"Missing sudo password" error with Ansible Error

Question

This is my simple playbook,

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

When I try to use this using user1 I get correct the expected output as user1.

However, my requirement is to run the shell command using a root user. something like sudo whoami. So I modified the playbook like this.

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       become: true
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

However, I keep getting following error,

fatal: [xxxxxxxxx]: FAILED! => {
    "msg": "Missing sudo password"
}

Can anybody please help understand what I am missing here?

To allow the user1 to run this as sudo root, I have added following entry in the sudoers file.

user1 ALL=(ALL:ALL) /usr/bin/whoami

Also, to avoid the providing user1 password, I added following entry to the local ansible.cfg

[privilege_escalation]
become_ask_pass=False

Still getting the same error mentioned above.

Answer 1

user1 ALL=(ALL) NOPASSWD: ALL works fine. But our security team is not agreeing to this.

An example playbook

---
- hosts: test
  become: true
  gather_facts: false

  tasks:

  - name: Execute
    shell:
      cmd: "id"
    register: output

  - debug:
      var: output

with an output of

TASK [debug] ************************************************
ok: [test.example.com] =>
  output:
    changed: true
    cmd: id
    delta: '0:00:00.014084'
    end: '2024-01-09 10:55:00.340407'
    failed: false
    msg: ''
    rc: 0
    start: '2024-01-09 10:55:00.326323'
    stderr: ''
    stderr_lines: []
    stdout: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    stdout_lines:
    - uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

shows with sudo tail -F /var/log/secure on the Remote Node

Jan  9 10:55:00 test.example.com sshd[32004]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=ansible_user
Jan  9 10:55:00 test.example.com sshd[32004]: Accepted password for ansible_user from 192.0.2.1 port 48984 ssh2
Jan  9 10:55:00 test.example.com sshd[32004]: pam_unix(sshd:session): session opened for user ansible_user by (uid=0)
Jan  9 10:55:00 test.example.com sudo: ansible_user : TTY=pts/6 ; PWD=/home/ansible_user ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py
Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session opened for user root by ansible_user(uid=0)
Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session closed for user root

To Summarize

How to decide what all commands I need to add explicitly?

The command executed in the example was

/bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py

Therefore you could try to add in sudoers file a line at the end, like in tail -1 /etc/sudoers

#includedir /etc/sudoers.d

and under /ect/sudoers.d a file /etc/sudoers.d/ansible

ansible_user    ALL=(ALL)    NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python *

for Ansible Modules written in Python.

Further Reading

• Multiple argument wildcard matches for sudoers file?
• Ansible module architecture - Ansiballz framework