Ok, I've got a working solution after some trial and error. Here it is for reference ...
Role vars, where sysipf1_pwd is stored in a vault:
---
# file: roles/java/vars/main.yml
ansible_become_pass: "{{ sysipf1_pwd }}"
java_directory: "{{ ipf_soft_dir }}/java"
java_archive: server-jre-8u45-linux-x64.tar.gz
java_path: "{{ java_directory }}/jdk1.8.0_45/bin"
java_home: "{{ java_path }}/java"
The play:
---
# This is the playbook to install java.
- hosts: ansible
  become: yes
  become_method: su
  become_user: "{{ sysipf1_user}}"
  roles:
    - java
What still confuses me is why it doesn't work to put the become-directives entirely in the vars file:
---
# file: roles/java/vars/main.yml
ansible_become: True
ansible_become_method: su
ansible_become_user: "{{ sysipf1_user}}"
ansible_become_pass: "{{ sysipf1_pwd }}"
java_directory: "{{ ipf_soft_dir }}/java"
java_archive: server-jre-8u45-linux-x64.tar.gz
java_path: "{{ java_directory }}/jdk1.8.0_45/bin"
java_home: "{{ java_path }}/java"
And the play without any reference to become directives:
---
# This is the playbook to install java.
- hosts: ansible
  roles:
    - java
This leads to an error:
fatal: [my_server_name] => ssh connection closed waiting for a privilege escalation password prompt
Cheers,
Jan