Ansible Fix 'Missing sudo Password' Error: Become Configuration
By Luca Berton · Published 2024-01-01 · Category: installation
Fix Ansible 'missing sudo password' error. Configure become_password, passwordless sudo, ask-become-pass, and proper privilege escalation settings.

Introduction
Today we're going to talk about Ansible troubleshooting, specifically about missing sudo password and incorrect sudo password.
See also: Ansible troubleshooting - user module password_expiry_min bug and workaround
Playbook
The best way of talking about Ansible troubleshooting is to jump in a live Playbook to show you practically the missing sudo password and incorrect sudo password and how to solve it!error code
- missingsudopassword_error.yml
---
- name: debug module Playbook
hosts: all
become: true
tasks:
- name: root test
ansible.builtin.debug:
msg: "privilege escalation successful"
See also: Ansible 'Missing Required Arguments' Error: Fix Missing Module Parameters
error execution
$ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
fatal: [demo.example.com]: FAILED! => {"msg": "Missing sudo password"}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
troubleshoot
$ ansible-playbook --help
usage: ansible-playbook [-h] [--version] [-v] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
[...]
Privilege Escalation Options:
control how and which user you become as on target hosts
--become-method BECOME_METHOD
privilege escalation method to use (default=sudo), use `ansible-doc -t become
-l` to list valid choices.
--become-user BECOME_USER
run operations as this user (default=root)
-K, --ask-become-pass
ask for privilege escalation password
-b, --become run operations with become (does not imply password prompting)
ansible-pilot $ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml -bK
BECOME password:
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
fatal: [demo.example.com]: FAILED! => {"msg": "Incorrect sudo password"}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
See also: Ansible troubleshooting - AWS Failed to import the required Python library (botocore or boto3)
verification
$ ssh devops@demo.example.com
Last login: Mon Nov 8 10:24:10 2021 from 192.168.43.5
[devops@demo ~]$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for devops:
Sorry, try again.
[sudo] password for devops:
Sorry, try again.
[sudo] password for devops:
sudo: 2 incorrect password attempts
[devops@demo ~]$ su -
Password:
Last login: Mon Nov 8 09:44:37 UTC 2021 on pts/0
[root@demo ~]# ls -al /etc/sudo
sudo.conf sudoers sudoers.d/ sudo-ldap.conf
[root@demo ~]# ls -al /etc/sudoers.d/
total 16
drwxr-x---. 2 root root 21 Nov 8 09:06 .
drwxr-xr-x. 87 root root 8192 Nov 8 09:14 ..
-r--r-----. 1 root root 45 Sep 1 00:19 vagrant
[root@demo ~]# vim /etc/sudoers.d/devops
[root@demo ~]# cat /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALL
[root@demo ~]# exit
logout
[devops@demo ~]$ whoami
devops
[devops@demo ~]$ sudo su
[root@demo devops]# whoami
root
[root@demo devops]# exit
exit
[devops@demo ~]$ exit
logout
Connection to demo.example.com closed.fix
- /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALLfix execution
$ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
ok: [demo.example.com]
TASK [root test] *****************************************************************************************
ok: [demo.example.com] => {
"msg": "privilege escalation successful"
}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0Conclusion
Now you know how to troubleshoot themissing sudo password and incorrect sudo password fatal errors.
Quick Fixes
Provide password interactively
ansible-playbook site.yml --ask-become-pass
# or shorthand
ansible-playbook site.yml -KSet in inventory
all:
vars:
ansible_become_password: "{{ vault_sudo_pass }}"Vault-encrypted password
# Create vault
ansible-vault encrypt_string 'MySudoPass123' --name 'ansible_become_password'# group_vars/all.yml
ansible_become_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
...Permanent Fix: Passwordless sudo
# Run once with --ask-become-pass
- name: Configure passwordless sudo
ansible.builtin.copy:
content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL\n"
dest: "/etc/sudoers.d/{{ ansible_user }}"
mode: '0440'
validate: 'visudo -cf %s'
become: trueOr manually on the remote host:
echo "deploy ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/deploy
sudo chmod 440 /etc/sudoers.d/deploy
sudo visudo -cf /etc/sudoers.d/deployLimited Passwordless sudo
# Only specific commands without password
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/apt, /usr/bin/yumansible.cfg
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = falseTroubleshooting
# Test sudo manually
ssh user@host "sudo -n whoami"
# Should output: root
# If it asks for password, sudo isn't passwordless
ssh user@host "sudo -l"
# Shows sudo permissions for the user
# Verbose Ansible output
ansible-playbook site.yml -vvvv -KCommon Causes
| Cause | Fix |
|---|---|
| No sudo password provided | Add -K or set ansible_become_password |
| sudoers not configured | Add user to sudoers or sudoers.d |
| User not in sudo group | usermod -aG sudo username |
| requiretty in sudoers | Comment out Defaults requiretty |
| Password expired | Reset: sudo passwd username |
FAQ
How do I use different sudo passwords per host?
