Ansible Tower: Manage Nodes as a Non-Root User


    Ansible Tower: Manage Nodes as a Non-Root User

    In this video I set up a non-root user to manage nodes and escalate privileges via Sudo.

    1) Add a user to your managed nodes (‘ansible’ user in this case)

    1a) Create an Ansible hosts file with one server on each line (or IP):

    1b) Create a text file containing the password you want this user to have, on a single line.

    1c) Create a shell script that will read both of the above files, loop through the hosts, create the ansible user, and add them to the Sudo group.

    user=root # logging into each host as root user
    password=$(cat ansible_node_password.txt) # reading password from 1b
    opensslPw=$(openssl passwd -1 $password) #creating hashed value for useradd
    # creating the ansible user and adding them to the wheel (sudo) group
    commands=”useradd -p ‘$opensslPw’ ansible; usermod -aG wheel ansible
    # looping through each host
    for host in $(cat ansible_hosts.txt); do
    # connecting to each host with ssh and running the commands
    ssh -l $user $host $commands

    # note, you will have to enter the root password of your managed nodes for this
    # you can also set ssh public key authentication on your nodes to not use a password

    2) With the ansible user created on the managed nodes, create a ‘Credential’ in Ansible Tower.

    2a) Credential Type is ‘Machine’ and you enter the USERNAME, PASSWORD, and PRIVILEGE ESCALATION PASSWORD.
    2b) Also set the PRIVILEGE ESCALATION METHOD to ‘sudo’.

    3) Add ‘become: yes’ to the appropriate location in your playbook.
    3a) See the Ansble documentation for more details:

    4) Update the job template in the Templates section and change CREDENTIALS to the one you just created.

    5) The playbook should be good to run as a non-root user.


    Previous articleZABBIX – How To Close Problem
    Next articlePipeline Devops – 1.40. ANSIBLE : playbook et rôles


    1. Hello, great video it is quite useful, but I have a serious problem.
      I need to lunch a playbook that will do security updates on more than 100 linux servers with all different passwords, that's were it gets tricky : I do not want to interact with anything once I started the job.
      I've been looking into this for many days now but can seem to find anything.
      Hope you might have some clues to my dilemma.