Difference between become and become_user in Ansible

become_user defines the user which is being used for privilege escalation.

become simply is a flag to either activate or deactivate the same.

Here are three examples which should make it clear:

  1. This task will be executed as root, because root is the default user for privilege escalation:

     - do: something
       become: true
    
  2. This task will be executed as user someone, because the user is explicitly set:

     - do: something
       become: true
       become_user: someone
    
  3. This task will not do anything with become_user, because become is not set and defaults to false/no:

     - do: something
       become_user: someone
    

…unless become was set to true on a higher level, e.g. a block, the playbook, group or host-vars etc.

Here is an example with a block:

    - become: true
      block:
        - do: something
          become_user: someone
        - do: something

The 1st is run as user someone, the 2nd as root.

As I understand it, become_user is something similar to su, and become means something like sudo su or perform all commands as a sudo user.

The default become_method is sudo, so sudo do something or sudo -u <become_user> do something

Fineprint: Of course do: something is pseudocode. Put your actual Ansible module there.

  1. become: yes = sudo
     become_user: user_name = sudo -u user_name
  2. become: yes
     become_user: root is equivalent to become: yes

This link explains the difference clearly.

If I need to run a batch of tasks with sudo, I often use an include_tasks statement.
It also helps a lot to keep a large playbook split up in parts.
For example:

 - name: prepare task x
   include_tasks: x-preparation.yml
   when: condition is true
   args:
     apply:
       become: yes

This is also a handy approach when using tags:

  - name: execute tasks x
    include_tasks: x-execution.yml
    args:
      apply:
        tags: exec
    tags:
      - exec

Importantly, you need to put a tag on the include_tasks statement as well.
Hope this is helpful for anyone.
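
The three cases and the block example from the first answer can be checked mechanically. The following is an added example, not code from any of the answers or from Ansible itself: a small Python resolver that walks a task list (as parsed YAML would look) and reports the user each task ends up running as. It assumes only play/block/task keywords are in play; inventory variables such as ansible_become are out of scope, and the names resolve, report and SAMPLE_TASKS are made up for this illustration.

```python
# Added example: models how become / become_user are inherited from a block
# down to its tasks. Assumption: only keyword-level settings are considered.

DEFAULT_BECOME_USER = "root"  # default target user for privilege escalation
WARN = "become_user has no effect: become is not active"


def resolve(tasks, become=False, become_user=None, path=""):
    """Yield (label, effective_user, warning) for every task.

    effective_user is None when no escalation happens, i.e. the task runs
    as the connection user.
    """
    for index, task in enumerate(tasks, start=1):
        label = f"{path}{index}"
        # A keyword set at this level overrides the inherited value.
        b = task.get("become", become)
        u = task.get("become_user", become_user)
        if "block" in task:
            # Descend into the block, passing its settings to the children.
            yield from resolve(task["block"], b, u, path=f"{label}.")
        elif b:
            yield label, u or DEFAULT_BECOME_USER, None
        else:
            # Case 3 on this page: become_user alone is silently ignored.
            yield label, None, WARN if u else None


# Constructed sample mirroring cases 1-3 and the block example above.
SAMPLE_TASKS = [
    {"do": "something", "become": True},
    {"do": "something", "become": True, "become_user": "someone"},
    {"do": "something", "become_user": "someone"},
    {"become": True, "block": [
        {"do": "something", "become_user": "someone"},
        {"do": "something"},
    ]},
]


def report(tasks=SAMPLE_TASKS):
    return list(resolve(tasks))


if __name__ == "__main__":
    for label, user, warning in report():
        print(label, user or "(connection user)", warning or "")
```

The warning on task 3 is the case worth reviewing in real playbooks: the author intended a specific account, but the task runs as the connection user instead.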
