
I'm running Ansible through AWX (the open source version of Ansible Tower), and I keep running into an error where a user cannot use any of the become privilege escalation commands. Whenever the commands are run on AWX, it produces an error saying "Missing sudo password". I have confirmed that the user account does have access by running both sudo and su under that user account. Both of them work flawlessly when they are run manually.

Simply put, I am looking for a way to run sudo commands from an Ansible playbook, inside AWX. I have verified that the account I am using has the correct permissions.

While it is possible to directly edit the /etc/sudoers file to allow users to sudo without a password, that is not a solution that will work in this situation.

Ansible does have documentation on privilege escalation, but the correct options do not work through AWX. It replaces several of the command line flags and options with menu-based options, and a Google search did not reveal anyone else who had the same error message with AWX.

Note: This is not a duplicate of the following questions, since those questions all concern running Ansible from the command line, not running it from Ansible Tower or AWX. These questions also assume that editing the /etc/sudoers file will work in all cases.

I'm posting and immediately answering this question because it took me a little while to figure out the answer. Finding the documentation was far more difficult than it needed to be, and it was missing information, so I'm posting this question with the appropriate answer.

Alex Lowe
  • There are [many](https://stackoverflow.com/questions/40983674/ansible-non-root-sudo-user-and-become-privilege-escalation?rq=1) [similar](https://stackoverflow.com/questions/21870083/specify-sudo-password-for-ansible?rq=1) [questions](https://stackoverflow.com/questions/35172654/ansible-hangs-in-sudo-yum-install-step?noredirect=1&lq=1) concerning Ansible, and those questions have not been marked as off-topic. There are also tags for ansible-awx, and questions that have been asked and answered for AWX. Why is this question different enough to qualify as off-topic infrastructure administration? – Alex Lowe Aug 08 '18 at 13:19
  • Note: There are also [questions](https://stackoverflow.com/questions/46156070/setting-vault-password-in-ansible-tower) for the [ansible-tower] tag, and those questions have far more to do with managing servers. This question was asked while writing Ansible scripts; it is ultimately a question about script permissions, not networking or infrastructure. If it's strictly necessary, I can put in the Ansible playbook code here and re-tag the question, if that would make it more clear that this is a question about running Ansible playbooks. (See the second paragraph, where I summarize the issue.) – Alex Lowe Aug 08 '18 at 13:45

1 Answer


You need to configure your credentials correctly in AWX. In order to use AWX to run sudo commands in an Ansible playbook, you have to specify the "Privilege Escalation Method" and the "Privilege Escalation Password" fields. (The password field will only appear once you select the method.)

It is unnecessary to store credentials outside of AWX. While the Ansible documentation may refer you to using a vault, you don't need to worry about managing encrypted files in your playbooks. AWX can handle credentials securely.

Minor Notes:

  • Even though the Ansible documentation says it will automatically default to the ssh password, AWX required me to set the Privilege Escalation Password.
  • In my case, the ssh password was the same as the sudo password.
  • Using the "Prompt on Launch" option for both the ssh and sudo passwords results in an error, because you can only fill in the ssh field. I do not know what versions this bug appears in.

Alex Lowe
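
The checks described in the answer above, as an added example that is not part of the original post or of AWX itself: a small lint over the `inputs` of a Machine credential as exported from AWX. It assumes the Machine credential field names `password`, `become_method` and `become_password`, that "Prompt on Launch" fields are stored as `ASK`, and that secrets are shown as `$encrypted$`; the function name and the sample credentials are constructed for illustration.

```python
# Added example: lint the "inputs" of an AWX Machine credential for the
# become-related problems described in the answer above.
ASK = "ASK"  # assumed value AWX stores for a field marked "Prompt on Launch"


def check_become_inputs(inputs):
    """Return a list of findings for one Machine credential's inputs dict."""
    findings = []
    method = inputs.get("become_method", "")
    become_pw = inputs.get("become_password", "")
    ssh_pw = inputs.get("password", "")

    if not method:
        # The answer notes the password field only appears once a method is set.
        findings.append("no Privilege Escalation Method selected, so no "
                        "Privilege Escalation Password can be stored")
    elif not become_pw:
        # The answer reports AWX did not fall back to the SSH password.
        findings.append(f"become_method={method!r} but no Privilege Escalation "
                        "Password: expect 'Missing sudo password'")
    if ssh_pw == ASK and become_pw == ASK:
        findings.append("SSH and become passwords are both Prompt on Launch: "
                        "the answer reports only the SSH prompt can be filled")
    return findings


# Constructed sample credentials (not real data).
SAMPLES = {
    "ssh-only": {"username": "deploy", "password": "$encrypted$"},
    "method-no-password": {"username": "deploy", "password": "$encrypted$",
                           "become_method": "sudo"},
    "both-prompted": {"username": "deploy", "password": ASK,
                      "become_method": "sudo", "become_password": ASK},
    "configured": {"username": "deploy", "password": "$encrypted$",
                   "become_method": "sudo", "become_password": "$encrypted$"},
}

if __name__ == "__main__":
    for name, inputs in SAMPLES.items():
        problems = check_become_inputs(inputs)
        print(f"{name}: {'OK' if not problems else 'needs attention'}")
        for problem in problems:
            print(f"  - {problem}")
```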