Nathan

Reputation: 7709

ansible user current user in configuration

I am using ansible to configure several computers after installation.

For this I run ansible locally on the machines. The "main" user on the installation often has a different name. I want to use that user for variables like become_user. The "main" user is also the user who calls ansible-playbook.

So can I somehow set "become_user" to the user who called ansible-playbook?

Upvotes: 4

Views: 13828

Answers (4)

A K

Reputation: 764

You can log on locally on the control host as 'nathan', but want to connect to other servers as user 'ansible' (better in ansible.cfg):

remote_user = ansible

If you want to connect to the remote host as 'ansible' and perform one task as root or apache (that is, sudo to root, apache or another user), you should use become_user for this particular task.

Please also note that the remote server may NOT have the same user as the control host! (In general.)

In your particular case, if you log on locally as 'nathan' and want to connect to the 'remote' server as 'nathan', you should omit both remote_user and become_user: just log on with your current credentials!

For example, there are two sysadmins in the organization: nathan and peter. So there are two workstations (heidelberg-nathan and berlin-peter) as ansible control hosts and thousands of clients. Both nathan and peter connect to the remote side as nathan or peter and perform tasks. Each of them can be a passwordless sudoer to perform admin tasks.

PS OK, let's test both solutions (the first from Konstantin Suvorov's answer, the second from knowhy's answer).

My control host is berlin-ansible-01, and I'm logged in as 'nathan'. The remote client is host berlin-client-01. I will log into the client host as user 'ansible'.

My ansible.cfg is:

[defaults]
sudo_flags=-HE
hash_behaviour = merge
retry_files_enabled = false
log_path = ./main.log
ask_vault_pass=true
remote_user = ansible

Playbook is simple:

- name: test
  hosts: '{{ target }}'
  tasks:
    - debug: msg="step 1 = {{ lookup('env','USER') }}"
    - setup:
    - debug: msg="step 2 = {{ hostvars[target].ansible_env.USER }}"
# more than one client in target needs to iterate over items:
#    - debug: msg="step 2 = {{ hostvars[item].ansible_env.USER }}"
#      with_items: "{{ hostvars }}"

Let's run it:

[nathan@berlin-ansible-01 stackoverflow]$ ansible-playbook -i hosts_staging test.yml --extra-vars "target=berlin-client-01"
Vault password:

PLAY [test] ********************************************************************

TASK [setup] *******************************************************************
ok: [berlin-client-01]

TASK [debug] *******************************************************************
ok: [berlin-client-01] => {
    "msg": "step 1 = nathan"
}

TASK [setup] *******************************************************************
ok: [berlin-client-01]

TASK [debug] *******************************************************************
ok: [berlin-client-01] => {
    "msg": "step 2 = ansible"
}

PLAY RECAP *********************************************************************
berlin-client-01             : ok=4    changed=0    unreachable=0    failed=0

Upvotes: 2

Henrik Pingel

Reputation: 3193

There is no need to set become_user when the playbook should run with the user who started ansible-playbook.

become is for privilege escalation. If I got this question right, privilege escalation is not needed.

The name of the user which runs the playbook is available as an ansible fact {{ ansible_env.username }}

Upvotes: 1

Konstantin Suvorov

Reputation: 68269

Not sure why you need to set become_user to the user you are already running your playbook with, but you can use the env lookup to get the USER environment variable:

- hosts: localhost
  tasks:
    - debug: msg="{{ lookup('env','USER') }}"

Upvotes: 7
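An added example, not part of any answer on this page: a local playbook that resolves the invoking user with the env lookup shown above and validates it before using it as become_user. The variable names invoking_user and whoami are hypothetical, and it assumes the caller is allowed to sudo to that account.

```yaml
# Added example (not from the thread). Runs locally on the machine being configured.
- name: Run selected tasks as the user who invoked ansible-playbook
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # lookup() is evaluated on the control node, so it reads the caller's environment.
    # If the playbook was started through sudo, USER is root and SUDO_USER holds the
    # original caller, so SUDO_USER is preferred and USER is the fallback.
    # Both values are set by the caller's environment and are not authenticated.
    invoking_user: "{{ lookup('env', 'SUDO_USER') | default(lookup('env', 'USER'), true) }}"
  tasks:
    - name: Refuse to continue without a usable, non-root account name
      ansible.builtin.assert:
        that:
          - invoking_user | length > 0
          - invoking_user != 'root'
        fail_msg: "Could not determine a non-root invoking user from SUDO_USER/USER"

    - name: Confirm the account exists in passwd before becoming it
      ansible.builtin.getent:
        database: passwd
        key: "{{ invoking_user }}"

    - name: Run a task as the invoking user
      ansible.builtin.command: id -un
      become: true
      become_user: "{{ invoking_user }}"
      register: whoami
      changed_when: false

    - name: Check that the task really ran as the expected account
      ansible.builtin.assert:
        that: whoami.stdout == invoking_user
```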

nyumerics

Reputation: 6547

ansible-playbook provides the --become-user CLI flag along with --ask-become-pass (if needed).

In most cases, this is a bad setup. You should standardize the user on all of your machines, or else you'll have to maintain certs/passwords for each user separately.

Upvotes: 1
