I can help to address #2 at least for now.
    ---
    - hosts: localhost
      become: true
      become_user: root
      become_method: su
      tasks:
        - name: some play performed as root

    - hosts: localhost
      become: true
      become_user: user2
      become_method: su
      tasks:
        - name: some other play performed as user2

    - hosts: localhost
      become: false
      tasks:
        - name: some other play performed as user1
    ...
    ---
    - hosts: localhost
      become: true
      become_user: root
      become_method: su
      tasks:
        - name: some task as root
        - name: some task as user2
          command: su - user2 -c "/home/user2/somecommand.sh"
    ...
Ansible does not allow you to chain "Become" statements.
In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play.
    - hosts: localhost
      become: true
      tasks:
        - command: whoami
        - command: whoami
          become_user: email
        - command: whoami
          become: false
    TASK [command] *****************************************************************
    changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002095", "end": "2018-03-13 12:38:30.764121", "rc": 0, "start": "2018-03-13 12:38:30.762026", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}

    TASK [command] *****************************************************************
    changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.001929", "end": "2018-03-13 12:38:30.889973", "rc": 0, "start": "2018-03-13 12:38:30.888044", "stderr": "", "stderr_lines": [], "stdout": "email", "stdout_lines": ["email"]}

    TASK [command] *****************************************************************
    changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002009", "end": "2018-03-13 12:38:31.004561", "rc": 0, "start": "2018-03-13 12:38:31.002552", "stderr": "", "stderr_lines": [], "stdout": "ec2-user", "stdout_lines": ["ec2-user"]}
My follow-up question is... why? In your example you could just create the file as root, set the owner, group, and mode to reflect the user you want it to be.
Good catch. You're correct, it is possible, I was mistaken. Practically, is it possible to be able to provide multiple sets of credentials for your example? I've always done a workaround, such as I listed in the other comment, since I can pass my current logon (-k) username/password, and can pass 1 set of become credentials (-K), but not a 2nd or 3rd set of become credentials.
    - hosts: localhost
      become: true
      tasks:
        - command: whoami
          become_method: su
          become_user: flowerysong
          vars:
            ansible_become_pass: "{{ user_passwords.flowerysong }}"
        - command: whoami
    TASK [command] *****************************************************************
    changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002181", "end": "2018-03-13 15:15:47.586117", "rc": 0, "start": "2018-03-13 15:15:47.583936", "stderr": "", "stderr_lines": [], "stdout": "flowerysong", "stdout_lines": ["flowerysong"]}

    TASK [command] *****************************************************************
    changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002159", "end": "2018-03-13 15:15:47.717122", "rc": 0, "start": "2018-03-13 15:15:47.714963", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}
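
The per-task become password from the last reply, written out as a complete playbook with the passwords loaded from an ansible-vault encrypted file instead of being typed at a prompt. This is an added example, not part of the thread; the file name `vars/become_passwords.yml`, the account `user2` and the keys under `user_passwords` are assumed names.

```yaml
---
# Added example, not from the thread.
# Assumption: vars/become_passwords.yml has been encrypted with
#   ansible-vault encrypt vars/become_passwords.yml
# and, once decrypted, holds a mapping like this (placeholder values):
#   user_passwords:
#     root:  "<root password>"
#     user2: "<user2 password>"
- hosts: localhost
  become: true
  become_method: su
  vars_files:
    - vars/become_passwords.yml
  vars:
    # Play-level default: the password su asks for when becoming root.
    ansible_become_pass: "{{ user_passwords.root }}"
  tasks:
    - name: Runs as root with the play-level become settings
      command: whoami
      changed_when: false

    - name: Runs as user2 with that account's own su password
      command: whoami
      become_user: user2
      vars:
        # A task-level var overrides the play-level password for this task only.
        ansible_become_pass: "{{ user_passwords.user2 }}"
      changed_when: false

    - name: Runs as the connecting user, no privilege escalation
      command: whoami
      become: false
      changed_when: false
...
```

Run it with `ansible-playbook <playbook> --ask-vault-pass` so that only the vault password is entered interactively and the per-account passwords never appear in the playbook in clear text.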