The results of these and other tests all come back the same: user being ‘ssm_user’. The ‘ssm_user’ definitely does have the permission to elevate to root and can do so manually on the instance fine.
Root account isnt configured with a password in my case. Connecting via SSM as ssm-user then elevating has always been the way.
This seems to be an issue with the plugin itself, as when I just use the ‘shell’ module and run the same commands with sudo in front it works fine. But any use of ‘become’ after connecting via the SSM plugin does not work at all.
This is an old thread now, but posting an update for anyone who comes across it.
We are running ansible inside AWS CodeBuild, with the aws_ssm connection plugin and a custom SSM Document that specifies runAsEnabled = true and runAsDefaultUser = "ssm-user".
By default CodeBuild runs all commands as root, and aws_ssm will set remote_user = root since it uses the user running ansible instead of the runAsDefaultUser user from the SSM document. Because of this, ansible thinks the remote is using root and skips become. We had been using running ansible with aws_ssm successfully in development and EC2 instances in production, so it was confusing why it was failing when we moved to CodeBuild.
Setting the following environment variable worked for us.