DevOpsil
Ansible
85%
Needs Review

Fix Ansible 'Permission Denied' on Become (Sudo)

Zara BlackwoodZara Blackwood4 min read

The Error: Permission Denied on Become

Your Ansible playbook fails when trying to use become: true:

fatal: [web-server-01]: FAILED! => {
    "msg": "Missing sudo password"
}

Or:

fatal: [web-server-01]: FAILED! => {
    "msg": "Incorrect sudo password"
}

Or the more cryptic:

fatal: [web-server-01]: FAILED! => {
    "msg": "Failed to set permissions on the temporary files Ansible
    needs to create when becoming an unprivileged user"
}

Ansible connects via SSH successfully but cannot escalate privileges to root (or another user) using sudo.

Root Cause

Ansible's become directive runs tasks as a different user, typically root via sudo. The failure happens because:

  1. Sudo requires a password but Ansible was not given one
  2. The user is not in sudoers or sudoers syntax is incorrect
  3. requiretty is set in sudoers — blocks non-interactive sudo
  4. The become password is wrong — typo or expired password
  5. Sudo is not installed — minimal container or cloud images may lack it

Step-by-Step Fix

1. Provide the sudo password to Ansible

If the remote user requires a password for sudo:

# Prompt for the password at runtime
ansible-playbook site.yml --ask-become-pass

# Or set it in inventory (encrypted with Ansible Vault)
ansible-vault encrypt_string 'the-sudo-password' --name 'ansible_become_password'

Add the encrypted variable to your inventory or group_vars:

# group_vars/all.yml
ansible_become_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768...

2. Configure passwordless sudo on the target

The preferred approach is to allow the deploy user to sudo without a password:

# On the target server
sudo visudo -f /etc/sudoers.d/deploy

Add:

deploy ALL=(ALL) NOPASSWD: ALL

Verify the file has correct permissions:

sudo chmod 440 /etc/sudoers.d/deploy
sudo visudo -c  # Validate syntax

Or use Ansible itself to bootstrap this (with --ask-become-pass the first time):

- name: Configure passwordless sudo
  hosts: all
  become: true
  tasks:
    - name: Add deploy user to sudoers
      copy:
        content: "deploy ALL=(ALL) NOPASSWD: ALL\n"
        dest: /etc/sudoers.d/deploy
        mode: '0440'
        validate: 'visudo -cf %s'

3. Disable requiretty in sudoers

Some distributions (notably older RHEL/CentOS) set requiretty by default:

# Check if requiretty is set
sudo grep requiretty /etc/sudoers

If you see Defaults requiretty, override it for the deploy user:

# /etc/sudoers.d/deploy
Defaults:deploy !requiretty
deploy ALL=(ALL) NOPASSWD: ALL

Or in Ansible, use pipelining which avoids the tty requirement:

# ansible.cfg
[ssh_connection]
pipelining = True

4. Fix become configuration in Ansible

Verify your playbook and ansible.cfg have correct become settings:

# In the playbook
- hosts: webservers
  become: true
  become_method: sudo     # default; also supports: su, pbrun, pfexec, doas
  become_user: root       # default
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: present
# ansible.cfg
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False

5. Fix the temporary file permission error

The error about "temporary files" occurs when becoming an unprivileged user (not root):

- name: Run as appuser
  command: whoami
  become: true
  become_user: appuser    # Non-root user

Fix by enabling pipelining or setting allow_world_readable_tmpfiles:

# ansible.cfg
[defaults]
allow_world_readable_tmpfiles = True   # Less secure but fixes the issue

# Better approach: use pipelining
[ssh_connection]
pipelining = True

Or ensure the become user's home directory and /tmp have correct ACL support:

# On the target
sudo setfacl -m u:appuser:rwx /tmp/.ansible/tmp 2>/dev/null || true

6. Verify sudo works manually

# SSH to the target and test
ssh [email protected]
sudo -l
# Should list allowed commands

sudo whoami
# Should output: root

If sudo -l fails, the problem is on the target's sudoers configuration, not Ansible.

Prevention Tips

  • Use passwordless sudo for automation accounts — store human passwords in Vault but automate with NOPASSWD.
  • Always validate sudoers syntax before saving — a syntax error in sudoers locks out sudo entirely. Use visudo -cf or Ansible's validate parameter.
  • Enable pipelining in ansible.cfg — it reduces the number of SSH sessions, avoids tty issues, and speeds up execution.
  • Use a dedicated automation user (e.g., ansible or deploy) with limited sudoers scope rather than giving NOPASSWD to a personal account.
  • Test privilege escalation with ansible all -m command -a 'whoami' --become before running full playbooks.
Share:

Was this article helpful?

Zara Blackwood
Zara Blackwood

Platform Engineer

Terraform enthusiast, platform builder, DRY advocate. I believe infrastructure should be versioned, reviewed, and deployed like any other code. GitOps or bust.

Related Articles

More in Ansible

View all →

Discussion