The following example ansible.cfg illustrates this explanation.
[defaults]
remote_user = myuser
inventory = inventory

[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
The [defaults] section sets the DEFAULT user and hosts (inventory) that are used when an ansible command is executed. So, if the following command is run, Ansible will connect via SSH to all servers/hosts defined in the inventory as the user "myuser" and execute the command cat /etc/myfile on each one.
$ ansible myservers -m command -a 'cat /etc/myfile'
NOTE: In this example, SSH key-based authentication for myuser must already be set up on the machine where Ansible is installed.
However, if you need additional permissions on the host to perform some action, this can be defined in [privilege_escalation]: after connecting to the server via SSH as the default user, Ansible uses become_method and become_user to change user and execute the command. The following example writes to a file, which requires a permission that myuser doesn't have. To perform it, the [privilege_escalation] setup is required.
$ ansible myservers -m copy -a 'content="COPY CONTENT WITH ANSIBLE.\n" dest=/etc/myfile' --become
Why is become required in the above example?
The --become parameter is used to escalate privileges. If you define become as True in the configuration file, privilege escalation is always applied by default and the --become parameter is no longer required.
Why is become_ask_pass defined as False in this example?
It is set to False so that no password is asked for when the sudo method is called. However, for this to work in this example, the myuser account used to connect must have been granted the privilege to use the root user.
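To see how these settings combine, the following added example (not part of the original page, and not Ansible's own code) parses the ansible.cfg above and reports which user a run connects as, which user it ends up running as, and what that implies for review. The helper name escalation_posture and the cli_become parameter are hypothetical, and only ansible.cfg and the --become flag are modeled.

```python
import configparser

# Constructed sample input: the ansible.cfg shown on this page.
PAGE_CFG = """\
[defaults]
remote_user = myuser
inventory = inventory

[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
"""
# Constructed variant with escalation switched on by default.
ALWAYS_BECOME_CFG = PAGE_CFG.replace("become = False", "become = True", 1)


def escalation_posture(cfg_text, cli_become=False):
    """Hypothetical helper: summarize how a run escalates under this config.

    cli_become models passing --become on the command line. Only ansible.cfg
    is considered; inventory and playbook-level settings are ignored.
    """
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    sec = "privilege_escalation"
    user = cp.get("defaults", "remote_user", fallback=None)
    cfg_become = cp.getboolean(sec, "become", fallback=False)
    method = cp.get(sec, "become_method", fallback="sudo")
    target = cp.get(sec, "become_user", fallback="root")
    ask_pass = cp.getboolean(sec, "become_ask_pass", fallback=False)

    escalates = cfg_become or cli_become
    findings = []
    if cfg_become:
        findings.append("become is on by default: every task escalates")
    if escalates and not ask_pass:
        findings.append(f"no password prompt: {user} must be able to use "
                        f"{method} to become {target} non-interactively")
    return {"connect_as": user, "run_as": target if escalates else user,
            "escalates": escalates, "findings": findings}


if __name__ == "__main__":
    for name, cfg, flag in [("page cfg", PAGE_CFG, False),
                            ("page cfg + --become", PAGE_CFG, True),
                            ("become = True", ALWAYS_BECOME_CFG, False)]:
        print(name, escalation_posture(cfg, flag))
```

With the page's configuration, nothing escalates unless --become is passed; with become = True, every ad-hoc command and task runs as root, which is the case to look for when reviewing a shared ansible.cfg.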
For further information, see Understanding Privilege Escalation and Ansible Configuration Settings.