What you'll learn
- Playbook: the error and the fix
- Links
- Understanding Ansible Privilege Escalation
- How `become` Works
- Common Privilege Escalation Errors
  - Error 1: Missing sudo password
  - Error 2: User is not in the sudoers file
  - Error 3: Sorry, try again (wrong password)
  - Error 4: sudo: a terminal is required
Today we're going to talk about Ansible troubleshooting, specifically privilege escalation errors.
The error happens when the user Ansible connects with does not have permission to perform the requested operation. The solution is to switch to a user with administrative rights, which in Ansible you do by enabling the `become` setting (in the playbook, in the inventory as `ansible_become`, or on the command line with `-b` / `--become`).
Behind the scenes Ansible connects to the target host as the normal user, switches to the administrative user and then executes the task code.
The default privilege escalation method is `sudo`, but others are available: `su`, `pfexec`, `doas`, `pbrun`, `dzdo` (Centrify), `ksu`, `runas` and `machinectl`, among others.
Links
- [Understanding privilege escalation: become](https://docs.ansible.com/ansible/latest/user_guide/become.html)
## Playbook
The best way to talk about Ansible troubleshooting is to jump into a live Playbook, so let's reproduce the privilege escalation error and then fix it.
**Error:** with `become: false` (also the default when `become` is omitted) the `yum` module runs as the SSH user, who is not allowed to install packages, so the task fails with a permission error.
```yaml
---
- name: yum module Playbook
  hosts: all
  become: false          # every task runs as the connection user
  tasks:
    - name: install package
      yum:                # needs root: package installation writes system files
        name: git
        state: present
```
**Fix:** enable `become` so the same task runs as `root` (the default `become_user`) through `sudo` (the default `become_method`).
```yaml
---
- name: yum module Playbook
  hosts: all
  become: true           # escalate to root (default become_user) via sudo
  tasks:
    - name: install package
      yum:
        name: git
        state: present
```
Now you know better how to troubleshoot the most common Ansible error about privilege escalation.
## Understanding Ansible Privilege Escalation
By default, Ansible connects to managed hosts as a regular user. Many tasks (installing packages, modifying system files, managing services) require **root** or administrative privileges. Ansible's `become` feature handles this.
## How `become` Works
1. Ansible connects over SSH as `remote_user` (or `ansible_user` from the inventory)
2. If `become: true`, it wraps the module command with `become_method` (default: `sudo`)
3. That wrapper switches to `become_user` (default: `root`); if the method asks for a password, it is the one supplied with `-K` or `ansible_become_password`
4. The task executes with the privileges of `become_user`
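The four steps above in one playbook, as an added example that is not part of the original article. It assumes an inventory group `webservers`, a connection user `devops` that may `sudo` to any user (the `ALL=(ALL)` form used later on this page), and a local `postgres` account on the target; all of those names are assumptions.

```yaml
---
# Added example (not from the original article): become at play level, at
# task level with a different target user, and switched off for one task,
# with a whoami check so the effective user is visible for each case.
# Assumptions: inventory group "webservers", SSH user "devops" with an
# ALL=(ALL) sudo rule, and a local "postgres" account on the host.
- name: Demonstrate how become selects the effective user
  hosts: webservers
  remote_user: devops          # step 1: the SSH login user
  become: true                 # step 2: escalate every task in this play
  become_method: sudo          # the default, shown for clarity
  become_user: root            # step 3: the default target user

  tasks:
    - name: Task inherits the play-level become (runs as root)
      ansible.builtin.command: whoami
      register: as_root
      changed_when: false

    - name: Override become_user for one task (sudo -u postgres)
      ansible.builtin.command: whoami
      become_user: postgres
      register: as_postgres
      changed_when: false

    - name: Opt a single task out of escalation (runs as the SSH user)
      ansible.builtin.command: whoami
      become: false
      register: as_devops
      changed_when: false

    - name: Show the effective user for each case
      ansible.builtin.debug:
        msg:
          - "play-level become: {{ as_root.stdout }}"
          - "task-level become_user: {{ as_postgres.stdout }}"
          - "become disabled: {{ as_devops.stdout }}"

    - name: Fail loudly if escalation did not happen as expected
      ansible.builtin.assert:
        that:
          - as_root.stdout == 'root'
          - as_postgres.stdout == 'postgres'
          - as_devops.stdout == 'devops'
        fail_msg: "become did not produce the expected effective user"
```

The same settings can be given per host in the inventory (`ansible_become`, `ansible_become_method`, `ansible_become_user`, `ansible_become_password`) or on the command line (`-b`, `--become-user`). Two caveats: `become_user: postgres` only works if the sudoers rule for `devops` allows running as that user (`(ALL)` does, `(root)` does not), and when the target user is unprivileged Ansible has to hand its module files from `devops` to that user; if it reports that it failed to set permissions on the temporary files, enable `pipelining = True` in `ansible.cfg` or install the `acl` package on the target.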
## Common Privilege Escalation Errors
### Error 1: Missing sudo password
```
fatal: [server]: FAILED! => {"msg": "Missing sudo password"}
```
**Fix (provide the password):**
```bash
# Interactive prompt for the become password
ansible-playbook playbook.yml --ask-become-pass
# Or use the -K shorthand
ansible-playbook playbook.yml -K
```
For unattended runs, set `ansible_become_password` as an inventory or group variable and keep it encrypted with Ansible Vault rather than in plain text.
**Fix (passwordless sudo, common for automation):**
```bash
# On the target host: write the rule to a temporary file, let visudo check it,
# then install it as /etc/sudoers.d/ansible. A syntax error in sudoers.d makes
# sudo refuse to run for everyone on the host, so never write the file blind.
echo "devops ALL=(ALL) NOPASSWD: ALL" > /tmp/ansible.sudoers
sudo visudo -cf /tmp/ansible.sudoers
sudo install -o root -g root -m 440 /tmp/ansible.sudoers /etc/sudoers.d/ansible
```
Be aware of what this grants: `NOPASSWD: ALL` makes the SSH key of `devops` root-equivalent, and the rule cannot be narrowed to individual commands such as `yum` because Ansible runs its modules through a shell wrapper under `sudo`. Protect that key accordingly, or keep a become password and supply it from Ansible Vault.
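The same drop-in written from Ansible, as an added example that is not from the original article: the file is checked by `visudo` before it replaces anything, and the play verifies the result. It assumes the connection user `devops`, `visudo` at `/usr/sbin/visudo`, and that the first run is started with `-K` because the rule does not exist yet.

```yaml
---
# Added example (not from the original article): install the passwordless
# sudo drop-in from a playbook, validated with visudo so a malformed file can
# never break sudo on the host. Assumptions: connection user "devops",
# visudo at /usr/sbin/visudo, first run done with -K (rule not yet present).
- name: Grant the Ansible connection user passwordless sudo
  hosts: all
  become: true

  vars:
    automation_user: devops

  tasks:
    - name: Install /etc/sudoers.d/ansible only if visudo accepts it
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        # Root-equivalent grant: Ansible escalates through "sudo ... /bin/sh -c",
        # so the rule cannot be limited to specific commands. Treat the SSH key
        # of this account as a root credential.
        content: "{{ automation_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # a rejected file never reaches sudoers.d

    - name: Verify sudo now succeeds non-interactively for the automation user
      ansible.builtin.command: sudo -n true
      become: false          # run as the SSH user, not as root
      changed_when: false
```

Run it once with `ansible-playbook sudoers.yml -K`; every later run, and every other playbook using `become: true`, then works without a password prompt. The final task uses `sudo -n`, which fails instead of hanging if a password would still be required.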
### Error 2: User is not in the sudoers file
```
fatal: [server]: FAILED! => {"msg": "devops is not in the sudoers file. This incident will be reported."}
```
**Fix:**
```bash
# As root on the target host; the new group applies to new SSH sessions
usermod -aG wheel devops   # RHEL/CentOS/Fedora (%wheel is enabled in /etc/sudoers)
usermod -aG sudo devops    # Ubuntu/Debian
sudo -l -U devops          # list what devops is now allowed to run
```
### Error 3: Sorry, try again (wrong password)
```
fatal: [server]: FAILED! => {"msg": "Incorrect sudo password"}
```
**Fix:** Verify the password is correct. If using Ansible Vault:
```yaml
# group_vars/all/vault.yml (encrypted)
an