
What is the difference between ansible's remote_user & become_user

I need to understand the difference between ansible's remote_user & become_user considering that the play will either run locally or remotely.

Difference between:

- hosts: all
  become: yes
  become_user: user1

- hosts: all
  remote_user: user1

Will there be any difference in case SSH keys are set up between the servers?

I tried to google for the differences but did not find any good explanation for the same.

Ashar asked Dec 18 '22 17:12


2 Answers

  • The become_user means the user that will execute the playbook, and the remote user will execute it on the remote servers.

  • become: yes which will do a sudo to root automatically by default. But then you told it the remote_user: deployer which told the server that the user logging in is deployer and after they log in do the default sudo.

There are stable differences:

  • become: yes = Use sudo and be root by default.
  • become_user: user1 = Using sudo from become:yes and becoming user user1.
  • remote_user: user1 = Log in as foofoo on that remote server.
Bhatasana Prashant answered Apr 28 '23 22:04


Q: "Will there be any difference in case ssh keys are set up between the servers?"

A: There will be no difference in privilege between

- hosts: all
  become: yes
  become_user: user1

and

- hosts: all
  remote_user: user1
  become: no

There might be a difference in the environment set for user1 between:

  • privilege escalation, e.g. sudo user1 and
  • ssh connection to user1@host.

Notes:

  • The best practice is not to allow ssh to root
  • In most cases, become_user is root (this is also default)
  • In most cases, two steps are needed: 1) connect to remote_user@host and 2) escalate privilege to root (become: yes).
  • See Risks of becoming an unprivileged user.
Vladimir Botka answered Apr 28 '23 23:04
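To see the two cases from the answer above side by side, the following playbook is an added example and is not part of the original question or answers. It assumes accounts named deployer and user1 exist on every host, SSH keys are installed for both, and sudoers lets deployer run commands as user1.

```yaml
# Added example. Assumptions: "deployer" and "user1" exist on all hosts,
# both accept the controller's SSH key, and sudoers allows
# deployer to run commands as user1.

# Play 1: SSH login as deployer, then privilege escalation to user1.
# Becoming a non-root user from a non-root login also needs a way to hand
# Ansible's temporary module files to user1 (for example POSIX ACLs via
# setfacl on the target); see "Risks of becoming an unprivileged user".
- name: Connect as deployer, become user1
  hosts: all
  gather_facts: false
  remote_user: deployer
  become: true
  become_user: user1
  tasks:
    - name: Report identity and environment after escalation
      ansible.builtin.shell: >-
        echo "effective=$(id -un) sudo_user=${SUDO_USER:-unset} home=$HOME"
      register: via_become
      changed_when: false

    - name: Show what the task ran as
      ansible.builtin.debug:
        var: via_become.stdout

# Play 2: SSH login directly as user1, no escalation step.
- name: Connect as user1 directly
  hosts: all
  gather_facts: false
  remote_user: user1
  become: false
  tasks:
    - name: Report identity and environment of the SSH session
      ansible.builtin.shell: >-
        echo "effective=$(id -un) sudo_user=${SUDO_USER:-unset} home=$HOME"
      register: via_ssh
      changed_when: false

    - name: Show what the task ran as
      ansible.builtin.debug:
        var: via_ssh.stdout
```

Both plays run their task as user1. With the default become method (sudo), only the first play has SUDO_USER set, and on the host it appears as a deployer login followed by a sudo invocation rather than as a user1 login.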