
Ansible asks for the sudo password for the following code, which tries to create a new postgres user.

Error message:

fatal: [xxx.xxx.xxx.xxx] => Missing sudo password

main.yml

- name: 'Provision a PostgreSQL server'
  hosts: "dbservers"
  sudo: yes
  sudo_user: postgres
  roles:
    - postgres

create_db.yml

- name: Make sure the PostgreSQL users are present
  postgresql_user: name=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER
  sudo_user: postgres
  sudo: yes

The remote_user used to log in to this machine is a non-root user; it has no password and can only log in using key auth.

The postgres account doesn't have a password either, because the database was just installed.

Since I log in as a non-root user, of course it will ask for a password when switching to the postgres account in order to create the database user. But no password would be needed when switching to postgres from the root account. So I wonder if there is a way to switch to root, and then switch to user postgres.

Note: the root account has no public key, no password, and cannot login from SSH.

user469652

14 Answers


Try with the option -kK. It will prompt for the password.

$ ansible-playbook mail.yml -kK 
SSH password: 
BECOME password[defaults to SSH password]: 
  • -k, --ask-pass: ask for connection password
  • -K, --ask-become-pass: ask for privilege escalation password
nesinor

You can specify the sudo password when running the Ansible playbook:

ansible-playbook playbook.yml -i inventory.ini --extra-vars "ansible_sudo_pass=yourPassword"
Asier Gomez
  • It's not a good idea to put your sudo password on the command line. – jim smith Aug 19 '20 at 13:18
  • You can just set "become_ask_pass" to True in ansible.cfg, and the system will prompt for it. Or, if you want to fully automate it, use, for example, Ansible Vault to avoid this, saving the become password in an encrypted file; you just need to add --ask-vault-pass (or some other mechanism, such as saving the vault password itself in a hidden file in your home dir, with access permissions just for you)... – xCovelus Feb 18 '21 at 09:25

Add a file to the /etc/sudoers.d directory on the target machine called postgres with the following contents:

postgres ALL=(ALL) NOPASSWD:ALL

This ensures that the postgres user (provided you are using that as your sudo user) will not be asked for a password when it attempts sudo commands.

If you are using a different user to connect to the target machine, then you'll have to amend the above to give the NOPASSWD permission to that user instead.

See here for further details.

ManoDestra
  • In my scenario, adding the user in sudoers did not work either; it still asks me for the password, which I guess is weird. I'm using: ansible 2.9.6 config file = /etc/ansible/ansible.cfg configured module search path = ['/home/myuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3/dist-packages/ansible executable location = /usr/bin/ansible python version = 3.8.2 (default, Jul 16 2020, 14:00:26) [GCC 9.3.0] – Vader Aug 24 '20 at 20:30
  • I think there are more (and more secure) ways than adding NOPASSWD (which might be against some organizations' security policies): you can just set "become_ask_pass" to True in ansible.cfg, and the system will prompt for it. Or, if you want to fully automate it, use, for example, Ansible Vault to avoid this, saving the become password in an encrypted file; you just need to add --ask-vault-pass, or some other mechanism, such as saving the vault password itself in a hidden file in your home dir, with access permissions just for the Ansible become user... – xCovelus Feb 18 '21 at 09:30

In my case, I added the information to the server group's group variables.

So in /etc/ansible/group_vars/{servergroup}/vars

I added

ansible_become: yes 
ansible_become_method: sudo
ansible_become_pass: "{{ vault_ansible_password }}"

This article helped me work out the answer: https://www.cyberciti.biz/faq/how-to-set-and-use-sudo-password-for-ansible-vault/

TryHarder

You would need to modify the /etc/sudoers file (or use the visudo command) to allow the user with which you connect to the remote server to switch to another user without a password prompt.

Mxx
  • I was using the supervisorctl module, and my `/etc/sudoers` file was configured to allow me to run `sudo supervisorctl` without a password. The way Ansible executes it, that isn't enough: you need to be able to change users. My workaround was to run `command: sudo supervisorctl ...` directly without any module support. – amjoconn Sep 10 '14 at 19:54
  • I think there are more (and more secure) ways: you can just set "become_ask_pass" to True in ansible.cfg, and the system will prompt for it. Or, if you want to fully automate it, use, for example, Ansible Vault to avoid this, saving the become password in an encrypted file; you just need to add --ask-vault-pass, or some other mechanism, such as saving the vault password itself in a hidden file in your home dir, with access permissions just for the Ansible become user... – xCovelus Feb 18 '21 at 09:25

If all of the above solutions did not work for you, which was my case: my problem was that my ansible_user did not have all the permissions, since I don't like to allow root to connect over SSH.

My tester user did not have all the sudo permissions needed to perform some operations. Initial tester user permission:

tester ALL= NOPASSWD:ALL     # bad

changed to :

tester ALL=(ALL:ALL) NOPASSWD:ALL    # good

The meaning of these additional fields is: the first “ALL” indicates that the user can run commands as all users; the second “ALL” indicates that the user can run commands as all groups.

Initially I wanted to restrict permissions for maintainers, but it is mandatory that the ansible_user can run commands as all users in order to use become_user in Ansible.

gxmad

Add this to your /etc/sudoers file

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
username-u-want-to-allow        ALL=(ALL)       NOPASSWD: ALL
tmac

In my case, my user did not have sudo permission on the managed node. By default Ansible was setting become_method: sudo; I found this out by specifying -vvvv and looking at the logs.

...
remote_user: username
become_method: sudo
inventory: (u'/etc/ansible/hosts',)
...

ansible-playbook -u -b ansible-script.yml -vvvv

To get around the problem, I specify "become: no" in the Ansible script. For example:

- name: Ensure the httpd service is running
  service:
    name: httpd
    state: started
  become: no

On your remote server (client server or target server, whatever you call it), as the root user run this command:

visudo

Press Enter. Under

User privilege specification

add

<your-name on (client-server)> ALL=(ALL) NOPASSWD: ALL

and save the file. Now from your controller server (workstation or Ansible server, whatever you call it), run your command:

ssh <your-user on (client-server)>@ipaddress

SUCCESS


You don't need to specify the sudo_user if the ssh_user that you use to make the connection belongs to the sudoers group; you only have to provide the sudo_pass.

Robert

This will happen from Ansible Tower UI if you select the 'Enable Privilege Escalation' option. You might need to supply the password twice in Ansible Tower.

skjagini

My solution / workaround for the error message: fatal: [node]: FAILED! => {"msg": "Missing sudo password"}

For me, although the user already existed in the sudoers file on the remote host to perform commands without a password, I still got this message. What I did was to enter the following in the main YAML playbook:

---

- hosts: [your targeted inventory list of hosts]
  become_user: [your remote privileged user]
  become: true
  roles:
  - [your playbook role]

Also in /etc/ansible/ansible.cfg I enabled, commented out or changed the following:

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

[defaults]
remote_tmp = /tmp/ansible-$USER
host_key_checking = False
sudo_user      = [your remote privileged user]
ask_sudo_pass = False
ask_pass      = False

The entry remote_tmp = /tmp/ansible-$USER was to avoid messages like:

OSError: [Errno 13] Permission denied: '/etc/.ansible_tmpLyoZOOyum.conf'
fatal: [node]: FAILED! => {"changed": false, "msg": "The destination directory (/etc) is not writable by the current user. Error was: [Errno 13] Permission denied: '/etc/.ansible_tmpLyoZOOyum.conf'"}
surilin3

In my case I solved it by adding the command /bin/sh to the line in /etc/sudoers that allows executing commands without a password.

This was the error shown:

BECOME password: 
debian | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to debian9 closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

Only add this:

user    ALL= NOPASSWD: /usr/bin/id, /usr/bin/whoami, /bin/sh

For testing purposes I also added id and whoami.

β.εηοιτ.βε
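Added example, not code from the question or from any of the answers: a small Python checker for the sudoers semantics that several answers rely on, namely the RunAs field (`ALL= NOPASSWD:ALL` versus `ALL=(ALL:ALL) NOPASSWD:ALL`, as in gxmad's answer) and a NOPASSWD command list that contains /bin/sh (as in the answer just above). It models Ansible's sudo become as running /bin/sh as the target user. The connecting user "deploy", the host "db1" and the sudoers fragments are constructed for the example.

```python
"""Sudoers user-specification checker for the "Missing sudo password" cases above.

Handles this subset of sudoers syntax (no aliases, Defaults, '!' negation or
command arguments):
    User_List Host_List = [(Runas_Users[:Runas_Groups])] [TAG:]... Cmnd_List
"""
import re
from dataclasses import dataclass

# sudo's runas_default: a rule with no "(...)" part may only run commands as root.
RUNAS_DEFAULT = "root"
# Programs that give the caller a shell; a NOPASSWD rule listing one of them
# restricts nothing, since any command can be run through the shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"   # optional (user:group) runas list
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"      # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"
)


@dataclass
class Rule:
    users: list
    hosts: list
    runas_users: list
    runas_groups: list
    nopasswd: bool
    commands: list


def _split(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        runas_users, runas_groups = [RUNAS_DEFAULT], []
        if m.group("runas") is not None:
            users_part, _, groups_part = m.group("runas").partition(":")
            runas_users = _split(users_part) or [RUNAS_DEFAULT]
            runas_groups = _split(groups_part)
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append(Rule(
            users=_split(m.group("users")),
            hosts=_split(m.group("hosts")),
            runas_users=runas_users,
            runas_groups=runas_groups,
            nopasswd="NOPASSWD" in tags,
            commands=[c.split()[0] for c in _split(m.group("cmds"))],  # path only
        ))
    return rules


def _matches(entries, value, groups=()):
    """ALL matches anything; %name matches one of the caller's groups."""
    return any(e == "ALL" or e == value or (e.startswith("%") and e[1:] in groups)
               for e in entries)


def can_become_without_password(rules, invoking_user, target_user, command,
                                host="db1", groups=()):
    """True if invoking_user may run command as target_user with NOPASSWD.

    Ansible's sudo become runs the module through the remote shell, so the
    command to check is normally /bin/sh. As in sudo, the last match wins.
    """
    allowed = False
    for r in rules:
        if not (_matches(r.users, invoking_user, groups) and _matches(r.hosts, host)):
            continue
        if not _matches(r.runas_users, target_user):
            continue  # e.g. runas omitted: only root is permitted
        if "ALL" in r.commands or command in r.commands:
            allowed = r.nopasswd
    return allowed


def grants_shell_without_password(rules, invoking_user, host="db1", groups=()):
    """True if a NOPASSWD rule for the user lists ALL or a shell program."""
    return any(_matches(r.users, invoking_user, groups) and _matches(r.hosts, host)
               and r.nopasswd and ("ALL" in r.commands or SHELLS & set(r.commands))
               for r in rules)


# Constructed sudoers fragments (user "deploy" and host "db1" are made up).
SUDOERS_DEFAULT_RUNAS = "deploy ALL= NOPASSWD:ALL    # no (runas) part: root only\n"
SUDOERS_ANY_RUNAS = "deploy ALL=(ALL:ALL) NOPASSWD:ALL\n"
SUDOERS_WHEEL = "%wheel ALL=(ALL) ALL    # any runas user, but a password is required\n"
SUDOERS_CMD_LIST = "deploy ALL= NOPASSWD: /usr/bin/id, /usr/bin/whoami, /bin/sh\n"

if __name__ == "__main__":
    for label, text in [("runas omitted", SUDOERS_DEFAULT_RUNAS), ("(ALL:ALL)", SUDOERS_ANY_RUNAS),
                        ("%wheel", SUDOERS_WHEEL), ("command list", SUDOERS_CMD_LIST)]:
        rules, grp = parse_sudoers(text), ("wheel",)
        print(label, "postgres:", can_become_without_password(rules, "deploy", "postgres", "/bin/sh", groups=grp),
              "root:", can_become_without_password(rules, "deploy", "root", "/bin/sh", groups=grp),
              "shell:", grants_shell_without_password(rules, "deploy", groups=grp))
```

Running it shows that `deploy ALL= NOPASSWD:ALL` lets deploy become root but not postgres, which is the situation in the question, while `(ALL:ALL)` allows both; the `%wheel` rule without NOPASSWD matches but still requires a password. The last check also shows that a NOPASSWD command list containing /bin/sh is equivalent to ALL, so the restriction in the answer above only appears narrower than NOPASSWD:ALL.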

In my case, even though the password was correct, I was getting this error because the playbook had "connection: local" specified. The playbook had the connection type set to local because all commands were supposed to be run on localhost. After adding a new task that required delegation to a remote host, the connection method was still set to local, which resulted in the Missing sudo password error. The error was fixed by removing "connection: local" from the playbook.

Umesh