Windows become help

I am beginning to test Windows tasks with Ansible. I have created a new Credential type called WinRM and populated it with the following input config:

fields:
  - id: windows_username
    type: string
    label: Username
  - id: windows_password
    type: string
    label: Password
    secret: true
  - id: windows_domain
    type: string
    label: Domain
required:
  - windows_username
  - windows_password
  - windows_domain

Injector config:
env:
  WINDOWS_DOMAIN: '{{ windows_domain }}'
  WINDOWS_PASSWORD: '{{ windows_password }}'
  WINDOWS_USERNAME: '{{ windows_username }}'
extra_vars:
  ansible_windows_user: '{{ windows_username }}'
  ansible_windows_domain: '{{ windows_domain }}'
  ansible_windows_password: '{{ windows_password }}'

I am trying to install/deploy vcert as a test to a test Windows server.
Here is the task in my role:
---
- name: Check current user identity
  ansible.windows.win_whoami:
  register: current_user

- name: Display current user
  ansible.builtin.debug:
    msg: "Connected as {{ current_user.account.account_name }}"

- name: Create directory structure
  ansible.windows.win_file:
    path: C:\venafi
    state: directory

- name: Download vcert application
  ansible.windows.win_get_url:
    url: https://nexus.exmaple.com/repository/venafi/vcert_v5.10.0_windows.zip
    dest: C:\venafi\vcert_v5.10.0_windows.zip

- name: Unzip vcert application
  community.windows.win_unzip:
    src: C:\venafi\vcert_v5.10.0_windows.zip
    dest: C:\venafi\

- name: Rename vcert
  ansible.windows.win_file:
    path: 'C:\venafi\vcert.exe'
    dest: 'C:\venafi\vcert_v5.9.0_windows.exe'
    state: "hard"

- name: Create an application shortcut for an executable in PATH to your desktop
  community.windows.win_shortcut:
    src: 'C:\venafi\vcert_v5.9.0_windows.exe'
    dest: 'C:\venafi\vcert.exe'

It keeps failing with the following error:
task path: /runner/project/playbook.yml:2
fatal: [test01.example.com]: FAILED! => {
"msg": "No setting was provided for required configuration plugin_type: become plugin: runas setting: become_user "
}

I don’t understand why. I have tried adding the become statements in there for ansible, but those fail as well.

Why did you create a new credential type for this? If you’re using AAP or AWX, the “Machine” credential type is available for this use case.

Are you using Become in Play Level? If so, you have to set a become user; look at the run_as documentation for more information. Setting become_user is required.

@Fracture7144, if you haven’t already, I would take a look at the managing Windows with Ansible guide as it has a lot of info on setting up WinRM correctly, auth via Kerberos/NTLM/etc… and common issues.
Managing Windows hosts with Ansible — Ansible Community Documentation
Windows Remote Management — Ansible Community Documentation
A couple of gotchas that aren’t 100% obvious until you start working with it:

  • If you are using AAP/AWX, you will need to set up Kerberos within your container image so you can auth to the domain and configure the krb5.conf to point to your PDC
  • Your domain name generally needs to be in all caps if you are using Kerberos auth (i.e. admin@example.com will not work, needs to be admin@EXAMPLE.COM)
  • You will most likely need some additional extra vars (we apply at the inventory level) to indicate that you want to use WinRM instead of SSH for the connection and that the connection is Kerberos/Basic/NTLM/CredSSP
    ansible_connection: winrm
    ansible_winrm_transport: basic|certificate|kerberos|ntlm|credssp
    ansible_winrm_server_cert_validation: ignore  # Only use this if you have untrusted/self-signed certs for WinRM

Hi all,
Thanks for the quick response on this. I have moved over to a Machine credential and that works. However I am getting the following error:

task path: /runner/project/playbook.yml:2
fatal: [windows01.example.com]: FAILED! => {"msg": "No setting was provided for required configuration plugin_type: become plugin: runas setting: become_user "}

Do I need to set this in the playbook? Can it not be set as a variable in the task it is about to run?

You can also set it in the machine cred. There, select “become_method = run_as” and set the “become_user” variable.

You can also set this at the task level.

Personally, I would set those variables in the machine credentials and only set become: true at the task level where I need it.

The task level is where I would rather put them considering we want to use this for Windows, Linux, and networking.

No, this is play level

- name: Test
  hosts: all
  become: true # Play-level
  tasks:
    - name: Create a new User
      ansible.windows.win_user: 
        name: Bob
      become: true # Task-level
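
Added example, not taken from any post in this thread: a play that supplies the `runas` settings per task, so escalation applies only where it is needed and the same project can still target Linux and network hosts. The group name `windows`, the account `EXAMPLE\svc_deploy` and the variable `vault_svc_deploy_password` are assumptions made for illustration.

```yaml
# Added example (not from the thread). Assumed names: group "windows",
# account EXAMPLE\svc_deploy, variable vault_svc_deploy_password.
- name: Task-level runas on Windows hosts
  hosts: windows
  gather_facts: false
  vars:
    # Connection settings mentioned in the thread; usually kept in inventory.
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    # ansible_winrm_server_cert_validation is left at its default (validate).
  tasks:
    - name: Check identity of the connection account (no escalation)
      ansible.windows.win_whoami:
      register: current_user

    - name: Create directory structure as a named account
      ansible.windows.win_file:
        path: C:\venafi
        state: directory
      become: true
      become_method: runas              # become plugin used for Windows targets
      become_user: EXAMPLE\svc_deploy   # the setting the error reports as missing
      vars:
        # Keep the secret in a vault or credential, never inline in the play.
        ansible_become_password: "{{ vault_svc_deploy_password }}"

    - name: Check identity when escalated to SYSTEM
      ansible.windows.win_whoami:
      become: true
      become_method: runas
      become_user: SYSTEM               # built-in account, no password required
      register: system_user

    - name: Show both identities
      ansible.builtin.debug:
        msg:
          - "Connected as {{ current_user.account.account_name }}"
          - "Escalated as {{ system_user.account.account_name }}"
```

With `become: true` set only on the tasks that need it, a missing `become_user` fails that single task instead of every task in the play.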