password


Let's say the playbook is invoked like this.

ansible-playbook playbook.yml


The following will be returned.

sudo: a password is required


There are a few ways to address this.


The --ask-become-pass flag should produce a prompt asking for your password.

BECOME password:



The only time that the "--become_user" command line flag must be used is when you want to become some other user. For example, let's say John Doe has been granted permission to the reboot command, and Jane Doe is invoking the playbook. In this scenario, the "become_user" parameter can be used so that Jane Doe can become John Doe. Of course, this assumes that Jane Doe will also be able to pass in John Doe's password, as described above.

[jane.doe server1]# ansible-playbook playbook.yml --become --become-user=john.doe



Be aware that if the remote_user parameter is being used, and the remote_user is not the user you want to become, then you will need to use the --become_user command line flag.

- hosts: all
  remote_user: jane.doe
   - file:
       path: "/etc/foo"
       state: directory


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Add a Comment

Please enter 95bb9c in the box below so that we can be sure you are a human.