Let's suppose I run a playbook as a non-root user and one task needs to include a vars file that is readable only by root.

The ansible.builtin.include_vars official doc
<https://docs.ansible.com/ansible/latest/collections/ansible/builtin/include_vars_module.html#attributes>
states that the 'become' attribute is not supported but "Is usable alongside become keywords", which seems to contradict the fact that it is unsupported.

I tried to use the become vars, but that does not work either:
```yaml
- name: Including vars issue
  hosts: all
  gather_facts: false
  tasks:
    - name: Creating a file with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      file:
        group: 'root'
        mode: '0640'
        owner: 'root'
        path: "../files/restricted_file"
        state: touch

    - name: Including vars with root-only permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: root
      include_vars: "../files/restricted_file"
      ignore_errors: true

    - name: Including vars with non-root user permissions
      vars:
        ansible_become: yes
        ansible_become_method: sudo
        ansible_become_user: admin
      include_vars: "../files/capabilities.json"
```
leads to:
```text
 ___________________________________________________
< TASK [Creating a file with root-only permissions] >
 ---------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

changed: [localhost] => changed=true 
  dest: ../files/restricted_file
  gid: 0
  group: root
  mode: '0640'
  owner: root
  size: 0
  state: file
  uid: 0
 __________________________________________________
< TASK [Including vars with root-only permissions] >
 --------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

fatal: [localhost]: FAILED! => changed=false 
  ansible_facts: {}
  ansible_included_var_files: []
  message: 'an error occurred while trying to read the file ''playbooks/issues/../files/restricted_file'': [Errno 13] Permission denied: b''playbooks/files/restricted_file''. [Errno 13] Permission denied: b''playbooks/files/restricted_file'''
...ignoring
 ______________________________________________________
< TASK [Including vars with non-root user permissions] >
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [localhost] => changed=false 
...
```

I'm probably missing something here; how can we work around this limitation?
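The following playbook is an added example, not part of the original post. It illustrates the usual workaround for this limitation: include_vars is an action that runs on the controller and reads the file as the user running ansible-playbook, so become keywords are accepted but never change who reads the file. A regular module such as ansible.builtin.slurp does execute on the target under become, returns the file base64-encoded, and set_fact can parse the decoded text. Privilege escalation is confined to the two tasks that need it, and no_log keeps the file contents out of the play output. The file name restricted_vars.yml, the variable restricted_vars_path, and the sample key/value content are assumptions made for this example.

```yaml
# Added example (not from the original post): load a root-only vars file
# without running the whole play as root.
# include_vars reads from the controller as the unprivileged play user, so
# become does not apply to it; slurp runs on the target under become.
- name: Load a root-only vars file via slurp (added example)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumption: the restricted file lives next to the playbook tree.
    restricted_vars_path: "{{ playbook_dir }}/../files/restricted_vars.yml"
  tasks:
    - name: Create a constructed root-only YAML file (sample data only)
      become: true
      ansible.builtin.copy:
        dest: "{{ restricted_vars_path }}"
        owner: root
        group: root
        mode: "0600"
        content: |
          # constructed sample content, not a real credential
          db_user: app
          db_password: example-only-not-real

    - name: Read the file as root (the module itself runs under become)
      become: true
      ansible.builtin.slurp:
        src: "{{ restricted_vars_path }}"
      register: restricted_raw
      no_log: true   # keep the base64 payload out of the play output

    - name: Parse the decoded contents into play variables
      ansible.builtin.set_fact:
        restricted_vars: "{{ restricted_raw.content | b64decode | from_yaml }}"
      no_log: true

    - name: Use the variables without printing the secret
      ansible.builtin.debug:
        msg: "Loaded {{ restricted_vars | length }} keys; db_user={{ restricted_vars.db_user }}"
```

For a JSON file such as the capabilities.json in the question, replace from_yaml with from_json. Variables set this way are host facts rather than included vars, so they behave like set_fact results in the precedence order, which matters if the same names are also defined elsewhere.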
