My problem is :
As it is usually seen as a bad practice to use root user to connect to a remote machine over ssh, i use a specific unprivileged account to connect to servers.
But for me it is also a bad practice to do all actions as root user. I prefer use applicative users whenever i can.
With ansible i can become root and execute privileged commands with become directive. But is there any mean to become any user with a root 'hop' privilege escalation ?
ie, ssh with ssh-user => become root => become any other user
The other means I see do not satisfy me completely:
become root, use cmd module and use su (which displays the following deprecated message [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su ) :
cmd: su -c "my_command" app_user
become: True
become_user: root
add sudoers permission to my ssh-user to become directly all applicative users
Am i missing some way to do this more neatly ?
You can run your playbook with --ask-become-pass option, as example:
ansible-playbook -i ../inventories/production.ini service_install.yml --ask-become-pass
And in your inventory, here is called production.ini, add your information user for ansible group:
[group1]
182.26.5.159
182.26.5.160
182.26.5.161
...
[group1:vars]
ansible_connection=ssh
ansible_user=appuser # insert your app user here
ansible_ssh_pass=passuser # insert your pass here
You can then encrypt your inventory file to keep your password secret, and give the decryption password to your OPs/Sysadmins Teams
ansible-vault encrypt ../inventories/production.in
The final command kept will be:
ansible-playbook -i ../inventories/production.ini service_install.yml --ask-become-pass --ask-vault-pass
Then on your play, you will just need to user "become: yes" option to call your task:
cmd: "my_command" app_user
become: yes