# host_vars/server1.yml
ansible_become_password: "{{ vault_server1_sudo }}"
# host_vars/server2.yml
ansible_become_password: "{{ vault_server2_sudo }}"Why does it work with SSH but fail with Ansible?
Ansible may use a non-interactive shell where sudo behaves differently. Check for requiretty in sudoers and the user's sudo permissions.
Can I use su instead of sudo?
ansible_become_method: su
ansible_become_password: "{{ vault_root_password }}"The Error
fatal: [web1]: FAILED! => {"msg": "Missing sudo password"}Quick Fixes
Provide Password at Runtime
ansible-playbook site.yml --ask-become-pass
# or
ansible-playbook site.yml -KConfigure NOPASSWD (Recommended)
# On remote host
sudo visudo -f /etc/sudoers.d/ansible
# Add:
deploy ALL=(ALL) NOPASSWD: ALLOr with Ansible (bootstrap):
- lineinfile:
path: /etc/sudoers.d/ansible
line: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
create: true
mode: '0440'
validate: 'visudo -cf %s'
become: trueIn Inventory
[webservers:vars]
ansible_become_password=mysecretpasswordIn Vault (Secure)
# group_vars/all/vault.yml (encrypted)
ansible_become_password: "{{ vault_sudo_pass }}"
vault_sudo_pass: "SuperSecret123"ansible-vault encrypt group_vars/all/vault.yml
ansible-playbook site.yml --ask-vault-passansible.cfg Configuration
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false # Set true to always promptPer-Task become
# Only escalate specific tasks
- name: Install package (needs root)
apt: { name: nginx, state: present }
become: true
- name: Deploy app config (as app user)
template:
src: config.j2
dest: /opt/myapp/config
become: true
become_user: appuserDebugging
# Test sudo on remote
ssh deploy@web1 'sudo -n whoami'
# Should output "root" without password prompt
# Verbose Ansible output
ansible-playbook site.yml -K -vvvDifferent become Methods
# sudo (default)
become_method: sudo
# su
become_method: su
# Needs: ansible_become_password
# doas (OpenBSD)
become_method: doas
# pfexec (Solaris)
become_method: pfexecLimited NOPASSWD (More Secure)
# Only allow specific commands without password
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/apt-get, /usr/bin/cpFAQ
NOPASSWD set but still getting the error?
Check sudoers order — later rules override earlier ones. Ensure no Defaults requiretty blocks Ansible. Test with ssh user@host 'sudo -n true'.
How to use different passwords per host?
Set ansible_become_password in host_vars/hostname.yml (encrypted with Vault).
Can I avoid storing passwords entirely?
Yes — use SSH key auth + NOPASSWD sudo. No passwords needed anywhere.
The Error
fatal: [web1]: FAILED! => {"msg": "Missing sudo password"}Quick Fixes
Option 1: Prompt at Runtime
ansible-playbook site.yml --ask-become-pass
# or
ansible-playbook site.yml -KOption 2: Passwordless sudo
# On the remote host, add to /etc/sudoers.d/ansible:
deploy ALL=(ALL) NOPASSWD: ALLOr with Ansible (bootstrap):
- copy:
content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
dest: "/etc/sudoers.d/{{ ansible_user }}"
mode: '0440'
validate: 'visudo -cf %s'
become: trueOption 3: Set in Inventory
[all:vars]
ansible_become_password={{ vault_sudo_password }}Option 4: Set in ansible.cfg
[privilege_escalation]
become = True
become_method = sudo
become_ask_pass = TrueVault-Encrypted Password
# group_vars/all/vault.yml (encrypted)
vault_become_password: "MySudoPassword"
# group_vars/all/main.yml
ansible_become_password: "{{ vault_become_password }}"Per-Host sudo Password
[webservers]
web1 ansible_become_password="{{ vault_web1_sudo }}"
web2 ansible_become_password="{{ vault_web2_sudo }}"Selective Privilege Escalation
# Don't use become globally — only where needed
- hosts: all
tasks:
- debug: msg="No sudo needed"
- apt: { name: nginx }
become: true # Only this task needs sudoTroubleshoot
# Check if sudo works manually
ssh deploy@web1 'sudo -n whoami'
# Should output: root
# Check sudoers on remote host
ssh deploy@web1 'sudo -l'
# Verbose Ansible output
ansible web1 -m ping -b -vvvFAQ
Why does --ask-become-pass ask only once?
Ansible assumes the same sudo password for all hosts. Use per-host ansible_become_password if passwords differ.
Can I use su instead of sudo?
become_method: su
ansible_become_password: "{{ root_password }}""sudo: a password is required" vs "Missing sudo password"?
Same issue — the remote host requires a password for sudo, and Ansible doesn't have one. Fix with any option above.
Related Articles
Category: installation
Watch the video: Ansible Fix 'Missing sudo Password' Error: Become Configuration — Video Tutorial