I am working to automate our deployment process with Ansible but am running into a permissions issue. I have a playbook that uses the raw module to call a deploy.ps1 file that is on a remote Windows server. This deploy.ps1 file does some work and then calls an install.ps1 command using the following syntax: “Invoke-Command -ComputerName $server -filepath $from\install.ps1 -argumentlist $version,$siteName”. The problem is install.ps1 needs to be run as administrator in order to work (it makes some changes to IIS). I can run deploy.ps1 (and install.ps1) from an administrator PowerShell window but they fail when I run them from a non-admin PowerShell window.
Is there a way to tell the raw command to run the powershell as admin?
Copied below is the error message.
“stderr”: “[localhost] Connecting to remote server localhost failed with the following \r\nerror message : Access is denied. For more information, see the \r\nabout_Remote_Troubleshooting Help topic.\r\n + CategoryInfo : OpenError: (localhost:String) , PSRemotingTran \r\n sportException\r\n + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken\r\n”,
“stdout”: “\nDeploying EdgeTestTool version:532 to servers: localhost\n\tCopying files to localhost\n\nFile copy complete. Starting install\n\tInstalling on remote server localhost in site Default Web Site\nC:\surescripts\edge\532\archive\EdgeTestTool.Web\obj\x64\Debug\Package\PackageTmp, 532, Default Web Site\r\n\nDone Deploying EdgeTestTool version:532 to servers: localhost\n\n”,
On Windows Vista, and later versions of Windows, to use the ComputerName parameter of Invoke-Command to run a command on the local computer, you must open Windows PowerShell with the “Run as administrator” option.
Not hit this particular problem myself and am not a powershell expert but I have a couple of suggestions.
Last time I tried the raw module I came to the conclusion it was running something close to a DOS command environment, rather than a PowerShell environment. So maybe worth trying to turn your ‘raw’ into a ‘script’.
Second (rather vague) suggestion is to make use of groups if possible and perhaps that way you don’t need full administrator permissions, just logging in as a user who has sufficient group access to do whatever you need to do to IIS might be enough.
Hope that’s some help, please let us know how you get on, I know I have IIS configuration tasks I want to automate in the future.
Michael, from what I can see you’re running a command “through” a (Windows) Ansible node targeting another node ($server)? Why don’t you just run it against $server directly from Ansible?
Instead of
Ansible --> Managed Node --> $Server
Just to
Ansible --> $Server
You could be running into the double-hop issue, or it could be that the user set up in your ansible_ssh_user variable is a local user and not a domain one (in which case you can’t use it to invoke a command on a remote computer).
The easiest way to tell what’s going on is to check the security log on your $Server computer.
Sorry, I forgot to get back to this post. I ended up following Trond’s suggestion (I was having a double hop auth issue). I now manage my Windows servers directly (i.e. Ansible → $Server, no Windows server in between).
I’ve also been using the script module instead of raw.
I have an almost identical issue.
I am running a PowerShell script on srv01:
get-childitem \\srv01\share01
get-childitem \\srv02\share02
The first one is executing without issues, but on the second one I am receiving Access Denied.
It doesn’t look like double hop trouble, but anyway, just in case, I’ve enabled PSRemoting and Enable-WsmanCredSSP.
The event log is empty, and there is no difference between those 2 servers; the firewall is disabled too.
And anyway, the script is executed with domain admin rights.
The weird thing is that I can execute the get-childitem \\srv02\share02 from any machine (including srv01), but not from Ansible.
Initially the purpose of the script was to copy a file from \\srv01 to \\srv02, but as I’ve got Access Denied, I decided to run an easier command like gci.
Any help/workaround appreciated.
Thx.
So just to sum up:
Ansible --> srv01: You can list stuff in \\srv01\ but not \\srv02
Are you connecting to srv01 from ansible using a domain account or a local account? If local it’s pretty logical that you have this issue: The user doesn’t have any permissions outside srv01, so that’s the only thing you can see.
For cross-machine boundaries you need to connect using a domain account. Or you can write an Ansible module which takes username/password as a parameter and pass that in (look at the PR for win_package in the “ansible-modules-extras” repo on GitHub, it has the functionality to get files from a UNC share using explicitly defined credentials).
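
A diagnostic that could be pushed to the managed node with the script module to see which of the causes raised in this thread applies: a non-elevated token, a local rather than domain account, or a failing second hop. This is an added example, not code from any poster; the default share path is the one quoted in the post above, and the parameter and output field names are made up for illustration.

```powershell
# Added diagnostic sketch; not code from the thread.
# $UncPath is a placeholder: pass the share the play actually needs.
param(
    [string]$UncPath = '\\srv02\share02'
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Name is "AUTHORITY\user". If the authority equals this computer's name,
# the account is local and has no rights on any other machine.
$authority = ($identity.Name -split '\\', 2)[0]
$isLocal   = $authority -ieq $env:COMPUTERNAME

# False when the token is not elevated, even for a member of Administrators.
$isElevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Attempt the second hop and keep the error text instead of aborting,
# so the report is produced whether or not access is denied.
$hopResult = 'OK'
try {
    Get-ChildItem -Path $UncPath -ErrorAction Stop | Out-Null
} catch {
    $hopResult = $_.Exception.Message
}

[pscustomobject]@{
    User            = $identity.Name
    LocalAccount    = $isLocal
    Elevated        = $isElevated
    AuthType        = $identity.AuthenticationType
    SecondHopTarget = $UncPath
    SecondHopResult = $hopResult
} | Format-List
```

Running the same script in an interactive session on the node and comparing the two reports shows whether the difference lies in the account, the elevation state, or only in the second hop.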