The "become" bits have to do with privilege escalation for Ansible tasks 
that run on the target hosts.
Including/importing vars and friends happen on the Ansible controller, not 
the target hosts.
It doesn't matter that your target host and your Ansible controller are the 
same host. Controller bits aren't privilege escalated.

On Thursday, March 17, 2022 at 12:19:21 PM UTC-4 actionm...@gmail.com wrote:

> Let's suppose I run a playbook as a non-root user and one task needs to 
> include a vars file with only root permissions.
> The ansible.builtin.include_vars official doc 
> <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/include_vars_module.html#attributes>
> states that: the 'become' attribute is not supported but "Is usable 
> alongside become keywords", which seems to contradict the fact that it is 
> unsupported.
> I tried to use the become vars but that does not work either:
>         - name: Including vars issue
>           hosts: all
>           gather_facts: false
>           tasks:
>                 - name: Creating a file with root-only permissions 
>                   vars:
>                         ansible_become: yes
>                         ansible_become_method: sudo
>                         ansible_become_user: root
>                   file:
>                         group: 'root'
>                         mode: '0640'
>                         owner: 'root'
>                         path: "../files/restricted_file"
>                         state: touch
>
>                 - name: Including vars with root-only permissions
>                   vars:
>                         ansible_become: yes
>                         ansible_become_method: sudo
>                         ansible_become_user: root
>                   include_vars: "../files/restricted_file"
>                   ignore_errors: true
>
>                 - name: Including vars with non-root user permissions
>                   vars:
>                         ansible_become: yes
>                         ansible_become_method: sudo
>                         ansible_become_user: admin
>                   include_vars: "../files/capabilities.json"
> leads to:
>          ___________________________________________________
>         < TASK [Creating a file with root-only permissions] >
>          ---------------------------------------------------
>                 \   ^__^
>                  \  (oo)\_______
>                     (__)\       )\/\
>                         ||----w |
>                         ||     ||
>
>         changed: [localhost] => changed=true 
>           dest: ../files/restricted_file
>           gid: 0
>           group: root
>           mode: '0640'
>           owner: root
>           size: 0
>           state: file
>           uid: 0
>          __________________________________________________
>         < TASK [Including vars with root-only permissions] >
>          --------------------------------------------------
>                 \   ^__^
>                  \  (oo)\_______
>                     (__)\       )\/\
>                         ||----w |
>                         ||     ||
>
>         fatal: [localhost]: FAILED! => changed=false 
>           ansible_facts: {}
>           ansible_included_var_files: []
>           message: 'an error occurred while trying to read the file 
> ''playbooks/issues/../files/restricted_file'': [Errno 13] Permission 
> denied: b''playbooks/files/restricted_file''. [Errno 13] Permission denied: 
> b''playbooks/files/restricted_file'''
>         ...ignoring
>          ______________________________________________________
>         < TASK [Including vars with non-root user permissions] >
>          ------------------------------------------------------
>                 \   ^__^
>                  \  (oo)\_______
>                     (__)\       )\/\
>                         ||----w |
>                         ||     ||
>
>         ok: [localhost] => changed=false 
>         ...
>
> I'm probably missing something here; how can we work around this 
> limitation?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/14852ec2-9325-429b-b82e-fcceb24b35b5n%40googlegroups.com.
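An added example (not from either poster) of the split the reply describes: the root-only file is read on the target with a task that honours become, and only the already-fetched content is turned into variables on the controller. The path /etc/myapp/restricted_vars.yml and the key layout are assumptions.

```yaml
# Added example, not part of the thread. Assumes the root-only vars file
# lives at /etc/myapp/restricted_vars.yml ON THE TARGET (hypothetical path);
# note the difference from the original playbook, where include_vars resolved
# "../files/restricted_file" relative to the playbook on the controller.
- name: Load a root-only vars file without relying on become for include_vars
  hosts: all
  gather_facts: false
  tasks:
    # Executed on the target host, so become applies: the read happens as root.
    - name: Read the restricted vars file on the target
      become: true
      become_user: root
      ansible.builtin.slurp:
        src: /etc/myapp/restricted_vars.yml
      register: restricted_raw
      no_log: true   # keeps the base64 file body out of the play output

    # Evaluated on the controller, where become never applies and is not
    # needed: the content already arrived in the task result.
    - name: Turn the slurped content into variables
      ansible.builtin.set_fact:
        restricted: "{{ restricted_raw.content | b64decode | from_yaml }}"
      no_log: true   # the decoded values may be secrets

    - name: Use a value from the restricted file
      ansible.builtin.debug:
        msg: "Loaded {{ restricted | length }} top-level keys from the restricted file"
```

The same pattern works for a JSON file by swapping from_yaml for from_json; either way the file permissions are checked on the target as the become user, which is the behaviour the original include_vars attempt could not get.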
