Let's suppose I run a playbook as a non-root user and one task needs to include a vars file with only root permissions.

The ansible.builtin.include_vars official doc <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/include_vars_module.html#attributes> states that the 'become' attribute is not supported but "Is usable alongside become keywords", which seems to contradict the fact that it is unsupported.

I tried to use the become vars but that does not work either:

- name: Including vars issue
  hosts: all
  gather_facts: false
  tasks:
    - name: Creating a file with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      file:
        group: 'root'
        mode: '0640'
        owner: 'root'
        path: "../files/restricted_file"
        state: touch

    - name: Including vars with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      include_vars: "../files/restricted_file"
      ignore_errors: true

    - name: Including vars with non-root user permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: admin
      include_vars: "../files/capabilities.json"

leads to:

 ___________________________________________________
< TASK [Creating a file with root-only permissions] >
 ---------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

changed: [localhost] => changed=true
  dest: ../files/restricted_file
  gid: 0
  group: root
  mode: '0640'
  owner: root
  size: 0
  state: file
  uid: 0
 __________________________________________________
< TASK [Including vars with root-only permissions] >
 --------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

fatal: [localhost]: FAILED! => changed=false
  ansible_facts: {}
  ansible_included_var_files: []
  message: 'an error occurred while trying to read the file ''playbooks/issues/../files/restricted_file'': [Errno 13] Permission denied: b''playbooks/files/restricted_file''. [Errno 13] Permission denied: b''playbooks/files/restricted_file'''
...ignoring
 ______________________________________________________
< TASK [Including vars with non-root user permissions] >
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [localhost] => changed=false
...

I'm probably missing something here; how can we work around this limitation?
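
An added example, not part of the original post: include_vars is an action plugin that reads the file on the controller as the user running ansible-playbook, so become settings never change who opens the file. One way around this is to read the file with a module that does honor become (slurp) and parse it yourself; the variable names `restricted_raw` and `restricted_vars` and the use of `playbook_dir` are assumptions.

```yaml
# Added example (not from the original post): load a root-only vars file
# through a privileged module instead of include_vars.
- name: Load root-only vars without include_vars
  hosts: all
  gather_facts: false
  tasks:
    - name: Read the restricted file as root on the controller
      ansible.builtin.slurp:
        # slurp needs a path valid on the host it runs on; playbook_dir
        # resolves the post's relative path on the controller.
        src: "{{ playbook_dir }}/../files/restricted_file"
      delegate_to: localhost      # the file lives on the controller
      become: true
      become_method: sudo
      become_user: root
      register: restricted_raw    # hypothetical variable name
      no_log: true                # keep file contents out of task output

    - name: Parse the YAML/JSON content into a variable
      ansible.builtin.set_fact:
        # slurp returns base64; an empty file parses to null, so fall
        # back to an empty dict. Unlike include_vars, the keys end up
        # nested under restricted_vars rather than at the top level.
        restricted_vars: >-
          {{ (restricted_raw.content | b64decode | from_yaml)
             | default({}, true) }}
      no_log: true
```

Because the file was restricted to root for a reason, `no_log: true` on both tasks keeps its contents out of console output and callback logs; anything stored with set_fact is still visible to later tasks in the play.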