Aman Soni

Reputation: 13

How to specify become password for tasks delegated to localhost

I have a playbook that targets a particular host. But there are a few tasks that I need to execute locally, so I am using "delegate_to" for those tasks. A few locally delegated tasks require sudo privileges, so I used "become: yes" and passed --ask-become-pass through the command line, and it worked fine. But now that I have created a job on Ansible Tower, how do I provide the become password for the user (I guess the awx user) that is running the job?

Upvotes: 1

Views: 2019

Answers (2)

hashim vayalar

Reputation: 313

While creating credentials, you have an option in Tower to use a sudo username.

  1. PRIVILEGE ESCALATION USERNAME --- Mention your username there
  2. PRIVILEGE ESCALATION PASSWORD --- You can mention your password here or select "Prompt on Launch"; the option to enter the password will appear when you run the template.

Please check this screen shot

Upvotes: 1

n7s

Reputation: 419

You'll want to set the special variable ansible_become_password, described in https://docs.ansible.com/ansible/latest/user_guide/become.html#become-connection-variables.

Because you'll be storing the password as a variable for your playbook(s), you'll notice they recommend encrypting the password with Ansible Vault to avoid storing a clear-text password.

Assuming you're storing your code/playbooks in git, there are a few options to consider:

  1. Storing the Vault password in a file
  2. Updating .gitignore to ignore the Vault password file
  3. Updating ansible.cfg to set the default Vault password file (example below)

     ```ini
     [defaults]
     vault_password_file = .vault_password
     ```

I lack experience with Ansible Tower, but have done similar with Rundeck successfully. Hope that helps!

Upvotes: 2
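The approach from the answer above as a playbook, added here as an illustration (it is not code from either answer or from the Ansible documentation). The inventory group `app_servers`, the variable `vault_local_become_password`, the file `group_vars/all/vault.yml` and the path `/etc/myapp/exports` are all hypothetical names chosen for the example.

```yaml
# Added example; every host, variable and path name here is hypothetical.
#
# Assumed layout: group_vars/all/vault.yml is encrypted with
# `ansible-vault encrypt` and defines
#   vault_local_become_password: <sudo password of the user that runs
#                                 the job on the control node>

- name: Configure remote hosts, with some steps run on the control node
  hosts: app_servers                 # hypothetical inventory group
  tasks:
    - name: Remote task, escalates with the normal become settings
      ansible.builtin.package:
        name: rsync
        state: present
      become: true

    - name: Local task that needs sudo on the control node
      ansible.builtin.file:
        path: /etc/myapp/exports     # hypothetical path
        state: directory
        mode: "0750"
      delegate_to: localhost
      run_once: true
      become: true
      vars:
        # Set at task level so only this delegated task uses the local
        # sudo password; the remote become password is left untouched.
        ansible_become_password: "{{ vault_local_become_password }}"
      # Keep this task's arguments and results out of the job output.
      no_log: true
```

The encrypted vars file can be committed to git; only the Vault password that decrypts it has to be supplied at run time, for example through the `vault_password_file` setting shown in the answer.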
