Ansible: environment variables not exported when using sudo in shell command

Question

I am facing issues in exporting environment variables as part of the following Ansible task -

- name: Run custom shell script
  shell: "sudo bash custom_script.sh"
  register: output
  environment:
    ENV_VAR1: "secret-key"

During execution, the process is not able to find the ENV_VAR1.

Another way is to explicitly export the variable in the shell command, something like -

- name: Run custom shell script
  shell: "sudo su -c 'export ENV_VAR1=\"secret-key\"; bash custom_script.sh'"
  register: output

But, I not comfortable with this approach, and would like to make use of the environment functionality provided by Ansible.

Note: Please note, I will not be able to use become: true as well, and have to run the shell command through sudo.

Any help is appreciated. Thanks in advance.

Answer 1

To tell sudo to keep the environment, you can use --preserve-env to keep all the variables or --preserve-env=ENV_VAR1 to keep only the required ones.

P.S. There is much more on privilege escalation that just become: true so you might find a way to use it. Also, you're using shell instead of command which could also affect the behavior of your script. This answer has more details on that with links to the documentation.

Answer 2

I'd rather use "become: true" and "become_user: xxx" instead of "sudo" inside the command. Works fine.

  - name: Run custom command
    shell: "echo environment env1 $env1 user $USER"
    become: true
    become_user: oracle
    register: output

  - debug:
      msg: '{{ output.stdout }}'

  environment:
   env1: "secret-key"

Output:

"msg": "environment env1 secret-key user oracle"

Sorry, just missed your note you are not able to use "become". May I ask why not?