Running Ansible task as a specific user

https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user

Asked 10 years, 11 months ago. Modified 3 years, 3 months ago. Viewed 228k times.

I am trying to run a specific Ansible task as a different user than the one who is running the playbook. My .yml file looks like this:


```yaml
- hosts: staging_servers
  tasks:
    - name: check user
      remote_user: someusername
      shell: whoami
```

Running this task shows me that whoami command returns a different user than I defined in the task (precisely, returns the user which is defined in hosts file called ubuntu).

I also tried to define the task like this:


```yaml
- hosts: staging_servers
  tasks:
    - name: check user
      sudo: yes
      sudo_user: someusername
      shell: whoami
```

but then I get ‘Missing sudo password’ error, although there is a line in sudoers file which says someusername ALL=(ALL) NOPASSWD:ALL and issuing commands with sudo on remote machine as someusername doesn’t ask me for a password.

So, how can I run the specific task as a different user which is not the user defined in hosts file or root himself?

Tags: permissions, sudo, ansible

asked Jan 26, 2015 at 15:36 by errata

3 Answers

You’re misunderstanding both settings there:

remote_user is an Ansible setting that controls the SSH user Ansible is using to connect: ssh ${REMOTE_USER}@remotehost

someusername ALL=(ALL) NOPASSWD:ALL is a sudo configuration that allows the user someusername to execute all commands in any host without a password. It does not allow anyone to issue commands as someusername though.

Ideally, you would log in directly as the right user and that’s what remote_user is all about. But usually you are only able to log in as an administrative user (say, ubuntu) and have to sudo commands as another user (let’s say scrapy). Then you should leave remote_user to the user that logs in and then add the following Ansible properties to the job:

```yaml
- name: log in as ubuntu and do something as scrapy
  remote_user: ubuntu
  sudo: true
  sudo_user: scrapy
  shell: do-something.sh
```

edited Jan 27, 2015 at 16:32, answered Jan 26, 2015 at 16:21 by Capi Etheriel

Comments:

I see. Thanks a lot for clarifying this! But how to run a specific task as a specific user then? – errata, Jan 26, 2015 at 16:23

Note that remote_user defaults to the current user in your local machine – just as ssh does, actually. – Capi Etheriel, Jan 26, 2015 at 16:26

Alright, but with a setup like this I still get ‘Missing sudo password’ error. Is there a way to avoid asking for password for that specific user? – errata, Jan 26, 2015 at 16:35

I think I found the answer, adding the line to sudoers: ubuntu ALL=(someusername) NOPASSWD: ALL, but I have to think about the security behind this… Is there any other way except adding this line to sudoers? – errata, Jan 26, 2015 at 17:02

the proper way would be to let your remote user to login directly. – Capi Etheriel, Jan 26, 2015 at 19:52
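Added example (not part of the original answer or comments): a simplified Python check of the two sudoers rules quoted above, showing which login user may become which target user without a password. It assumes plain user specifications only (no aliases, %groups or Defaults); `parse_rule` and `can_become` are hypothetical helper names.

```python
import re

# Simplified user-spec grammar: "<user> <host> = [(<runas>)] [NOPASSWD:] <cmds>".
# Assumption: no aliases, %groups, Defaults or per-command tags.
SPEC = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<nopasswd>NOPASSWD\s*:\s*)?"
    r"(?P<cmds>.+?)\s*$"
)

def parse_rule(line):
    """Return a dict for one sudoers user specification, or None."""
    line = line.split("#", 1)[0]
    m = SPEC.match(line)
    if not m:
        return None
    runas = m.group("runas")
    # Without a Runas list sudo defaults to root; drop any ":group" part.
    users = ["root"] if runas is None else [
        u.strip() for u in runas.split(":", 1)[0].split(",") if u.strip()]
    return {"user": m.group("user"), "runas": users,
            "nopasswd": m.group("nopasswd") is not None,
            "cmds": m.group("cmds").strip()}

def can_become(rules, login_user, become_user):
    """True if login_user may run any command as become_user, no password."""
    for rule in filter(None, map(parse_rule, rules)):
        if rule["user"] not in (login_user, "ALL"):
            continue
        if not ({"ALL", become_user} & set(rule["runas"])):
            continue
        # Ansible wraps modules in a shell, so the rule must cover ALL commands.
        if rule["nopasswd"] and rule["cmds"] == "ALL":
            return True
    return False

# Rules quoted on the page (constructed into lists for the demo).
ASKER_RULE = ["someusername ALL=(ALL) NOPASSWD:ALL"]
COMMENT_RULE = ["ubuntu ALL=(someusername) NOPASSWD: ALL"]

if __name__ == "__main__":
    for name, rules in (("asker", ASKER_RULE), ("comment", COMMENT_RULE)):
        for who, target in (("ubuntu", "someusername"), ("ubuntu", "root"),
                            ("someusername", "root")):
            print(name, who, "->", target, can_become(rules, who, target))
```

The asker's rule lets someusername run as anyone, including root, while giving ubuntu nothing; the rule from the comment lets ubuntu run as someusername only. On a real host, `sudo -l -U ubuntu` lists the rules sudo actually applies to that user.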

Note that after Ansible 1.9, the sudo wording was replaced with become, thus

```yaml
sudo: yes
sudo_user: some_user
```

becomes (pun intended):

```yaml
become: yes
become_user: some_user
```

See more specifics here: https://stackoverflow.com/a/22749788/402727

Also write this before the actual module (e.g. command or shell) you want to execute for it to take effect. At least in my experience it didn’t work correctly if I have written become and become_user after the shell module.

```yaml
- name: Example user change
  become: true
  become_user: '{{ user }}'
  shell: |
    …
```

edited Nov 26, 2020 at 9:06 by AdamKalisz, answered Dec 6, 2015 at 8:36 by ex-nerd

As ex-nerd pointed out already, you have to use the become module nowadays. Furthermore, to get exactly what OP wants, use su as the become method:

```yaml
- name: check user
  become: yes
  become_user: someusername
  become_method: su
  become_flags: '--login'
  shell: whoami
```

become_flags: '--login' makes sure that you login as it would happen manually, e.g. also loading .profile etc.

If you did not already define a become password for the user who logs in to the host, you can do it at task level via vars:

```yaml
- name: check user
  become: yes
  become_user: someusername
  become_method: su
  become_flags: '--login'
  vars:
    ansible_become_pass: "<Password of 'ubuntu' in OP's case>"
  shell: whoami
```

If you login to the host using one user (with sudo privilege) and want to execute something as another user (that may not have a password), add the following line to the above:

```yaml
become_exe: 'sudo -p "Password: " su -'
```

edited Sep 8, 2022 at 15:17, answered Jul 11, 2022 at 14:54 by stackprotector
