It seems that the ansible lookup plugin does not adhere to privilege escalation and it is not clear to me if this is by design.
I have looked for an answer to this, but though I have found many similar questions, I haven't yet seen one which seems to answer why the following playbook behaves like it does.
---
- hosts: localhost
  become: 1
  tasks:
    - name: cat file
      command: cat /home/bob/.ssh/id_rsa.pub
      register: cat
    - debug:
        msg: |
          dog: {{ cat.stdout }}
    - name: add the variable
      set_fact:
        rsa_key: "{{ lookup('file', '/home/bob/.ssh/id_rsa.pub') }}"
      delegate_to: localhost
The result of running this play is that the command module "works" while the lookup module does not:
PLAY [localhost] *************************************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************************************************
ok: [localhost]
TASK [cat file] **************************************************************************************************************************************************************************************************************************************************************
changed: [localhost]
TASK [debug] *****************************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
"msg": "dog: ssh-rsa [key material elided] ansible-generated on rh1.local.home\n"
}
TASK [add the variable] ******************************************************************************************************************************************************************************************************************************************************
[WARNING]: Unable to find '/home/bob/.ssh/id_rsa.pub' in expected paths (use -vvvvv to see paths)
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/bob/.ssh/id_rsa.pub"}
PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************
localhost : ok=3 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
I'm running this as a user which is NOT "bob", and with become_user = root and become_method = sudo. Any ideas, or a confirmation that the lookup plugin indeed ignores privilege escalation statements, would be appreciated.
Looking into the actual code and comments to be found for the standard plugins for Ansible, I found this:
Inside the password plugin. Hence, lookup plugins indeed ignore "become" escalation directives, and hence this behavior is "by design", though I find it rather counter-intuitive and not well documented, and dislike it since it forces me to write ugly code to get around it ;-).
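The behaviour seen in the question and confirmed in the answer follows from where the two pieces of code run: `lookup('file', ...)` is evaluated by the Jinja templating engine on the control node, in the context of the user running `ansible-playbook`, so neither `become` nor `delegate_to` applies to it, and a file that user cannot read ends up as "could not locate file in lookup". A module such as `ansible.builtin.slurp`, by contrast, is executed on the target host under the task's privilege escalation, exactly like the `command` task that "works". The playbook below is an added example, not part of the original question or answer and not Ansible project code; it assumes the same host, user and path as the question and that `become_user = root` / `become_method = sudo` are configured as described there.

```yaml
---
# Added example: read a file that only root can reach without falling back
# to shelling out through `command`. `slurp` runs on the target with the
# task's `become` settings, which is what `lookup('file', ...)` does not do.
- hosts: localhost
  become: true
  tasks:
    - name: read the key file on the target, under privilege escalation
      ansible.builtin.slurp:
        src: /home/bob/.ssh/id_rsa.pub   # same path as in the question
      register: key_file

    - name: store the decoded content as a fact
      ansible.builtin.set_fact:
        # slurp returns the file base64-encoded in `content`
        rsa_key: "{{ key_file.content | b64decode | trim }}"
      # keep the value out of the play output; drop this only for
      # genuinely public data
      no_log: true

    - name: show only enough to confirm the fact was populated
      ansible.builtin.debug:
        msg: "rsa_key begins with '{{ rsa_key[:7] }}' and has {{ rsa_key | length }} characters"

    # For comparison, this task still runs the lookup on the control node as
    # the invoking user and therefore fails with the same error as in the
    # question whenever that user cannot read /home/bob. It is here to make
    # the distinction visible; remove it in a real play.
    - name: lookup runs on the controller and ignores become (expected to fail)
      ansible.builtin.set_fact:
        rsa_key_via_lookup: "{{ lookup('file', '/home/bob/.ssh/id_rsa.pub') }}"
      ignore_errors: true
```

Running this with the same invocation as the question, the `slurp` task reads the file as root while the final `set_fact` reproduces the "could not locate file in lookup" failure, which is the quickest way to verify locally that the limitation is in the lookup mechanism rather than in the `become` configuration. The same split applies to every lookup (`file`, `password`, `pipe`, `env`): anything that must run with escalated rights on a host has to be a module task, not a template expression.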