Switching user in playbook

I need to switch users in a playbook: first I need to do some tasks as the root user, then I need to change to a limited user and do the rest as that user.

My playbook looks like this:

    - name: Preparation
      vars:
        - ansible_ssh_user: root
        - ansible_ssh_private_key_file: ~/.ssh/site-root

    - name: Main play
      vars:
        - ansible_ssh_user: ci
        - ansible_ssh_private_key_file: ~/.ssh/site-ci

This works, but I feel that it is nasty (poor design):

  • redundant configuration (in hosts and 2 plays)
  • need to switch and then switch back

What is the best practice to achieve that?

the remote_user: directive can be used at play and task level to
change this, no need to use vars: unless your hosts have those set in
inventory (which overrides remote_user).

Thanks for the tip, but how can I set the credentials for alternative user?

Now I have only one user set in hosts file:

    ansible-sandbox ansible_ssh_host=ansible-sandbox.local ansible_ssh_user=ci ansible_ssh_private_key_file=~/.ssh/ci

On Friday, May 29, 2015 at 17:56:28 UTC+2, Brian Coca wrote:

One question and one issue:

  1. Question (above):
     How can I set the credentials for alternative user?

  2. Issue:
     The playbook:

    - name: Preparation
      remote_user: root
      vars:
        - ansible_ssh_private_key_file: ~/.ssh/site-root

    - name: Main play
      remote_user: ci

Does not work: ‘Main play’ will be executed as root user

If I put the following at the end:

    - ansible_ssh_private_key_file: ~/.ssh/site-ci

…then I get the following error:

    SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

So the root user is stuck somehow… and one cannot authenticate root with ci’s key.

Regards:
Bence

On Friday, May 29, 2015 at 18:15:19 UTC+2, Bence Takács wrote:

what version of ansible? os? python?

switching users seems to be working fine for me.

… but where do you store the alternative user’s credentials?

On 2015.05.29 at 19:27, “Brian Coca” <bcoca@ansible.com> wrote:

i use an ssh agent

Well, actually it’s Windows with babun (cygwin) and python 2.7.x
Do you think this is because of the OS?

SSH agent? Does that work for private keys too? Or just for passwords? I suspect that more than the OS

Regards:
Bence

On 2015.05.29 at 20:40, “Brian Coca” <bcoca@ansible.com> wrote:

Probably a combination of issues, there is some success running
ansible on cygwin but also many problems, this is not a supported
platform

Thanks, Brian

With ssh-agent I reduced my ‘hosts’ file radically, and removed the ‘ansible_ssh_private_key_file’ declarations from the plays.

But I still cannot use the ‘remote_user’ in plays, instead I need to add the ‘ansible_ssh_user’ variable.

This is my first cygwin-related issue with ansible.

Regards:
Bence

On Saturday, May 30, 2015 at 3:10:21 UTC+2, Brian Coca wrote:

Hmmm… I cannot solve the issue, but now instead of using ssh agent I just set up my ~/.ssh/config correctly - and it is working fine

On Monday, June 1, 2015 at 9:51:05 UTC+2, Bence Takács wrote:
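Added example, not part of the thread and not any poster's own configuration: one way to combine the `remote_user` advice with per-user keys selected in `~/.ssh/config`, plus a check that the second play really runs as the limited user. The host name, user names and key paths come from the posts; the `Match` blocks, `IdentitiesOnly`, and the task bodies are assumptions made for illustration.

```yaml
# --- ~/.ssh/config on the control machine (assumed layout, shown as comments) ---
# Host ansible-sandbox.local
#     IdentitiesOnly yes              # offer only the key configured below
# Match host ansible-sandbox.local user root
#     IdentityFile ~/.ssh/site-root
# Match host ansible-sandbox.local user ci
#     IdentityFile ~/.ssh/site-ci
#
# --- inventory (assumed): no ansible_ssh_user here, because an inventory
# --- value overrides remote_user, as noted in the thread
# ansible-sandbox ansible_ssh_host=ansible-sandbox.local

- name: Preparation
  hosts: ansible-sandbox
  remote_user: root                   # privileged work is confined to this play
  tasks:
    - name: Ensure the limited account exists (hypothetical task)
      user:
        name: ci
        state: present

- name: Main play
  hosts: ansible-sandbox
  remote_user: ci                     # everything else runs as the limited user
  tasks:
    - name: Record which account this play is connected as
      command: whoami
      register: who
      changed_when: false

    - name: Stop if the play is still running as root
      assert:
        that:
          - who.stdout == "ci"
```

With the key choice kept in `~/.ssh/config`, the plays carry no `ansible_ssh_private_key_file` entries, and the `assert` task fails the run if the connection user was not switched.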