How to Use Ansible Without Root Access: Ultimate Guide

Last updated on September 6th, 2024 at 10:17 am

Managing systems with Ansible often requires root privileges, but in some situations, such as working in a shared environment, under a strict policy, or following best practice, you might want to run Ansible without root access.

In this guide, you will learn how to use Ansible effectively without root privileges: configuration, best practices, common issues, and troubleshooting tips.

Introduction to Ansible Without Root

What Does It Mean to Run Ansible Without Root?

Integrating Ansible with Infrastructure as Code (IaC) tools like Terraform enhances automation and management.

Usually, managing a system with Ansible involves root privileges to install packages and configure them.

But what does it mean when we say run Ansible without root?

In simple words, running Ansible without root access means executing a playbook or interactive ad-hoc commands on a target remote system as a non-root user.

Running Ansible as non-root requires specific configuration and the necessary permissions so that tasks that need root privileges can still be performed.

But before that, let’s understand why you might need Ansible without root privileges.

Why Would You Need to Use Ansible Without Root Privileges?

There are some reasons to avoid running Ansible as a root user:

Security:

Reduced Attack Surface: Limiting root access makes it harder for an attacker to gain control of system functions.

Misconfigurations: Running Ansible as a non-root user reduces the potential for misconfiguration and limits its scope to that non-root user.

Compliance:

Security Policies: Adhere to strict regulations that restrict root access to ensure the integrity of sensitive data.

Account Audits: Changes are easier to track and audit. Non-root actions are logged with verbose details.

Collaboration:

Reduced Human Error: In a shared environment, one user’s mistake can affect the entire system; limiting root access protects the overall system from such changes.

Improved Access Control: Assign different levels of access control without affecting other parts of the system.

Running as root can be a greater risk for the overall security and integrity of the system. Let’s learn about the prerequisites and configuration for Ansible.

Prerequisites for Running Ansible Without Root

Necessary Permissions and Access Levels

Before moving forward into configuration, ensure the non-root user has the necessary permissions:

SSH Access: The user must have SSH access to the remote systems.

Sudo Access: Configure sudo permissions to allow the user to execute specific commands without a password.

Here is an example sudoers configuration:

Bash
nonrootuser ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/yum

This configuration grants the user nonrootuser the ability to run apt-get and yum without a password.

Configuring Sudo for Non-Root Users

To avoid a password prompt during Ansible playbook execution, you can configure sudo accordingly:

  1. Edit the sudoers file using visudo
  2. Add a line similar to the following:
Bash
nonrootuser ALL=(ALL) NOPASSWD: ALL

Configuring Ansible to Work Without Root Access

Adjusting the Ansible Inventory File

The inventory file defines the hosts and user accounts Ansible will manage.

Ensure the ansible_user parameter is set to the non-root user:

Bash
[nginx-webserver]
192.168.1.10 ansible_user=nonrootuser

Using become and become_user Parameters

Ansible provides the become directive to execute tasks with different privileges.

Here’s how to use it in your playbooks:

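Bash
- hosts: nginx-webserver    # must match the group name in the inventory
  become: true
  become_user: root         # package installation needs root (this is the default)
  tasks:
    - name: Install Nginx
      apt:
        name: nginx
        state: present

This playbook connects as nonrootuser and installs Nginx through sudo, without requiring a direct root login.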

How to Run Ansible Playbooks Without Root Privileges

To run a playbook without root privileges, you must explicitly set the user and avoid tasks that require root access.

Bash
ansible-playbook -i inventory playbook.yml --ask-become-pass

This command will prompt for the sudo password if required but can be configured to skip it with NOPASSWD in the sudoers file.

So far we’ve learned how to use non-root access with ad-hoc commands and with Ansible playbooks. Let’s look at some best practices.

Best Practices for Ansible Non-Root Configuration

Minimizing Security Risks

When you run Ansible without root, follow these best practices:

Limit Sudo Permissions: Only grant the necessary permissions to the non-root user.

Use Ansible Vault: Encrypt sensitive data like passwords or API keys using Ansible Vault.

Audit Configurations: Regularly audit your sudoers file and user permissions.
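
The sudoers audit recommended above, sketched as an added example (not code from the original guide): it classifies each user rule, using the two nonrootuser rules from this guide plus a constructed `deploy` rule as sample input. Ansible's documentation states that become cannot be limited to specific commands, so command-restricted rules are flagged as unusable for become; the parser is simplified, and `audit_sudoers` and the verdict names are chosen for this example.

```python
import re

# Constructed sample: the two rules shown in this guide plus a password-gated one.
SAMPLE_SUDOERS = """\
Defaults env_reset
# Ansible service account
nonrootuser ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/yum
nonrootuser ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) ALL
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV))\s*:\s*")

NOTES = {
    "passwordless-all": "every command, no password; with (ALL) or root this is root-equivalent",
    "password-gated-all": "usable by become together with --ask-become-pass",
    "command-restricted": "will not match Ansible become, which runs modules via a shell",
}

def audit_sudoers(text):
    """Classify user rules. Simplified parser: no aliases, includes or line
    continuations, and tags are read only at the start of the command list."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        cmds = [c.strip() for c in rest.split(",")]
        if "ALL" not in cmds:
            verdict = "command-restricted"
        elif "NOPASSWD" in tags:
            verdict = "passwordless-all"
        else:
            verdict = "password-gated-all"
        findings.append((lineno, m["who"], verdict, cmds))
    return findings

if __name__ == "__main__":
    for lineno, who, verdict, cmds in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who}: {verdict} ({NOTES[verdict]})")
```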

Managing Playbook Execution Privileges

Carefully design & review your playbooks to ensure they only require necessary privileges. For example:

  • Use become: true only when necessary.
  • Break down playbooks into small tasks that don’t require elevated privileges.

Common Pitfalls and How to Avoid Them

Permission Issues: Ensure the non-root user has access to all required files and directories to avoid issues.

Missed sudo configurations: Double-check the sudoers file to prevent unnecessary password prompts and misconfiguration.

Troubleshooting Common Issues

Permission Denied Errors

Permission denied is the most common error. If you face permission denied errors, verify that the non-root user has the appropriate permissions.

You can easily check the file permissions with:

Bash
ls -l /path/to/file

Ensure the file permissions allow access for the user.
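
`ls -l` shows only the file's own mode, while a permission-denied error often comes from a parent directory the user cannot traverse. The following added example (not from the original guide) checks every path component for a given uid and set of groups; `first_blocker` and `demo` are names chosen here, the tree is constructed in a temporary directory, and only classic mode bits are evaluated (no ACLs or SELinux).

```python
import os
import tempfile

def _chain(path, start):
    """Components from `start` down to `path`, both already resolved."""
    chain = [path]
    while chain[-1] != start and os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    return chain[::-1]

def first_blocker(path, uid, gids, start="/"):
    """Return (component, missing_bit) for the first component whose mode bits
    deny uid/gids, or None when the whole chain allows reading `path`.
    Assumes a non-root uid; root bypasses these checks."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    chain = _chain(path, start)
    for comp in chain:
        st = os.stat(comp)
        if uid == st.st_uid:
            bits = (st.st_mode >> 6) & 7      # owner class
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7      # group class
        else:
            bits = st.st_mode & 7             # other class
        # Intermediate directories need search (x = 1); the target needs read (r = 4).
        need, name = (4, "r") if comp == chain[-1] else (1, "x")
        if not bits & need:
            return comp, name
    return None

def demo():
    """Constructed tree: base/ (0755) -> private/ (0700) -> app.conf (0644)."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    private = os.path.join(base, "private")
    os.mkdir(private, 0o700)
    target = os.path.join(private, "app.conf")
    open(target, "w").close()
    os.chmod(target, 0o644)
    st = os.stat(private)
    other = (st.st_uid + 1, {st.st_gid + 1})  # neither the owner nor in the group
    before = first_blocker(target, *other, start=base)
    os.chmod(private, 0o755)                  # open the directory for traversal
    after = first_blocker(target, *other, start=base)
    return private, before, after

if __name__ == "__main__":
    print(demo())
```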

Sudo Password Prompts

If running the Ansible command or playbook asks for a sudo password, and you want to avoid this, ensure NOPASSWD is correctly set in the sudoers file:

Bash
nonrootuser ALL=(ALL) NOPASSWD: ALL

Handling Specific Tasks Without Root Access

Some tasks require root access. In such cases, consider:

  • Using become selectively for those specific tasks.
  • Pre-configuring the environment to avoid root-requiring operations during playbook execution.

Conclusion

Running Ansible without root access is not only possible but can be the best security practice. By carefully configuring Ansible and managing permissions, you can maintain security and flexibility in your automation tasks.

Remember, while non-root execution is powerful, there are times when root access is required—plan your playbooks accordingly to avoid potential issues.

Kashyap Merai

Kashyap Merai is a Certified Solution Architect and Public Cloud Specialist with over 7 years in IT. He helped startups in Real Estate, Media Streaming, and On-Demand industries launch successful public cloud projects.

Passionate about Space, Science, and Computers, he also mentors aspiring cloud engineers, shaping the industry's future.
