How to skip the sudo password in Ansible Playbooks

Skipping the sudo password prompt when running Ansible playbooks that use the become keyword can be convenient, especially in automated or repetitive tasks. However, it’s important to exercise caution when doing so, as it may compromise security if not handled properly. Here’s a step-by-step tutorial on how to achieve this.

An Ansible playbook often contains the become keyword, which lets Ansible become root to execute the play's tasks:

- name: "verify"
  hosts: "{{ hosts_group_name | default('localhost') }}"
  become: yes

When you execute such a playbook, Ansible will prompt for the sudo password, which you need to provide on each execution. Let’s see how we can skip it.

Option 1: Provide the password through the ansible_become_pass variable

This is not the best option in terms of security, because the password ends up in your command history and in the process list. However, if you are experimenting in a safe environment, the simplest option is to pass the password through the ansible_become_pass variable. Assuming that the password is admin, you can run the playbook as follows:

ansible-playbook playbook.yml -e "ansible_become_pass=admin"

Option 2: Provide a password file

This solution is a bit more secure, as the password will not be displayed in your process list or command history. You can use the --become-password-file option to point to a file that contains your password. Keep that file readable only by your own user:

ansible-playbook verify.yml --become-password-file=/home/francesco/ansible-learn/passwd

Option 3: Modify your sudoers configuration

Since you are using sudo as part of the execution, another possibility is to specify in the sudoers file that your user does not need a password:

sudo visudo

Then add a rule for the user that executes the playbooks:

ansible ALL=(ALL) NOPASSWD:ALL

Note:

  • Security Implications: Be cautious when configuring sudoers to allow passwordless sudo. It’s recommended only for specific, controlled environments and user accounts. Avoid using it on multi-user systems or in scenarios where security is a concern.
  • Alternative Options: If you don’t want to modify the sudoers file, you can also use the --ask-become-pass option with ansible-playbook to manually provide the sudo password when running the playbook.
  • Ansible Vault: If security is a concern and you need to handle sensitive data, consider using Ansible Vault to encrypt sensitive variables, rather than relying solely on sudo password configuration.
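
To keep track of where passwordless sudo has been granted, the following script (an added example, not part of the original article) scans sudoers files for rules like the one in Option 3. The function names and the sample sudoers content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit sudoers files for rules that
# grant passwordless sudo on ALL commands, like the Option 3 entry.
# Limits: line continuations, aliases and multiple host specs are not expanded.

# Print "file:line:who" for each rule where ALL falls under a NOPASSWD tag.
find_blanket_nopasswd() {
    awk '
        /^[ \t]*#/ { next }                       # skip commented-out rules
        {
            i = index($0, "NOPASSWD:")
            if (i == 0) next
            # Walk the comma-separated command list that follows the tag.
            n = split(substr($0, i + 9), cmds, ",")
            for (k = 1; k <= n; k++) {
                c = cmds[k]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c ~ /^PASSWD:/) break         # password required again from here on
                sub(/^([A-Z_]+:[ \t]*)+/, "", c)  # drop stacked tags such as SETENV:
                if (c == "ALL") { printf "%s:%d:%s\n", FILENAME, FNR, $1; break }
            }
        }
    ' "$@"
}

# Constructed sample sudoers content for the demo; not taken from a real host.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# old rule, disabled: bob ALL=(ALL) NOPASSWD:ALL
Defaults env_reset
ansible ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: SETENV: ALL
carol   ALL=(ALL) NOPASSWD: /usr/bin/id, PASSWD: ALL
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
find_blanket_nopasswd "$sample"   # reports line 3 (ansible) and line 6 (%wheel)
rm -f "$sample"
```

On a real host, run the function as root against /etc/sudoers and the files under /etc/sudoers.d, and confirm that every reported entry belongs to an account meant for automation.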