I am just starting to use AWX. Our goal is to automate some playbooks to be executed at specific times, and AWX seemed like the logical place to run these from. For this purpose, we created a user account on our target hosts that only uses SSH keys for authentication; there is no password for the account. The private key is safely stored away in a password vault or inside of AWX, and it is not written to disk anywhere else. This seems to work very well…until I tried to do privilege escalation with sudo. As I mentioned, the account is password-less, and we want to keep it that way. That means that there is no password for sudo to use. But AWX seems to insist that it MUST enter a password for all privilege escalation, even though I have configured sudoers to not require a password for this account:
umgmt ALL = NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python
This works perfectly with plain vanilla ansible (the private key is stored into ssh-agent):
ansible testserver -u umgmt -b -m shell -a id
testserver | CHANGED | rc=0 >>
uid=0(root) gid=0(root) groups=0(root)
But if I try to run the same command through AWX, it fails with the message “Missing sudo password”.
I tried setting ‘become_flags = -H -S’ in ansible.cfg, but then I got the message “Timeout (12s) waiting for privilege escalation prompt:” Basically, AWX really, really wants to enter a password for sudo whether one is needed or not.
So, is there some recommended method of telling AWX not to enter a password for privilege escalation?
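As an added example (not from the original poster, AWX or Ansible), the playbook below makes the passwordless-sudo assumption explicit before any privileged task relies on it; the host group `testserver`, the account `umgmt` and the become flags are assumptions, the flags being the ones Ansible's sudo plugin passes by default.

```yaml
---
# Added example, not taken from the original post. Host group, remote user
# and become settings below are assumptions for illustration.
- name: Passwordless sudo pre-check for the umgmt automation account
  hosts: testserver
  remote_user: umgmt
  become: false
  gather_facts: false
  tasks:
    # "sudo -l" without a password only succeeds when at least one of the
    # account's sudoers entries carries NOPASSWD (sudoers listpw default).
    # -n makes sudo fail instead of waiting for a password, which is what
    # surfaces as "Missing sudo password" in Ansible/AWX.
    - name: Probe whether sudo will run non-interactively for this account
      ansible.builtin.command: sudo -n -l
      register: sudo_probe
      changed_when: false
      failed_when: false

    - name: Explain a refused escalation instead of a bare "Missing sudo password"
      ansible.builtin.assert:
        that: sudo_probe.rc == 0
        fail_msg: >-
          sudo -n -l was refused for umgmt: {{ sudo_probe.stderr }}.
          Check the NOPASSWD rule with visudo -c and make sure it names the
          exact shell and interpreter paths present on this host.

- name: Privileged work, using the flags Ansible's sudo become plugin applies by default
  hosts: testserver
  remote_user: umgmt
  become: true
  become_method: sudo
  become_user: root
  become_flags: "-H -S -n"
  gather_facts: false
  tasks:
    - name: Confirm escalation really reached root
      ansible.builtin.command: id -u
      register: effective_uid
      changed_when: false

    - name: Fail loudly if the command ran as the unprivileged user
      ansible.builtin.assert:
        that: effective_uid.stdout == "0"
        fail_msg: "Escalation did not happen; command ran as uid {{ effective_uid.stdout }}"
```

The first play does not prove that the exact become command matches the sudoers rule; only the second play's `id -u` check does that.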
How are you trying to elevate your access? Try using the become command in your script:
https://docs.ansible.com/ansible/2.3/become.html
Actually, upon reading this a bit closer, let me clarify my response. For the user account that is running this, I assume you configured it in AWX as a user. Under the privilege escalation method, are you using sudo? If so, try switching it to run as, or, if you do not want to put the escalation method in the user account, you can put it in the script itself using the become command.
That is correct, I set up a umgmt account in “Credentials” in AWX. I set “PRIVILEGE ESCALATION METHOD” to sudo, “PRIVILEGE ESCALATION USERNAME” to root, and I left “PRIVILEGE ESCALATION PASSWORD” blank. That results in commands failing with the “Missing sudo password” message when I tick the “ENABLE PRIVILEGE ESCALATION” box in the “EXECUTE COMMAND” page. I changed the method to “runas”, but then there is no escalation at all; it just runs as the umgmt user.
Runas appears to be a Microsoft thing, and I am in a Unix/Linux environment. I have a healthy mix of IBM, RedHat, and Suse, so whatever method I use has to work on all of those.
I guess there must not be an answer to this since I have not received anything that I can use. AWX just insists on a sudo password whether one is needed or not. A major deficiency in my opinion.
Sorry I haven’t had a chance to test this for myself. It should be possible, but I can’t confirm without finding some time to test. Day job keeps me from having time to test things outside of that.
Is your user’s default shell bash or sh?
In sudoers I see you are using sh: umgmt ALL = NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python
However, if your user’s default shell is something else in /etc/passwd (and it usually is bash), the ansible shell module will use that.
Ironically, shortly after posting my last message, it started to work. I do not know what changed, but I no longer get the “Missing sudo password” message. It just executes the playbook as expected with no further prompting, and no password in the credentials. Somewhere along the line I must have ticked a box or clicked a save button I previously missed, or something, but I cannot see anything different now.
This is my first experience with AWX, so there is a big learning curve here. I spent many, many hours trying to solve this issue myself before I finally decided to ask for help from the forum. I feel that time was not totally lost as it forced me to dig deep into the application and learn more about how to use it. But it is disconcerting to have systems mysteriously fix themselves. I find that to almost be more frustrating than not being able to solve it in the first place. I do not know if this is going to happen again or just continue to work as expected after this.
I have worked with Ansible for several years and consider myself to be fairly knowledgeable about it. I consider it to be a very useful and powerful tool, but I also find it to be very frustrating at times! And I still do not know why AWX is working now and would not before!