Vasanth Nag K V

Reputation: 4988

ansible - playbook execution fails for user creation with permission issue

I am new to DevOps; I tried Puppet for some time and am now checking out Ansible. I have set up Ansible in the conventional way, as described in most of the tutorials:

1. downloaded EPL
2. installed ansible
3. exchanged the SSH keys between the control and target machines
4. configured the sshd_conf file properly

Now it's time for me to test the ping with the command below:

sudo ansible testservers -u admin -m ping

But when I do that, I get the output below:

ansible 2.6.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.6.6 (r266:84292, Aug  9 2016, 06:11:56) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
<[email protected]> ESTABLISH SSH CONNECTION FOR USER: admin
<[email protected]> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/bbbace40d6 [email protected] '/bin/sh -c '"'"'echo ~admin && sleep 0'"'"''
<[email protected]> (255, '', 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
[email protected] | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n", 
    "unreachable": true
}

But when I do it with --ask-pas like below and supply the password, it works fine (which is not useful when automating):

sudo ansible testservers -m user -a'name=vasanth state=absent' --become --ask-pas
SSH password: 
[email protected] | SUCCESS => {
    "changed": false, 
    "name": "vasanth", 
    "state": "absent"
}

To solve this, I added "ansible_ssh_pass" to the /etc/ansible/hosts file and it was solved. The ping succeeded without --ask-pas.

Now the next step is to execute playbooks. I created a playbook like the one below:

- hosts: all
  tasks:
  - name: Ansible create user example.
    user:
      name: vasanth
      password: vasanth

When I execute it, I get the result below:

    sudo ansible-playbook userCreate.yml -v
Using /etc/ansible/ansible.cfg as config file

PLAY [all] ************************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [10.0.0.47]

TASK [Ansible create user example.] ***********************************************************************************************************************************************************
fatal: [10.0.0.47]: FAILED! => {"changed": false, "cmd": "/usr/sbin/useradd -p VALUE_SPECIFIED_IN_NO_LOG_PARAMETER -m VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "msg": "[Errno 13] Permission denied", "rc": 13}
    to retry, use: --limit @/home/admin/userCreate.retry

PLAY RECAP ************************************************************************************************************************************************************************************
10.0.0.47                  : ok=1    changed=0    unreachable=0    failed=1  

What is the problem here?

Upvotes: 2

Views: 11233

Answers (2)

Two different problems here:

1. Sort out your SSH keys

Ansible is trying to connect using SSH keys and it fails:

"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n"

I'd suggest that you first try to ssh into your server: ssh [email protected]

This will probably fail, either because your public key is not in the authorized_keys of your server or because of key mappings in your ~/.ssh/config.

Once you are able to ssh into the server, Ansible should be able to as well.

2. Creating a user

Take a look at the Ansible output:

...
"msg": "[Errno 13] Permission denied"

Your user doesn't have enough privileges to create users. If your admin user belongs to the wheel group, you can use become to run the task as root:

- hosts: all
  tasks:
    - name: Ansible create user example.
      become: yes   # run this task as root
      user:
        name: vasanth
        # ...

Upvotes: 3

larsks

Reputation: 312630

If you're not connecting to the remote host as root, then you need to tell Ansible to become root when running your tasks using the become: key, which can be placed on a play to run all tasks in that play with elevated privileges:

- hosts: all
  become: true   # every task in this play runs with elevated privileges
  tasks:
    - name: Ansible create user example.
      user:
        name: vasanth
        password: vasanth

Or it can be placed on individual tasks to run only those tasks with elevated privileges:

- hosts: all
  tasks:
    - name: Ansible create user example.
      become: true   # only this task runs with elevated privileges
      user:
        name: vasanth
        password: vasanth

The become key isn't used exclusively for privilege escalation; it can be used to ask Ansible to run as any user in combination with the become_user key. You can read more in the docs.

Upvotes: 6
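
An added example, not part of the question or of either answer, that combines the points above: key-based SSH instead of ansible_ssh_pass in the inventory, become for the user task, and a hashed password read from a vaulted variable. The file name vault.yml and the variable vault_vasanth_password are assumptions.

```yaml
# userCreate.yml: added example; vault.yml and vault_vasanth_password are assumed names.
# Assumes ansible_ssh_pass has been removed from /etc/ansible/hosts and that the
# control user's public key is in admin's authorized_keys on the target.
- hosts: testservers
  remote_user: admin
  become: true                # run tasks as root; admin must be allowed to escalate
  vars_files:
    - vault.yml               # encrypted with: ansible-vault encrypt vault.yml
  tasks:
    - name: Create user with a hashed password
      user:
        name: vasanth
        # On Linux targets the password parameter takes a crypt(3) hash,
        # not the plaintext, so hash the vaulted value first.
        password: "{{ vault_vasanth_password | password_hash('sha512') }}"
        # password_hash picks a random salt on each run; set it only at creation
        # so repeated runs do not report a change.
        update_password: on_create
      no_log: true            # keep the hash out of task output and logs
```

Run it with ansible-playbook userCreate.yml --ask-vault-pass, adding --ask-become-pass if privilege escalation on the target requires a password.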
