I'd like to run ansible such that:
remote user is 'normal' user
... who
becomes root viasudoto run a bunch of tasks... who '
becomes postgres user viasu - postgres, from root, to create a PostgreSQL database.
This is typical procedure for PostgreSQL world: a special user accessible only via su from root.
Specifying become-ish parameters in a play works only when connecting as root, as the CLI options override whatever is defined in a play.
Are there more elegant ways to achieve this other than adding sudo rules or running
command: /usr/bin/su - postgres -c '/bin/createuser -D -R -S myuser
from ansible, telling it to shut the warnings up?
Why would you have to change effective users twice?
You can specify the effective user ID that ansible needs to run as per task, so when you need to run a command as the postgres user, set that directly.
Frequently when a user gets
sudopermissions to becomerootthey already getALLand become any user, including postgres.Alternative, create an additional sudo permission such that your ansible user can execute (specific) commands as the postgres user.
Note: Consider using the Ansible Postgres database modules to manage your databases, roles and permissions.
In response to your comment: I connect with Ansible as a regular user:
I have a fairly typical "
/etc/sudoers.d/hbruijn" snippet that doesn't place any restrictions on what I (my Ansible user) can do:And then I can
becomeany user to execute commands under a different user ID and task without calling onsudoorsufirst:or:
all without Ansible connecting directly as the superuser.