Switching user in playbook

697 views
Skip to first unread message

Bence Takács

unread,
May 29, 2015, 10:00:07 AM5/29/15
to ansible...@googlegroups.com
I need to switch users in a playbook: first I need to do some tasks as a root user then I need to change to a limited user and do the rest with that.

My playbook looks like this:
- name: Preparation
  vars:
    - ansible_ssh_user: root
    - ansible_ssh_private_key_file: ~/.ssh/site-root
  ...
   
- name: Main play
  vars:
    - ansible_ssh_user: ci
    - ansible_ssh_private_key_file: ~/.ssh/site-ci
  ...

This works but I feel that nasty (poor design):
- redundant configuration (in hosts and 2 plays)
- need to switch and then switch back

What is the Best practice to achieve that?

Brian Coca

unread,
May 29, 2015, 11:56:28 AM5/29/15
to ansible...@googlegroups.com
the remote_user: directive can be used at play and task level to
change this, no need to use vars: unless your hosts have those set in
inventory (which overrides remote_user).
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/f7a68ea4-c6a6-43e6-b415-f6d367cdb199%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Brian Coca

Bence Takács

unread,
May 29, 2015, 12:15:19 PM5/29/15
to ansible...@googlegroups.com
Thanks for the tip, but how can I set the credentials for alternative user?

Now I have only one user set in hosts file:

ansible-sandbox ansible_ssh_host=ansible-sandbox.local ansible_ssh_user=ci ansible_ssh_private_key_file=~/.ssh/ci

Bence Takács

unread,
May 29, 2015, 12:37:33 PM5/29/15
to ansible...@googlegroups.com
One question and one issue:

1. question (above):
How can I set the credentials for alternative user?

2. issue:
playbook:
- name: Preparation
  remote_user: root
  vars:
    - ansible_ssh_private_key_file: ~/.ssh/site-root
  ...
   
- name: Main play
  remote_user: ci
  ...
Does not work: 'Main play' will be executed as root user

If I put the following at the end:
    - ansible_ssh_private_key_file: ~/.ssh/site-ci

...then I get the following error:
SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

So root user is stucked somehow... and one cannot authenticate root with ci's key.

Regards:
   Bence

Brian Coca

unread,
May 29, 2015, 1:27:33 PM5/29/15
to ansible...@googlegroups.com
what version of ansible? os? python?

switching users seems to be working fine for me.
> https://groups.google.com/d/msgid/ansible-project/ad7e0252-a2ed-49f5-9ea9-e026956e5c0c%40googlegroups.com.

Bence Takács

unread,
May 29, 2015, 1:43:27 PM5/29/15
to ansible...@googlegroups.com

... but where do you store the alternative user's credentials?

You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/Uu-0BEZwcCI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8nHEKsGG_y2ZZpt4OsYQPfDNn5kASz4aE9O4xV0aQKC2A%40mail.gmail.com.

Brian Coca

unread,
May 29, 2015, 2:40:56 PM5/29/15
to ansible...@googlegroups.com
i use an ssh agent
> https://groups.google.com/d/msgid/ansible-project/CAMQOM8TY7gS7Y1ve3ZqY3zYe8PPO91z6aPM4y-KDfkzPtGyPGw%40mail.gmail.com.

Bence Takács

unread,
May 29, 2015, 9:08:57 PM5/29/15
to ansible...@googlegroups.com

Well, actually it's Windows with babun (cygwin) and python 2.7.x
Do you think this is because of the OS?

SSH agent? Is hat work for private keys too? Or just for passwords? I suspects that more than the OS

Regards:
   Bence

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8%3DPXAOGZzL8HXqpNdyn6zncCQbEqs1tfED3z2s7%2B4eMJA%40mail.gmail.com.

Brian Coca

unread,
May 29, 2015, 9:10:21 PM5/29/15
to ansible...@googlegroups.com
Probably a combination of issues, there is some success running
ansible on cygwin but also many problems, this is not a supported
platform
> https://groups.google.com/d/msgid/ansible-project/CAMQOM8RYHTgt2f2GYbyyfC6QyoMya0J%2BgQQuH0y0buWeSXGQFQ%40mail.gmail.com.

Bence Takács

unread,
Jun 1, 2015, 3:51:05 AM6/1/15
to ansible...@googlegroups.com
Thanks, Brian

With ssh-agent I reduced my 'hosts' file radically, and removed the 'ansible_ssh_private_key_file' declarations from the plays.

But I still cannot use the 'remote_user' in plays, instead I need to add the 'ansible_ssh_user' variable.

This is my first cygwin-related issue with ansible.

Regards:
   Bence

Bence Takács

unread,
Jun 1, 2015, 5:07:39 AM6/1/15
to ansible...@googlegroups.com
Hmmm... I cannot solve the issue, but now instead of using ssh agent I just set up my ~/.ssh/config correctly - and workining fine
Reply all
Reply to author
Forward
0 new messages