
Specify sudo password for Ansible

Tags:

ansible



The docs strongly recommend against setting the sudo password in plaintext, and instead using --ask-sudo-pass on the command line when running ansible-playbook.


2016 Update:

Ansible 2.0 (not 100% sure when) marked --ask-sudo-pass as deprecated. The docs now recommend using --ask-become-pass instead, while also swapping out the use of sudo throughout your playbooks with become.


You can pass a variable on the command line via --extra-vars "name=value". The sudo password variable is ansible_sudo_pass. So your command would look like:

ansible-playbook playbook.yml -i inventory.ini --user=username \
                              --extra-vars "ansible_sudo_pass=yourPassword"

Update 2017: Ansible 2.2.1.0 now uses var ansible_become_pass. Either seems to work.

Update 2021: ansible_become_pass is still working, but for now, we should use -e instead of --extra-vars.


Probably the best way to do this - assuming that you can't use the NOPASSWD solution provided by scottod - is to use Mircea Vutcovici's solution in combination with Ansible vault.

For example, you might have a playbook something like this:

- hosts: all

  vars_files:
    - secret

  tasks:
    - name: Do something as sudo
      service: name=nginx state=restarted
      sudo: yes

Here we are including a file called secret which will contain our sudo password.

We will use ansible-vault to create an encrypted version of this file:

ansible-vault create secret

This will ask you for a password, then open your default editor to edit the file. You can put your ansible_sudo_pass in here.

e.g. secret:

ansible_sudo_pass: mysudopassword

Save and exit; now you have an encrypted secret file which Ansible is able to decrypt when you run your playbook. Note: you can edit the file with ansible-vault edit secret (and enter the password that you used when creating the file).

The final piece of the puzzle is to provide Ansible with a --vault-password-file which it will use to decrypt your secret file.

Create a file called vault.txt and in that put the password that you used when creating your secret file. The password should be a string stored as a single line in the file.

From the Ansible Docs:

... ensure permissions on the file are such that no one else can access your key and do not add your key to source control

Finally: you can now run your playbook with something like

ansible-playbook playbook.yml -u someuser -i hosts --sudo --vault-password-file=vault.txt 

The above is assuming the following directory layout:

.
|_ playbook.yml
|_ secret
|_ hosts
|_ vault.txt

You can read more about Ansible Vault here: https://docs.ansible.com/playbooks_vault.html
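The quoted docs require the vault password file to be unreadable by others and kept out of source control. The following Python check is an added example, not code from the answer above or from Ansible itself; it assumes the layout described above (vault.txt next to a .gitignore in the playbook directory) and that the file holds the password as a single line.

```python
import os
import stat
from pathlib import Path

# Added example: audits a --vault-password-file for the two properties the
# Ansible docs ask for (owner-only permissions, not committed) plus the
# single-line format. File names here are hypothetical.


def vault_file_findings(vault_file: str, repo_root: str) -> list:
    """Return a list of problems with the vault password file (empty = OK)."""
    findings = []
    path = Path(vault_file)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit lets other local users read the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path.name}: mode {oct(mode)} readable by others; use 0600")
    # The docs say the password is stored as a single line; extra lines are
    # usually a stray newline or a second secret pasted in by mistake.
    lines = path.read_text().splitlines()
    if len(lines) != 1 or not lines[0].strip():
        findings.append(f"{path.name}: expected one non-empty line, got {len(lines)}")
    # The key must be excluded from source control via .gitignore.
    gitignore = Path(repo_root) / ".gitignore"
    patterns = gitignore.read_text().splitlines() if gitignore.exists() else []
    rel = str(path.resolve().relative_to(Path(repo_root).resolve()))
    if rel not in patterns and path.name not in patterns:
        findings.append(f"{rel}: not listed in .gitignore; it would be committed")
    return findings


def fix_vault_file(vault_file: str, repo_root: str) -> None:
    """Remediate: chmod 0600 and append the file to .gitignore if missing."""
    path = Path(vault_file)
    os.chmod(path, 0o600)
    gitignore = Path(repo_root) / ".gitignore"
    rel = str(path.resolve().relative_to(Path(repo_root).resolve()))
    existing = gitignore.read_text().splitlines() if gitignore.exists() else []
    if rel not in existing:
        with gitignore.open("a") as f:
            f.write(rel + "\n")


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed sample layout
    vf = os.path.join(root, "vault.txt")
    Path(vf).write_text("correct horse battery staple\n")  # constructed password
    os.chmod(vf, 0o644)  # deliberately too open
    print(vault_file_findings(vf, root))
    fix_vault_file(vf, root)
    print(vault_file_findings(vf, root))  # []
```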


https://docs.ansible.com/ansible/latest/user_guide/vault.html


Looking at the code (runner/__init__.py), I think you can probably set it in your inventory file:

[whatever]
some-host ansible_sudo_pass='foobar'

There seems to be some provision in the ansible.cfg config file too, but it is not implemented right now (constants.py).


I don't think ansible will let you specify a password in the flags as you wish to do. There may be somewhere in the configs this can be set but this would make using ansible less secure overall and would not be recommended.

One thing you can do is to create a user on the target machine and grant them passwordless sudo privileges to either all commands or a restricted list of commands.

If you run sudo visudo and enter a line like the below, then the user 'privilegedUser' should not have to enter a password when they run something like sudo service xxxx start:

# the leading '%' matches members of the group privilegedUser; drop it to match a single user of that name
%privilegedUser ALL= NOPASSWD: /usr/bin/service