Fix Ansible 'Permission Denied' on Become (Sudo)
The Error: Permission Denied on Become
Your Ansible playbook fails when trying to use become: true:
fatal: [web-server-01]: FAILED! => {
"msg": "Missing sudo password"
}
Or:
fatal: [web-server-01]: FAILED! => {
"msg": "Incorrect sudo password"
}
Or the more cryptic:
fatal: [web-server-01]: FAILED! => {
"msg": "Failed to set permissions on the temporary files Ansible
needs to create when becoming an unprivileged user"
}
Ansible connects via SSH successfully but cannot escalate privileges to root (or another user) using sudo.
Root Cause
Ansible's become directive runs tasks as a different user, typically root via sudo. The failure happens because:
- Sudo requires a password but Ansible was not given one
- The user is not in sudoers or sudoers syntax is incorrect
requirettyis set in sudoers — blocks non-interactive sudo- The become password is wrong — typo or expired password
- Sudo is not installed — minimal container or cloud images may lack it
Step-by-Step Fix
1. Provide the sudo password to Ansible
If the remote user requires a password for sudo:
# Prompt for the password at runtime
ansible-playbook site.yml --ask-become-pass
# Or set it in inventory (encrypted with Ansible Vault)
ansible-vault encrypt_string 'the-sudo-password' --name 'ansible_become_password'
Add the encrypted variable to your inventory or group_vars:
# group_vars/all.yml
ansible_become_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
6162636465666768...
2. Configure passwordless sudo on the target
The preferred approach is to allow the deploy user to sudo without a password:
# On the target server
sudo visudo -f /etc/sudoers.d/deploy
Add:
deploy ALL=(ALL) NOPASSWD: ALL
Verify the file has correct permissions:
sudo chmod 440 /etc/sudoers.d/deploy
sudo visudo -c # Validate syntax
Or use Ansible itself to bootstrap this (with --ask-become-pass the first time):
- name: Configure passwordless sudo
hosts: all
become: true
tasks:
- name: Add deploy user to sudoers
copy:
content: "deploy ALL=(ALL) NOPASSWD: ALL\n"
dest: /etc/sudoers.d/deploy
mode: '0440'
validate: 'visudo -cf %s'
3. Disable requiretty in sudoers
Some distributions (notably older RHEL/CentOS) set requiretty by default:
# Check if requiretty is set
sudo grep requiretty /etc/sudoers
If you see Defaults requiretty, override it for the deploy user:
# /etc/sudoers.d/deploy
Defaults:deploy !requiretty
deploy ALL=(ALL) NOPASSWD: ALL
Or in Ansible, use pipelining which avoids the tty requirement:
# ansible.cfg
[ssh_connection]
pipelining = True
4. Fix become configuration in Ansible
Verify your playbook and ansible.cfg have correct become settings:
# In the playbook
- hosts: webservers
become: true
become_method: sudo # default; also supports: su, pbrun, pfexec, doas
become_user: root # default
tasks:
- name: Install nginx
apt:
name: nginx
state: present
# ansible.cfg
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
5. Fix the temporary file permission error
The error about "temporary files" occurs when becoming an unprivileged user (not root):
- name: Run as appuser
command: whoami
become: true
become_user: appuser # Non-root user
Fix by enabling pipelining or setting allow_world_readable_tmpfiles:
# ansible.cfg
[defaults]
allow_world_readable_tmpfiles = True # Less secure but fixes the issue
# Better approach: use pipelining
[ssh_connection]
pipelining = True
Or ensure the become user's home directory and /tmp have correct ACL support:
# On the target
sudo setfacl -m u:appuser:rwx /tmp/.ansible/tmp 2>/dev/null || true
6. Verify sudo works manually
# SSH to the target and test
ssh [email protected]
sudo -l
# Should list allowed commands
sudo whoami
# Should output: root
If sudo -l fails, the problem is on the target's sudoers configuration, not Ansible.
Prevention Tips
- Use passwordless sudo for automation accounts — store human passwords in Vault but automate with NOPASSWD.
- Always validate sudoers syntax before saving — a syntax error in sudoers locks out sudo entirely. Use
visudo -cfor Ansible'svalidateparameter. - Enable pipelining in
ansible.cfg— it reduces the number of SSH sessions, avoids tty issues, and speeds up execution. - Use a dedicated automation user (e.g.,
ansibleordeploy) with limited sudoers scope rather than giving NOPASSWD to a personal account. - Test privilege escalation with
ansible all -m command -a 'whoami' --becomebefore running full playbooks.
Was this article helpful?
Platform Engineer
Terraform enthusiast, platform builder, DRY advocate. I believe infrastructure should be versioned, reviewed, and deployed like any other code. GitOps or bust.
Related Articles
Fix Ansible 'Unreachable' Host Errors
Resolve Ansible unreachable host failures — diagnose SSH connectivity, key auth, Python interpreter, and timeout issues.
Ansible Custom Filters: Transforming Data In Jinja2 Templates
If you've spent any serious time with Ansible, you've probably hit the wall where the built-in Jinja2 filters just don't cut it anymore. You're wrestling w...
Ansible Handlers: Triggering Service Restarts Only When Configuration Changes
If you've spent any time managing infrastructure with Ansible, you've probably run into this scenario: you're deploying a configuration change to nginx acr...
Ansible Tags: Selective Task Execution For Faster Deployments
If you've ever run a full Ansible playbook just to push a single config change and watched it grind through 47 tasks before touching the one you care about...
Ansible Dynamic Inventory: Automating Cloud Infrastructure
Use dynamic inventories to automatically discover and manage cloud infrastructure — AWS EC2, Azure VMs, and GCP instances with Ansible inventory plugins.
Ansible Fundamentals: Your First Playbook to Production
Learn Ansible from scratch — install Ansible, write your first playbook, understand modules, manage inventories, and automate server configuration.
More in Ansible
View all →Ansible Roles and Galaxy: Structuring Automation at Scale
Structure your Ansible automation with roles for reusability. Learn role directory structure, Galaxy usage, dependencies, and testing with Molecule.
Ansible Vault: Encrypting Secrets in Your Automation
Encrypt sensitive data with Ansible Vault — encrypt files, inline variables, multi-password setups, and integrate with external secret managers like HashiCorp Vault.