'community.aws.aws_ssm' connection will not change/become user

Funnionz · May 29, 2024, 8:30am

Hi,

Despite efforts, I cannot get the ‘community.aws.aws_ssm’ connection to ‘become’ any other user when connecting to an EC2 via SSM.

I can connect to the host fine, but any attempt to become root fails. Example tests:

- name: Run 'whoami' command
  become: true
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output


- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

The results of these and other tests all come back the same: user being ‘ssm_user’. The ‘ssm_user’ definitely does have the permission to elevate to root and can do so manually on the instance fine.

Is anyone else experiencing the same?

motorbass · May 29, 2024, 9:50am

Hi
Did you try to add become_method: su or sudo in your task to check if results is the same or different ?

I assume when you switch from ssm_user to root manually you run something like su or su - right?

Funnionz · May 31, 2024, 2:52am

Thanks for the response.

I have tried ‘become_method’ of ‘sudo’ and ‘su’, both have no impact.

I have also tried using ‘shell’ instead of ‘command’ as well as other tasks, again the user remains as ‘ssm-user’.

motorbass · May 31, 2024, 7:38am

Weird… I assume your root account is configured with a password too ?

Are you able to test it by providing the root password into ansible_become_password in your vars ?

Then try again with your current tasks, then with become_method and see if results is the same for those scenarios.

Funnionz · June 4, 2024, 3:21am

Root account isnt configured with a password in my case. Connecting via SSM as ssm-user then elevating has always been the way.

This seems to be an issue with the plugin itself, as when I just use the ‘shell’ module and run the same commands with sudo in front it works fine. But any use of ‘become’ after connecting via the SSM plugin does not work at all.

Funnionz · June 12, 2024, 7:28am

Sorry, does anyone have any answer on this at all?

MattLehner · July 28, 2025, 11:13pm

This is an old thread now, but posting an update for anyone who comes across it.

We are running ansible inside AWS CodeBuild, with the aws_ssm connection plugin and a custom SSM Document that specifies runAsEnabled = true and runAsDefaultUser = "ssm-user".

By default CodeBuild runs all commands as root, and aws_ssm will set remote_user = root since it uses the user running ansible instead of the runAsDefaultUser user from the SSM document. Because of this, ansible thinks the remote is using root and skips become. We had been using running ansible with aws_ssm successfully in development and EC2 instances in production, so it was confusing why it was failing when we moved to CodeBuild.

Setting the following environment variable worked for us.

ANSIBLE_BECOME_ALLOW_SAME_USER=1

Topic		Replies	Views
Facing issues with ssh connection as user root Ansible Project	7	11	April 26, 2021
Does Ansible have to run as root? sudo and --become-user Ansible Project	4	194	September 13, 2016
How to run "sudo command" as ssh user without switching to become_user? Ansible Project	4	41	March 2, 2018
Ansible unable to run command by becoming other user and using sudo Ansible Project	4	45	May 14, 2020
Trying to use become Get Help ansible-core , aws	4	455	October 19, 2024

'community.aws.aws_ssm' connection will not change/become user

Related topics