Using Ansible become password in a task

Question

My playbook is invoked with --ask-become-pass. The become password is supplied via an environmental variable on the Control machine.

Everything is working just fine for the many tasks I have which require privilege escalation. However, there's one or two tasks that require the password directly as part of the command. E.g. I was hoping I could use something like: command: /foo/bar autoLoginUser {{ ansible_become_pass }}

...but I get the following: "The task includes an option with an undefined variable. The error was: 'ansible_become_pass' is undefined."

I'd rather not duplicate this password in the Vault if I can help it.

Answer 1

There is another way to supply the become password. As per the documentation:

• providing the --ask-become-pass command line option
• setting the ansible_become_password connection variable

This variable can be set in the inventory, like so:

webserver01 ansible_user=ansible ansible_become_password=secret

Or supplied from the command line instead of --ask-become-pass. Like so:

export MY_PASSWORD=secret
ansible-playbook myplaybook.yml -e "ansible_become_password=$MY_PASSWORD"

Since this variable is now set, you can then have tasks like:

command: "/foo/bar autoLoginUser {{ ansible_become_password }}"