How should I use sudo_user and sudo together when logging in as a non-root user and switching to another user?


Chris Adams

Feb 9, 2015, 10:24:16 AM
to ansible...@googlegroups.com
Hi there, 

Can someone give me some pointers as to why an Ansible role using sudo_user (below) would complain about missing sudo passwords, when I'm able to: 

  1. ssh in as one non-root user (in this case, chris)
  2. use `sudo su deploy_user` to switch to that deploy user
  3. call `sudo ls` to run a command with sudo, without needing to provide a password

I'm using Ansible 1.8.2 and deploying to an Ubuntu machine on Google Cloud Platform; below are the relevant tasks I'm trying to run as well as my sudoers file.

If I want to log in with one non-root user, then run other commands as a deploy user, how else should I be doing this?

The best workaround I can think of at present is to execute the tasks as a login user, but make sure I set the owner and group as extra parameters for `file` or `template` tasks.

Many thanks,

Chris


tasks.yml
```
- name: put envdirs directory in place
  # ~ is expanded on the target while running as the sudo_user, i.e. in
  # deploy_user's home; the leading zero keeps the mode octal, not decimal
  file: >
    path=~/path/to/envdir/
    state=directory
    mode=0775
  sudo: yes
  sudo_user: "{{ deploy_user }}"
  tags:
    - debug

- name: drop envdir vars in directory
  # these files carry credentials, so don't leave them at the default umask
  template: >
    src=envdir_var.j2
    dest=~/path/to/envdir/{{ item.env_var }}
    mode=0600
  with_items:
    - { env_var: AWS_ACCESS_KEY_ID, env_val: "{{ aws_access_key }}" }
    - { env_var: AWS_SECRET_ACCESS_KEY, env_val: "{{ aws_secret_key }}" }
    - { env_var: AWS_DEFAULT_REGION, env_val: "{{ aws_region }}" }
    - { env_var: PGUSER, env_val: "{{ app }}" }
    - { env_var: PGPASSWORD, env_val: "{{ app }}" }
  sudo: yes
  sudo_user: "{{ deploy_user }}"
```

sudoers

```
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
chris ALL=NOPASSWD: ALL

# this gives more access than I'd like to deploy_user, but ansible is
# still bitching about the deploy_user not having a sudo password
deploy_user ALL=NOPASSWD: ALL
```


James Cammarata

Feb 9, 2015, 11:08:10 PM
to ansible...@googlegroups.com
Hi Chris, are you specifying the remote_user value, or does the current user running Ansible on the controller match the remote user on the target system?

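What the posted sudoers grants once Ansible translates `sudo_user` into `sudo -u deploy_user ...`, as an added worked example that is not from the thread or from the sudo project: a simplified Python model of sudoers matching, run against a constructed copy of Chris's rules. Two sudoers(5) behaviours drive the result. A rule with no `(runas)` part applies only to the default runas user, root, so `chris ALL=NOPASSWD: ALL` covers `sudo ls` and `sudo su deploy_user` but not `sudo -u deploy_user`. And when several rules match, the last one wins, so for a member of group sudo the `%sudo ALL=(ALL:ALL) ALL` line (password required) is what applies to `-u deploy_user` unless a later NOPASSWD rule also names that runas target. Whether this is what bites Chris depends on his group memberships and on the remote_user question James raises, neither of which the thread settles, so group membership is a parameter here. Hostnames, command paths, aliases, Runas groups and `#includedir` are ignored (an assumption of the model).

```python
"""Toy model of how sudoers selects a rule for `sudo -u <runas> <cmd>`.

Added illustration, not code from the thread or from the sudo project.
Assumptions/simplifications: hostnames, command paths, aliases, Runas
groups and #includedir are ignored. The three behaviours that matter here
follow sudoers(5): a rule without a "(runas)" part covers only the default
runas user (root); when several rules match, the last one wins; and the
NOPASSWD tag counts only when it sits on that winning rule.
"""
import re
from dataclasses import dataclass

# user  host=(runas_users[:runas_groups]) [TAG:...] command
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)

# Constructed copy of the sudoers posted above, comments dropped.
POSTED_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
chris ALL=NOPASSWD: ALL
deploy_user ALL=NOPASSWD: ALL
"""

# Same file plus one rule that names deploy_user as an allowed runas target
# for chris. It is placed after the %sudo line on purpose: last match wins.
FIXED_SUDOERS = POSTED_SUDOERS + "chris ALL=(deploy_user) NOPASSWD: ALL\n"


@dataclass(frozen=True)
class Rule:
    who: str                 # "chris", or "%sudo" for a group
    runas_users: frozenset   # accounts the command may run as
    nopasswd: bool
    cmd: str


def parse_sudoers(text):
    """Parse User_Spec lines into Rule objects (Defaults and comments skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        runas = m.group("runas")
        if runas is None:
            users = frozenset({"root"})  # no Runas_Spec -> runas_default
        else:
            users = frozenset(u.strip() for u in runas.split(":")[0].split(","))
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append(Rule(m.group("who"), users, "NOPASSWD" in tags, m.group("cmd").strip()))
    return rules


def evaluate(rules, user, groups, runas="root", cmd="ALL"):
    """Return (allowed, prompts_for_password) for `sudo -u runas cmd` run by user.

    sudo authenticates before it reports "not allowed", so a denied request
    still presents a password prompt; Ansible, which feeds sudo the password
    over stdin, sees a prompt it cannot answer in both the denied and the
    password-required case.
    """
    winner = None
    for r in rules:
        subject_ok = r.who == user or (r.who.startswith("%") and r.who[1:] in groups)
        runas_ok = "ALL" in r.runas_users or runas in r.runas_users
        cmd_ok = r.cmd == "ALL" or r.cmd == cmd
        if subject_ok and runas_ok and cmd_ok:
            winner = r  # keep going: the last matching rule is the one applied
    if winner is None:
        return (False, True)
    return (True, not winner.nopasswd)


def ansible_sudo_user(sudoers_text, remote_user, groups, sudo_user):
    """`sudo: yes` + `sudo_user: X` makes Ansible run `sudo -u X ...` as remote_user."""
    return evaluate(parse_sudoers(sudoers_text), remote_user, groups, runas=sudo_user)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SUDOERS), ("fixed", FIXED_SUDOERS)):
        for groups in (set(), {"sudo"}):
            print(label, sorted(groups), "chris -> deploy_user:",
                  ansible_sudo_user(text, "chris", groups, "deploy_user"))
```

On a real host the same question is answered by `sudo -l -U chris` (run as root), which lists the rules that apply to chris including their runas targets, and by running `sudo -n -u deploy_user true` as chris, which exits non-zero instead of prompting whenever a password would be needed.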
