How should I use sudo_user and sudo together when logging in as a non-root user and switching to another user?

Hi there,

Can someone give me some pointers as to why an Ansible role using sudo_user (below) would complain about missing sudo passwords, when I'm able to:

  1. ssh in as one non-root user (in this case, chris)

  2. use sudo su deploy_user to switch to that deploy user

  3. call sudo ls to run a command with sudo, without needing to provide a password

I'm using Ansible 1.8.2 and deploying to an Ubuntu machine on Google Cloud Platform. Below is the relevant task I'm trying to run, as well as my sudoers file.

If I want to log in with one non-root user, then run other commands as a deploy user, how else should I be doing this?

The best workaround I can think of at present is to execute the tasks as a login user, but make sure I set the owner and group as extra parameters for file or template tasks.

Many thanks,

Chris

tasks.yml

~~~
# Both tasks run as {{ deploy_user }} via sudo from the login user (chris).
# mode is given in octal with a leading zero so it is not misread as decimal.
- name: put envdirs directory in place
  file: >
    path=~/path/to/envdir/
    state=directory
    mode=0775
  sudo: yes
  sudo_user: "{{ deploy_user }}"
  tags:
    - debug

# These files carry credentials; no mode is set here, so they are created
# with whatever the module's default permissions are for new files.
- name: drop envdir vars in directory
  template: >
    src=envdir_var.j2
    dest=~/path/to/envdir/{{ item.env_var }}
  with_items:
    - { env_var: AWS_ACCESS_KEY_ID, env_val: "{{ aws_access_key }}" }
    - { env_var: AWS_SECRET_ACCESS_KEY, env_val: "{{ aws_secret_key }}" }
    - { env_var: AWS_DEFAULT_REGION, env_val: "{{ aws_region }}" }
    - { env_var: PGUSER, env_val: "{{ app }}" }
    - { env_var: PGPASSWORD, env_val: "{{ app }}" }
  sudo: yes
  sudo_user: "{{ deploy_user }}"
~~~

sudoers


~~~
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
chris ALL=NOPASSWD: ALL

# this gives more access than I'd like to deploy_user, but ansible is
# still bitching about the deploy_user not having a sudo password
deploy_user ALL=NOPASSWD: ALL
~~~

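The part of sudoers that decides this case is the Runas_Spec. Per sudoers(5), an entry with no `(runas)` part only allows the command to be run as root, so `chris ALL=NOPASSWD: ALL` covers a plain `sudo ls` (target root) but says nothing about `sudo -u deploy_user ...`, which is what Ansible 1.x issues on the target when `sudo_user` is set while connected as the login user. The `deploy_user` line never comes into play, because sudo is invoked by chris, not by deploy_user; the manual `sudo su deploy_user` then `sudo ls` test works because each of those two hops targets root. The script below is an added example, not code from the thread or from Ansible: a toy sudoers matcher covering just user/%group specs, host ALL, an optional Runas_Spec, the NOPASSWD/PASSWD tags and Cmnd_List ALL (no aliases, Defaults, includes or per-command matching, and last match wins as in sudo). The rule sets are constructed to mirror the ones quoted above; `FIXED_RULES` appends a hypothetical line `chris ALL=(deploy_user) NOPASSWD: ALL`, and the group-`sudo` case is an assumption about chris's group membership, not something the post states.

```python
"""Toy sudoers matcher: does `sudo -u TARGET cmd` run by USER need a password?

Handles only the subset of sudoers(5) needed for this thread: a user or %group
spec, host ALL, an optional (runas_user[:runas_group]) list, NOPASSWD/PASSWD
tags and a Cmnd_List of ALL.  Aliases, Defaults, includes and per-command
matching are not implemented.  Added example, not part of sudo or Ansible.
"""
import re

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?PASSWD:\s*)*)"
    r"(?P<cmnd>\S.*)$"
)

# sudoers(5): with no Runas_Spec the command may only be run as root.
RUNAS_DEFAULT = "root"
# Marker for "(:group)" rules, where the user part is the invoking user.
INVOKING = "<invoking>"


def parse_sudoers(text):
    """Parse user-privilege lines into dicts; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops #include lines (toy)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        runas = m.group("runas")
        if runas is None:
            runas_users = [RUNAS_DEFAULT]
        else:
            users_part = runas.split(":", 1)[0]
            runas_users = [u.strip() for u in users_part.split(",") if u.strip()]
            runas_users = runas_users or [INVOKING]
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas_users": runas_users,
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmnd": m.group("cmnd").strip(),
        })
    return rules


def _user_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user


def sudo_decision(rules, user, groups, target_user, host="ALL"):
    """Return 'nopasswd', 'password' or 'denied'; the last matching rule wins."""
    decision = "denied"
    for r in rules:
        if not _user_matches(r["user"], user, groups):
            continue
        if r["host"] not in ("ALL", host):
            continue
        runas_ok = any(
            ru == "ALL" or ru == target_user or (ru == INVOKING and target_user == user)
            for ru in r["runas_users"]
        )
        if not runas_ok or r["cmnd"] != "ALL":  # toy: only Cmnd_List ALL is matched
            continue
        decision = "nopasswd" if r["nopasswd"] else "password"
    return decision


# Constructed input mirroring the rules quoted in the post (not the file verbatim).
POSTED_RULES = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
chris ALL=NOPASSWD: ALL
deploy_user ALL=NOPASSWD: ALL
"""

# Hypothetical fix: a Runas_Spec naming the deploy user.  "(ALL)" would also
# work but lets chris become any account without a password.
FIXED_RULES = POSTED_RULES + "chris ALL=(deploy_user) NOPASSWD: ALL\n"


def ansible_sudo_check(sudoers_text, remote_user, sudo_user, groups=()):
    """Outcome of Ansible running `sudo -u sudo_user ...` while logged in as remote_user."""
    return sudo_decision(parse_sudoers(sudoers_text), remote_user, list(groups), sudo_user)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(label, "chris -> root:", ansible_sudo_check(text, "chris", "root"))
        print(label, "chris -> deploy_user:", ansible_sudo_check(text, "chris", "deploy_user"))
        print(label, "chris (in group sudo) -> deploy_user:",
              ansible_sudo_check(text, "chris", "deploy_user", ["sudo"]))
        print(label, "deploy_user -> root:", ansible_sudo_check(text, "deploy_user", "root"))
```

With the posted rules, `chris -> root` is passwordless while `chris -> deploy_user` is denied outright; if chris also happens to be in group `sudo` (an assumption), the `%sudo ALL=(ALL:ALL) ALL` line matches instead and the answer becomes "password", which is the prompt Ansible reports as a missing sudo password. With the added `(deploy_user)` rule, both variants become passwordless for that one target user and nothing else.
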
Hi Chris, are you specifying the remote_user value, or does the current user running Ansible on the controller match the remote user on the target system?