Ansible sudo root hop

Question

My problem is :

As it is usually seen as a bad practice to use root user to connect to a remote machine over ssh, i use a specific unprivileged account to connect to servers.

But for me it is also a bad practice to do all actions as root user. I prefer use applicative users whenever i can.

With ansible i can become root and execute privileged commands with become directive. But is there any mean to become any user with a root 'hop' privilege escalation ?

ie, ssh with ssh-user => become root => become any other user

The other means I see do not satisfy me completely:

become root, use cmd module and use su (which displays the following deprecated message [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su ) :

cmd: su -c "my_command" app_user become: True become_user: root
add sudoers permission to my ssh-user to become directly all applicative users

Am i missing some way to do this more neatly ?

s.daden s.daden · Accepted Answer · 2017-06-28T14:58:57

You can run your playbook with --ask-become-pass option, as example:

ansible-playbook -i ../inventories/production.ini service_install.yml --ask-become-pass

And in your inventory, here is called production.ini, add your information user for ansible group:

[group1]
182.26.5.159
182.26.5.160
182.26.5.161
...
[group1:vars]
ansible_connection=ssh
ansible_user=appuser                                   # insert your app user here
ansible_ssh_pass=passuser                              # insert your pass here

You can then encrypt your inventory file to keep your password secret, and give the decryption password to your OPs/Sysadmins Teams

ansible-vault encrypt ../inventories/production.in

The final command kept will be:

ansible-playbook -i ../inventories/production.ini service_install.yml --ask-become-pass --ask-vault-pass

Then on your play, you will just need to user "become: yes" option to call your task:

cmd: "my_command" app_user
become: yes

Ansible sudo root hop

2 Answers