Ansible Pilot

Mastering Ansible’s “Become” Feature: A Comprehensive Guide

Mastering Privilege Escalation in Ansible: Empowering Secure Automation with the “Become” Feature

August 22, 2023
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

Introduction

Ansible, a cornerstone of modern automation, empowers system administrators with the tools to execute tasks efficiently across distributed environments. One of its notable features is “become,” which facilitates privilege escalation for specific tasks or playbooks. In this article, we’ll explore the various ways to use “become” effectively while adhering to best practices and security considerations.

Understanding Ansible’s “Become”

Privilege escalation allows executing commands or tasks with higher permissions, usually involving switching to a different user, most commonly the superuser (root). Ansible’s “become” feature serves as a pivotal mechanism for handling such elevated operations, enhancing the flexibility and security of automation.

Using Become Directives

You can control privilege escalation using play or task directives, connection variables, or command-line options. Multiple ways of specifying privilege escalation settings exist, and understanding their precedence is crucial.

Putting “Become” into Practice

Let’s explore a few examples of how to use the “become” feature effectively:

  1. Managing a System Service as a Non-Root User: To manage a system service that requires root privileges while connected as a non-root user, use the default value of become_user (root):

     - name: Ensure the httpd service is running
       ansible.builtin.service:
         name: httpd
         state: started
       become: true

  2. Running a Command as a Specific User: To execute a command as a different user, specify the become_user parameter:

     - name: Run a command as the apache user
       ansible.builtin.command: echo "Hello"
       become: true
       become_user: apache

  3. Executing a Command as the "nobody" User: When the target is the "nobody" user and its login shell is set to "nologin", you can supply a usable shell through become_flags:

     - name: Run a command as nobody
       ansible.builtin.command: echo "Hello"
       become: true
       become_method: su
       become_user: nobody
       become_flags: '-s /bin/sh'
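As an added example (not code from the original post), the following playbook combines the directives above in one place: a play-level become default, a task-level become_user override, and a task that opts out of escalation entirely. It assumes an inventory group "webservers" and a vars file group_vars/webservers/vault.yml, encrypted with ansible-vault, that defines ansible_become_password so the sudo password never sits in plain text (passing --ask-become-pass on the command line is the alternative).

```yaml
# Added example: combining become directives at play and task level.
# Assumptions: inventory group "webservers"; ansible_become_password is
# defined in group_vars/webservers/vault.yml (created with
# "ansible-vault encrypt"), so run with: ansible-playbook --ask-vault-pass site.yml
---
- name: Manage httpd with privilege escalation
  hosts: webservers
  become: true          # play-level default: every task escalates ...
  become_method: sudo   # ... via sudo, to the default become_user (root)

  tasks:
    - name: Ensure the httpd service is running (runs as root)
      ansible.builtin.service:
        name: httpd
        state: started

    - name: List the document root as the apache user (task-level become_user override)
      ansible.builtin.command: ls -l /var/www/html
      become_user: apache
      changed_when: false   # read-only check, never report a change

    - name: Read the OS release without escalation (task-level opt-out)
      ansible.builtin.command: cat /etc/os-release
      become: false         # overrides the play-level become: true
      changed_when: false
```

Scoping become_user to the single task that needs it, and disabling become for tasks that do not, keeps each step at the lowest privilege that still works.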

Securing Privilege Escalation

Security is paramount when utilizing privilege escalation. Ansible provides safeguards to manage temporary file permissions when becoming an unprivileged user. This is particularly relevant when both the connection user and the become_user are unprivileged. Ansible employs various methods, such as POSIX ACLs, chown, and chmod +a, to ensure the temporary files remain accessible to the become_user yet protected from others during task execution.

Limitations and Considerations

Network Automation and “Become”

For network automation scenarios, starting from Ansible 2.6, privilege escalation for entering enable mode is supported. It replaces the need for authorize and auth_pass options in a provider dictionary. This privilege escalation method can be employed for specific tasks, entire plays, or all plays.

Passwords for Enable Mode

Entering enable mode often requires a password. This can be provided through the --ask-become-pass command-line option or set using the ansible_become_password connection variable in the Ansible Playbook. It's essential to avoid storing passwords in plain text; use Ansible Vault for encrypted password management instead.

Conclusion

Ansible’s “become” feature significantly enhances automation by enabling tasks to be executed with elevated privileges. By understanding how to use directives, connection variables, and command-line options, you can wield privilege escalation effectively and securely. With these insights and best practices, you’ll be equipped to manage tasks that demand higher permissions while maintaining the integrity of your systems and data.
