Let's suppose I run a playbook as a non-root user and one task needs to
include a vars file with only root permissions.
The ansible.builtin.include_vars official doc
<https://docs.ansible.com/ansible/latest/collections/ansible/builtin/include_vars_module.html#attributes>
states that the 'become' attribute is not supported but "Is usable
alongside become keywords", which seems to contradict the fact that it is
unsupported.
I tried to use the become vars but that does not work either:
- name: Including vars issue
  hosts: all
  gather_facts: false
  tasks:
    - name: Creating a file with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      file:
        group: 'root'
        mode: '0640'
        owner: 'root'
        path: "../files/restricted_file"
        state: touch
    - name: Including vars with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      include_vars: "../files/restricted_file"
      ignore_errors: true
    - name: Including vars with non-root user permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: admin
      include_vars: "../files/capabilities.json"
leads to:
___________________________________________________
< TASK [Creating a file with root-only permissions] >
---------------------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
changed: [localhost] => changed=true
dest: ../files/restricted_file
gid: 0
group: root
mode: '0640'
owner: root
size: 0
state: file
uid: 0
__________________________________________________
< TASK [Including vars with root-only permissions] >
--------------------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
fatal: [localhost]: FAILED! => changed=false
ansible_facts: {}
ansible_included_var_files: []
message: 'an error occurred while trying to read the file
''playbooks/issues/../files/restricted_file'': [Errno 13] Permission
denied: b''playbooks/files/restricted_file''. [Errno 13] Permission denied:
b''playbooks/files/restricted_file'''
...ignoring
______________________________________________________
< TASK [Including vars with non-root user permissions] >
------------------------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [localhost] => changed=false
...
I'm probably missing something here; how can we work around this limitation?
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/a706f783-a0a3-4648-8858-c66894c62980n%40googlegroups.com.
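The reason become has no effect in the post above is that include_vars is an action plugin: it reads the file on the controller, as the user running ansible-playbook, and become only changes the user that runs the generated module on the managed host. One workaround is to read the file with a module that does run on the target under become (ansible.builtin.slurp), then decode and parse it with set_fact. The playbook below is an added example, not the poster's code or anything from the Ansible docs; the path variable, the task names and the assumption that the file contains YAML are mine.

```yaml
# Added example (not from the original post): load a root-only YAML vars file
# through become by using slurp, which executes on the managed host, instead of
# include_vars, which reads the file on the controller as the playbook user.
- name: Load vars from a root-only file via become
  hosts: all
  gather_facts: false
  vars:
    # Assumed location, mirroring "../files/restricted_file" from the post.
    # slurp resolves this path on the managed host; in the post the host is
    # localhost, so the controller path works. For a remote target it must be
    # a path that exists there.
    restricted_vars_path: "{{ playbook_dir }}/../files/restricted_file"
  tasks:
    - name: Read the file as root (slurp is a module, so become applies)
      ansible.builtin.slurp:
        src: "{{ restricted_vars_path }}"
      become: true
      become_method: sudo
      become_user: root
      register: restricted_raw
      # The task result carries the whole file base64-encoded; no_log keeps
      # it out of the play output and out of callback/log plugins.
      no_log: true

    - name: Decode and parse the content (the file is assumed to hold YAML)
      ansible.builtin.set_fact:
        restricted_vars: "{{ restricted_raw.content | b64decode | from_yaml }}"
      no_log: true

    - name: Show only the key names, never the values
      ansible.builtin.debug:
        msg: "Loaded keys: {{ (restricted_vars | default({}, true)).keys() | list }}"
```

Two caveats before relying on this. First, anything loaded this way becomes a host fact for the rest of the run, so it is visible through hostvars from other hosts' templates and is persisted if fact caching is enabled; the file's 0640 root-only mode no longer protects the values once they are inside Ansible. Second, the non-root user now needs a sudo rule that lets Ansible run its generated module as root, and such a rule is effectively full root for that user, so the permission on the file is only as strong as that sudoers entry.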