If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.
When using "become" to perform a task that requires privilege escalation, there are scenarios where you need to pass in the become password. For example, let's say become is being used to reboot a system.
- hosts: all
  become: true
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"
In this scenario, the --ask-become-pass command line flag is commonly used to pass in John Doe's password.
[john.doe server1]# ansible-playbook playbook.yml --ask-become-pass
Which would produce a prompt for John Doe's password.
An alternative approach is to use the --vault-password-file command line option to pass in John Doe's password. First, the ansible-vault create command must be used to create an encrypted file that contains John Doe's password. In this example, two passwords will be created.
- .become_password.txt will be secured by some random password - let's say the password is "foo"
- .become_password.txt will contain John Doe's password - let's say the password is "bar"
ansible-vault create .become_password.txt
A second file will be created. In this example, the second file is named .vault_password.txt.
Ensure only the owner of the file can read and write to the file.
chmod 0600 .vault_password.txt
Write your vault password to the hidden password file ("foo" in this example).
echo "foo" > .vault_password.txt
Now you can invoke the ansible-playbook command with the --vault-password-file option followed by .vault_password.txt to pass in John Doe's password. The play should be executed without being prompted for the become password.
ansible-playbook playbook.yml --vault-password-file .vault_password.txt
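For this to work, the play has to load the vaulted file so that its contents become the become password. The playbook below is an added example, not from the original page; it assumes .become_password.txt was created with ansible-vault create and holds the single line ansible_become_password: bar (the variable Ansible reads for the become password).

```yaml
# Added example: load the vault-encrypted file as a vars file. At run time,
# --vault-password-file .vault_password.txt supplies "foo", Ansible decrypts
# .become_password.txt, and ansible_become_password ("bar") is used by sudo.
#
# Decrypted contents of .become_password.txt (assumed):
#   ansible_become_password: bar
#
- hosts: all
  become: true
  vars_files:
    - .become_password.txt   # encrypted on disk, decrypted in memory only
  tasks:
    - name: "reboot using sudo"
      shell: "reboot"        # become already runs this as root, so no inline sudo
```

Note that .vault_password.txt holds the vault password in clear text, so it must stay mode 0600 and out of version control, while the encrypted .become_password.txt can be committed alongside the playbook.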