On Tuesday, March 13, 2018 at 1:42:19 PM UTC-4, Patrick Hunt wrote:
> Good catch.  You're correct, it is possible, I was mistaken.  Practically 
> is it possible to be able to provide multiple sets of credentials for your 
> example?  I've always done a work around, such as I listed in the other 
> comment, since I can pass my current logon (-k) username/password, and can 
> pass 1 set of become credentials (-K), but not a 2nd or 3rd set of become 
> credentials.

Well, one of the advantages of sudo as a privilege escalation method is 
that there aren't separate sets of credentials for each escalation target, 
you just have to be permitted to run things as the users in question.

But, yes, it is possible to provide different credentials. It's easiest to 
do this non-interactively using a Vault-encrypted variable or another 
secret lookup method, but there are various ways to make it interactive.

- hosts: localhost
  become: true
    - command: whoami
      become_method: su
      become_user: flowerysong
        ansible_become_pass: "{{ user_passwords.flowerysong }}"
    - command: whoami

TASK [command] 
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": 
"0:00:00.002181", "end": "2018-03-13 15:15:47.586117", "rc": 0, "start": 
"2018-03-13 15:15:47.583936", "stderr": "", "stderr_lines": [], "stdout": 
"flowerysong", "stdout_lines": ["flowerysong"]}

TASK [command] 
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": 
"0:00:00.002159", "end": "2018-03-13 15:15:47.717122", "rc": 0, "start": 
"2018-03-13 15:15:47.714963", "stderr": "", "stderr_lines": [], "stdout": 
"root", "stdout_lines": ["root"]}

You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to