Ansible Tower: Manage Nodes as a Non-Root User

Ansible Tower: Manage Nodes as a Non-Root User

In this video I set up a non-root user to manage nodes and escalate privileges via Sudo.

1) Add a user to your managed nodes (‘ansible’ user in this case)

1a) Create an Ansible hosts file with one server on each line (or IP):
srv01
srv02

1b) Create a text file containing the password you want this user to have, on a single line.

1c) Create a shell script that will read both of the above files, loop through the hosts, create the ansible user, and add them to the Sudo group.

user=root # logging into each host as root user
password=$(cat ansible_node_password.txt) # reading password from 1b
opensslPw=$(openssl passwd -1 $password) #creating hashed value for useradd
# creating the ansible user and adding them to the wheel (sudo) group
commands=”useradd -p ‘$opensslPw’ ansible; usermod -aG wheel ansible”
# looping through each host
for host in $(cat ansible_hosts.txt); do
# connecting to each host with ssh and running the commands
ssh -l $user $host $commands
done

# note, you will have to enter the root password of your managed nodes for this
# you can also set ssh public key authentication on your nodes to not use a password

2) With the ansible user created on the managed nodes, create a ‘Credential’ in Ansible Tower.

2a) Credential Type is ‘Machine’ and you enter the USERNAME, PASSWORD, and PRIVILEGE ESCALATION PASSWORD.
2b) Also set the PRIVILEGE ESCALATION METHOD to ‘sudo’.

3) Add ‘become: yes’ to the appropriate location in your playbook.
3a) See the Ansble documentation for more details:
https://docs.ansible.com/ansible/latest/user_guide/become.html

4) Update the job template in the Templates section and change CREDENTIALS to the one you just created.

5) The playbook should be good to run as a non-root user.

source