Ansible Fix 'Missing sudo Password' Error: Become Configuration
By Luca Berton · Published 2024-01-01 · Category: installation
Fix Ansible 'missing sudo password' error. Configure become_password, passwordless sudo, ask-become-pass, and proper privilege escalation settings.

Introduction
Today we're going to talk about Ansible troubleshooting, specifically about missing sudo password and incorrect sudo password. I'm Luca Berton and welcome to today's episode of Ansible Pilot.
Playbook
The best way to talk about Ansible troubleshooting is to jump into a live Playbook, reproduce the "Missing sudo password" and "Incorrect sudo password" errors, and show how to solve them!
error code
• missingsudopassword_error.yml
---
- name: debug module Playbook
  hosts: all
  become: true
  tasks:
    - name: root test
      ansible.builtin.debug:
        msg: "privilege escalation successful"
error execution
$ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
fatal: [demo.example.com]: FAILED! => {"msg": "Missing sudo password"}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
troubleshoot
$ ansible-playbook --help
usage: ansible-playbook [-h] [--version] [-v] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
[...]
Privilege Escalation Options:
  control how and which user you become as on target hosts

  --become-method BECOME_METHOD
                        privilege escalation method to use (default=sudo), use `ansible-doc -t become -l` to list valid choices.
  --become-user BECOME_USER
                        run operations as this user (default=root)
  -K, --ask-become-pass
                        ask for privilege escalation password
  -b, --become          run operations with become (does not imply password prompting)
The Playbook already sets become: true, so what is missing is the sudo password itself: -b only enables privilege escalation, while -K (--ask-become-pass) makes Ansible prompt once for the password and feed it to sudo on every host.
$ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml -bK
BECOME password:
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
fatal: [demo.example.com]: FAILED! => {"msg": "Incorrect sudo password"}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
verification
The password typed at the prompt was rejected by sudo, so log in as the same remote user (devops) and test sudo by hand to see what the host actually does:
$ ssh devops@demo.example.com
Last login: Mon Nov 8 10:24:10 2021 from 192.168.43.5
[devops@demo ~]$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for devops:
Sorry, try again.
[sudo] password for devops:
Sorry, try again.
[sudo] password for devops:
sudo: 2 incorrect password attempts
[devops@demo ~]$ su -
Password:
Last login: Mon Nov 8 09:44:37 UTC 2021 on pts/0
[root@demo ~]# ls -al /etc/sudo
sudo.conf sudoers sudoers.d/ sudo-ldap.conf
[root@demo ~]# ls -al /etc/sudoers.d/
total 16
drwxr-x---. 2 root root 21 Nov 8 09:06 .
drwxr-xr-x. 87 root root 8192 Nov 8 09:14 ..
-r--r-----. 1 root root 45 Sep 1 00:19 vagrant
[root@demo ~]# vim /etc/sudoers.d/devops
[root@demo ~]# cat /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALL
[root@demo ~]# exit
logout
[devops@demo ~]$ whoami
devops
[devops@demo ~]$ sudo su
[root@demo devops]# whoami
root
[root@demo devops]# exit
exit
[devops@demo ~]$ exit
logout
Connection to demo.example.com closed.
fix
• /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALL
The session above created the file with vim; prefer visudo -f /etc/sudoers.d/devops, which syntax-checks the rule before saving it. Keep the drop-in owned by root with mode 0440, and do not give it a name that contains a dot or ends in ~, because sudo skips such files in /etc/sudoers.d. Be aware that NOPASSWD: ALL makes the devops account, and therefore the SSH key that logs into it, equivalent to root.
fix execution
$ ansible-playbook -i Playbook/inventory troubleshooting/missingsudopassword_error.yml
PLAY [debug module Playbook] *********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
ok: [demo.example.com]
TASK [root test] *****************************************************************************************
ok: [demo.example.com] => {
"msg": "privilege escalation successful"
}
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Conclusion
Now you know how to troubleshoot the "Missing sudo password" and "Incorrect sudo password" fatal errors.
Quick Fixes
Provide password interactively
ansible-playbook site.yml --ask-become-pass
# or shorthand
ansible-playbook site.yml -K
Set in inventory
all:
  vars:
    ansible_become_password: "{{ vault_sudo_pass }}"
Vault-encrypted password
# Create the encrypted value
ansible-vault encrypt_string 'MySudoPass123' --name 'ansible_become_password'
# group_vars/all.yml
ansible_become_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...
Permanent Fix: Passwordless sudo
# Run once with --ask-become-pass (-K); later runs need no password.
# ansible_user must be set (inventory or -u) and must not contain a dot,
# because sudo ignores drop-ins in /etc/sudoers.d whose name contains one.
- name: Configure passwordless sudo
  ansible.builtin.copy:
    content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL\n"
    dest: "/etc/sudoers.d/{{ ansible_user }}"
    mode: '0440'
    validate: 'visudo -cf %s'
  become: true
Or manually on the remote host (tee creates the file with the default umask, typically 0644, so fix the mode and validate before relying on it):
echo "deploy ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/deploy
sudo chmod 440 /etc/sudoers.d/deploy
sudo visudo -cf /etc/sudoers.d/deploy
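Whichever way the drop-in is written, sudo only honours it if the file name contains no dot and does not end in ~, the file is owned by root, its mode has no bits beyond 0440, and it parses. The script below is an added example for this page, not Ansible's, sudo's or the author's code: write_dropin() creates the file the way the copy task above does, and audit_dropin() reports each reason sudo would skip or reject it, running visudo -cf only when visudo is installed. demo() exercises it on two constructed files in a temporary directory and compares ownership against the current uid because the example does not run as root; on a real host keep the default expect_uid=0.

```python
"""Audit a /etc/sudoers.d drop-in before relying on it for Ansible become.

Added example, not Ansible's or sudo's own code.  It checks what makes sudo
silently skip a drop-in (sudoers(5)): a name containing '.' or ending in '~',
an owner other than root, permission bits beyond 0440, a missing final
newline, and a syntax error as reported by 'visudo -cf' when visudo exists.
"""
import os
import shutil
import stat
import subprocess
import tempfile

SUDOERS_MODE = 0o440


def render_rule(user, commands="ALL", nopasswd=True):
    """Render one user spec line; commands is 'ALL' or a comma list of paths."""
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} ALL=(ALL) {tag}{commands}\n"


def write_dropin(path, content, mode=SUDOERS_MODE):
    """Write the content atomically, then set the mode sudo expects."""
    tmp = path + ".tmp"        # a leftover '.tmp' file is ignored by sudo (dot in name)
    with open(tmp, "w") as fh:
        fh.write(content)
    os.chmod(tmp, mode)
    os.replace(tmp, path)


def audit_dropin(path, expect_uid=0):
    """Return the reasons sudo would skip or reject this drop-in (empty = fine)."""
    problems = []
    name = os.path.basename(path)
    if "." in name or name.endswith("~"):
        problems.append("name contains '.' or ends with '~': sudo skips the file")
    st = os.stat(path)
    if st.st_uid != expect_uid:
        problems.append(f"owner uid {st.st_uid}, sudo expects uid {expect_uid}")
    if stat.S_IMODE(st.st_mode) & ~SUDOERS_MODE:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o}, should be 0440")
    with open(path) as fh:
        text = fh.read()
    if not text.endswith("\n"):
        problems.append("missing final newline")
    if shutil.which("visudo"):   # syntax check only; -f skips the ownership check
        r = subprocess.run(["visudo", "-cf", path], capture_output=True, text=True)
        if r.returncode != 0:
            problems.append("visudo: " + (r.stderr or r.stdout).strip())
    return problems


def demo():
    """Write a good and a bad drop-in into a temp dir and audit both.

    Constructed inputs: 'devops' mirrors the rule from this page; 'john.doe'
    is a dotted user name written with mode 0644 and no trailing newline.
    """
    uid = os.getuid()           # not root here, so compare against ourselves
    d = tempfile.mkdtemp()
    good = os.path.join(d, "devops")
    write_dropin(good, render_rule("devops"))
    bad = os.path.join(d, "john.doe")
    write_dropin(bad, render_rule("john.doe").rstrip("\n"), mode=0o644)
    result = {"good": audit_dropin(good, uid), "bad": audit_dropin(bad, uid)}
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for label, probs in demo().items():
        print(label, "->", probs or ["ok"])
```

The dotted name is the quiet failure to watch for when the drop-in is named after {{ ansible_user }}: the file is created, visudo accepts it, and sudo never reads it.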
Limited Passwordless sudo
# Only specific commands without password
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/apt, /usr/bin/yum
A rule like this does not satisfy Ansible's become: the sudo become plugin never runs the binary directly but wraps every module in /bin/sh -c '...', which this list does not permit, so the play still fails with "Missing sudo password". It only helps for tasks that call sudo themselves (for example command: sudo systemctl restart nginx with become left off). Treat it as a convenience rather than a security boundary: anything that can install packages or define services, as apt, yum and systemctl can, is root-equivalent.
ansible.cfg
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
Troubleshooting
# Test sudo manually
ssh user@host "sudo -n whoami"
# Should output: root
# If it asks for password, sudo isn't passwordless
ssh user@host "sudo -l"
# Shows sudo permissions for the user
# Verbose Ansible output
ansible-playbook site.yml -vvvv -K
Common Causes
| Cause | Fix |
|-------|-----|
| No sudo password provided | Add -K or set ansible_become_password |
| sudoers not configured | Add user to sudoers or sudoers.d |
| User not in sudo group | usermod -aG sudo username (Debian/Ubuntu) or usermod -aG wheel username (RHEL/Fedora); the user must log in again |
| requiretty in sudoers | Comment out Defaults requiretty |
| Password expired | sudo asks for the user's own password; reset it as root with passwd username |
FAQ
How do I use different sudo passwords per host?
# host_vars/server1.yml
ansible_become_password: "{{ vault_server1_sudo }}"
# host_vars/server2.yml
ansible_become_password: "{{ vault_server2_sudo }}"
Why does it work with SSH but fail with Ansible?
Ansible runs sudo non-interactively, without a terminal and (when no become password is set) with -n, so anything that needs a TTY or a prompt fails even though an interactive SSH session works. Check for Defaults requiretty in sudoers and compare the user's permissions with sudo -l.
Can I use su instead of sudo?
ansible_become_method: su
ansible_become_password: "{{ vault_root_password }}"
The Error
fatal: [web1]: FAILED! => {"msg": "Missing sudo password"}
Quick Fixes
Provide Password at Runtime
ansible-playbook site.yml --ask-become-pass
# or
ansible-playbook site.yml -K
Configure NOPASSWD (Recommended)
# On remote host
sudo visudo -f /etc/sudoers.d/ansible
# Add:
deploy ALL=(ALL) NOPASSWD: ALL
Or with Ansible (bootstrap, run once with -K):
- name: Bootstrap passwordless sudo for the Ansible user
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/ansible
    line: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
    create: true
    mode: '0440'
    validate: 'visudo -cf %s'
  become: true
In Inventory
[webservers:vars]
ansible_become_password=mysecretpassword
A plaintext password in the inventory ends up in version control and in every backup of it; use this only in a throwaway lab and otherwise reference a Vault variable as below.
In Vault (Secure)
# group_vars/all/vault.yml (encrypted; holds only the secret)
vault_sudo_pass: "SuperSecret123"
# group_vars/all/vars.yml (plain; points at the vaulted value)
ansible_become_password: "{{ vault_sudo_pass }}"
ansible-vault encrypt group_vars/all/vault.yml
ansible-playbook site.yml --ask-vault-pass
ansible.cfg Configuration
[privilege_escalation]
become = true
become_method = sudo
become_user = root
# set become_ask_pass = true to prompt on every run
become_ask_pass = false
Keep comments on their own line: in ansible.cfg a # starts a comment only at the beginning of a line, so a trailing "# ..." after a value becomes part of the value and breaks the boolean.
Per-Task become
# Only escalate specific tasks
- name: Install package (needs root)
  ansible.builtin.apt:
    name: nginx
    state: present
  become: true

- name: Deploy app config (as app user)
  ansible.builtin.template:
    src: config.j2
    dest: /opt/myapp/config
  become: true
  become_user: appuser
Debugging
# Test sudo on remote
ssh deploy@web1 'sudo -n whoami'
# Should output "root" without password prompt
# Verbose Ansible output
ansible-playbook site.yml -K -vvv
Different become Methods
# sudo (default)
become_method: sudo
# su
become_method: su
# Needs: ansible_become_password
# doas (OpenBSD)
become_method: doas
# pfexec (Solaris)
become_method: pfexec
Limited NOPASSWD (More Restrictive)
# Only allow specific commands without password
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/apt-get, /usr/bin/cp
This does not work with Ansible's become, which runs every module through /bin/sh -c rather than calling these binaries; it suits only tasks that invoke sudo explicitly. It is also not much of a boundary: cp as root can overwrite /etc/sudoers or /etc/shadow, and apt-get can run arbitrary commands while installing packages.
FAQ
NOPASSWD set but still getting the error?
Check sudoers order: the last matching rule wins, so a later entry for the same user (a group rule in /etc/sudoers or another drop-in) can override your NOPASSWD line. Make sure no Defaults requiretty applies, and that the drop-in's name has no dot and its mode is 0440, otherwise sudo skips it. Test with ssh user@host 'sudo -n true'.
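The failure modes above (a NOPASSWD list that names binaries, a later rule overriding an earlier one, and Defaults requiretty) can be checked against a sudoers file before a play is run. The script below is an added example written for this page, not code from Ansible, sudo or the author: ansible_sudo_command() rebuilds the command line Ansible's sudo become plugin hands to sudo (default flags -H -S -n, with -n dropped and a prompt set only when a password is supplied, and the module wrapped in /bin/sh -c with a BECOME-SUCCESS marker), and become_check() evaluates a simplified sudoers text, supporting only user and %group specs, (runas) lists, NOPASSWD/PASSWD tags, ALL and Defaults requiretty, with hosts, aliases and includes ignored. The sudoers lines it is fed are constructed inputs, and the file name AnsiballZ_setup.py stands in for whatever module Ansible is pushing.

```python
"""Predict whether Ansible's sudo become will hit 'Missing sudo password'.

Added example for this page, not code from Ansible or sudo.  It models only
the sudoers features discussed here (user and %group specs, a (runas) list,
NOPASSWD/PASSWD tags, ALL, last-match-wins and Defaults requiretty); host
fields, aliases, @include/@includedir and other Defaults are ignored.
"""
import re
import shlex

USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"^\((?P<runas>[^)]*)\)\s*")
TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")


def ansible_sudo_command(module_cmd, have_password=False, become_user="root",
                         key="0123456789abcdef"):
    """Command line Ansible's sudo become plugin builds for one module run.

    Default flags are '-H -S -n'; '-n' is dropped and a recognisable prompt
    added only when a become password is available.  What sudo executes is
    never the module binary but /bin/sh -c 'echo BECOME-SUCCESS-<key>; <cmd>',
    so a NOPASSWD rule limited to specific binaries never matches it.
    """
    flags, prompt = "-H -S -n", ""
    if have_password:
        flags = "-H -S"
        prompt = f'-p "[sudo via ansible, key={key}] password:" '
    wrapped = shlex.quote(f"echo BECOME-SUCCESS-{key}; {module_cmd}")
    return f"sudo {flags} {prompt}-u {become_user} /bin/sh -c {wrapped}"


def _who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return who == user


def _cmd_matches(spec, argv):
    """ALL matches anything; a bare path matches with any arguments;
    a path given with arguments must match the whole argv."""
    if spec == "ALL":
        return True
    parts = shlex.split(spec)
    return parts == argv[:1] if len(parts) == 1 else parts == argv


def become_check(sudoers_text, user, groups=(), become_user="root"):
    """Return 'ok', 'password', 'denied' or 'notty' for an Ansible become run."""
    argv = ["/bin/sh", "-c", "echo BECOME-SUCCESS-x; /usr/bin/python3 AnsiballZ_setup.py"]
    verdict, requiretty = "denied", False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            # Ansible runs sudo without a tty, so 'Defaults requiretty' makes
            # sudo refuse outright; a later '!requiretty' switches it off again.
            if re.search(r"(?<!!)\brequiretty\b", line):
                requiretty = True
            elif "!requiretty" in line:
                requiretty = False
            continue
        m = USER_SPEC.match(line)
        if not m or not _who_matches(m.group("who"), user, groups):
            continue
        rest = m.group("rest")
        runas_users = ["root"]                       # sudoers runas_default
        r = RUNAS.match(rest)
        if r:
            runas_users = [u.strip() for u in r.group("runas").split(":")[0].split(",")]
            rest = rest[r.end():]
        if "ALL" not in runas_users and become_user not in runas_users:
            continue
        # A tag applies to every command after it in the list, and the last
        # matching entry in the file decides, so a later plain rule silently
        # cancels an earlier NOPASSWD one.
        nopasswd = False
        for item in rest.split(","):
            item = item.strip()
            t = TAG.match(item)
            while t:
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
                t = TAG.match(item)
            if _cmd_matches(item, argv):
                verdict = "ok" if nopasswd else "password"
    if requiretty and verdict != "denied":
        return "notty"
    return verdict
```

With the page's own rule devops ALL=(ALL) NOPASSWD: ALL the verdict is ok; with the systemctl/apt/yum list it is denied, because no entry matches /bin/sh, and adding a plain %sudo rule for the same user turns that into password, which is what Ansible reports as "Missing sudo password".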
How to use different passwords per host?
Set ansible_become_password in host_vars/hostname.yml (encrypted with Vault).
Can I avoid storing passwords entirely?
Yes: use SSH key authentication plus NOPASSWD sudo, and no password is needed anywhere. The private key then grants root on every target, so protect it accordingly (passphrase or agent, kept on the control node only).
The Error
fatal: [web1]: FAILED! => {"msg": "Missing sudo password"}
Quick Fixes
Option 1: Prompt at Runtime
ansible-playbook site.yml --ask-become-pass
# or
ansible-playbook site.yml -K
Option 2: Passwordless sudo
# On the remote host, add to /etc/sudoers.d/ansible:
deploy ALL=(ALL) NOPASSWD: ALL
Or with Ansible (bootstrap, run once with -K):
- name: Configure passwordless sudo
  ansible.builtin.copy:
    content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL\n"
    dest: "/etc/sudoers.d/{{ ansible_user }}"
    mode: '0440'
    validate: 'visudo -cf %s'
  become: true
Option 3: Set in Inventory
[all:vars]
ansible_become_password={{ vault_sudo_password }}
Option 4: Set in ansible.cfg
[privilege_escalation]
become = True
become_method = sudo
become_ask_pass = True
Vault-Encrypted Password
# group_vars/all/vault.yml (encrypted)
vault_become_password: "MySudoPassword"
# group_vars/all/main.yml
ansible_become_password: "{{ vault_become_password }}"
Per-Host sudo Password
[webservers]
web1 ansible_become_password="{{ vault_web1_sudo }}"
web2 ansible_become_password="{{ vault_web2_sudo }}"
Selective Privilege Escalation
# Don't use become globally; only where needed
- hosts: all
  tasks:
    - debug: msg="No sudo needed"
    - apt: { name: nginx }
      become: true  # Only this task needs sudo
Troubleshoot
# Check if sudo works manually
ssh deploy@web1 'sudo -n whoami'
# Should output: root
# Check sudoers on remote host
ssh deploy@web1 'sudo -l'
# Verbose Ansible output
ansible web1 -m ping -b -vvv
FAQ
Why does --ask-become-pass ask only once?
Ansible assumes the same sudo password for all hosts. Use per-host ansible_become_password if passwords differ.
Can I use su instead of sudo?
become_method: su
ansible_become_password: "{{ root_password }}"
"sudo: a password is required" vs "Missing sudo password"?
Same issue. Ansible runs sudo with -n when it has no become password; sudo then prints "sudo: a password is required" and exits, and the sudo become plugin recognises that line and reports it as "Missing sudo password". Fix with any option above.
Related Articles
• switching users with Ansible become
• the Ansible inventory deep-dive
• understanding Ansible roles
• Windows fleet automation with Ansible
Watch the video: Ansible Fix 'Missing sudo Password' Error: Become Configuration — Video Tutorial