Ansible Privilege Escalation Errors: Troubleshoot become & sudo — Video Tutorial

Today we're going to talk about Ansible troubleshooting and specifically about privilege escalation errors. I'm Luca Berton and welcome to today's episode of Ansible Pilot. It happens when the connection user Ansible doesn't have the permission to perform the operation. The solution is simply to switch to the user with administrative rights. In Ansible you perform this operation enabling the `become` statement. Behind the scenes Ansible is connecting to the target host using the normal user, switching to the administrative user and then executing the playbook code. The standard privilege escalation method is `sudo` but more are available for example `su`, `pfexec`, `doas`, `pbrun`, `dzdo`, `ksu`, `runas`, `machinectl`, Centrify, etc. Links - [Understanding privilege escalation: become](https://docs.ansible.com/ansible/latest/user_guide/become.html) ## Playbook The best way of talking about Ansible troubleshooting is to jump in a live Playbook to show you practically the privilege escalation error and how to solve it! error ```yaml --- - name: yum module Playbook hosts: all become: false tasks: - name: install package yum: name: git state: present ``` fix ```yaml --- - name: yum module Playbook hosts: all become: true tasks: - name: install package yum: name: git state: present ``` Now you know better how to troubleshoot the most common Ansible error about privilege escalation. Understanding Ansible Privilege Escalation By default, Ansible connects to managed hosts as a regular user. Many tasks (installing packages, modifying system files, managing services) require **root** or administrative privileges. Ansible's `become` feature handles this. How `become` Works 1. Ansible connects via SSH as `remote_user` 2. If `become: true`, it escalates privileges using `become_method` (default: `sudo`) 3. It switches to `become_user` (default: `root`) 4. The task executes with elevated privileges Common Privilege Escalation Errors Error 1: Missing sudo password ``` fatal: [server]: FAILED! => {"msg": "Missing sudo password"} ``` **Fix — provide the password:** ```bash Interactive prompt ansible-playbook playbook.yml --ask-become-pass Or use -K shorthand ansible-playbook playbook.yml -K ``` **Fix — passwordless sudo (recommended for automation):** ```bash On the target host, add to /etc/sudoers.d/ansible echo "devops ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/ansible sudo chmod 440 /etc/sudoers.d/ansible ``` Error 2: User is not in the sudoers file ``` fatal: [server]: FAILED! => {"msg": "devops is not in the sudoers file. This incident will be reported."} ``` **Fix:** ```bash As root on the target host usermod -aG wheel devops # RHEL/CentOS/Fedora usermod -aG sudo devops # Ubuntu/Debian ``` Error 3: Sorry, try again (wrong password) ``` fatal: [server]: FAILED! => {"msg": "Incorrect sudo password"} ``` **Fix:** Verify the password is correct. If usin