Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Ansible By James Joyner IV · · 10 min read

Choosing Ansible become Methods Beyond sudo With AI

Pick the right Ansible become method beyond sudo, with AI help: doas, su, pbrun, and machinectl, configured with safe password handling and least privilege.

  • #ansible
  • #ai
  • #become
  • #security
  • #privilege-escalation

Almost everyone writes become: true and never thinks about what’s underneath it. On a typical Linux box that’s sudo, and it works, so the question never comes up. Then you inherit a fleet that isn’t typical — a BSD-leaning host that runs doas, an environment where security policy mandates PowerBroker’s pbrun for every privileged action, a systemd-nspawn container where machinectl is the clean way in, or a locked-down box where sudo simply isn’t installed. Suddenly become: true fails with a cryptic error, and you discover that become was never synonymous with sudo at all.

This is a good place to lean on AI, not to write code but to match a become method to a set of constraints and configure it with the right flags. The methods differ in their flags, their prompt behavior, and their failure modes, and a wrong choice produces escalation errors that masquerade as authentication bugs. Let the model lay out the options; you make the security call.

become is a pluggable mechanism

Ansible’s privilege escalation is a plugin system. become_method selects the plugin, and the common ones are sudo, su, doas, pbrun, pfexec, runas (Windows), and machinectl. You pick the method, the user to become, and any flags that method needs:

- hosts: bsd_hosts
  become: true
  become_method: doas
  become_user: root
  tasks:
    - name: install a package
      community.general.pkgng:
        name: nginx
        state: present

The method has to actually exist and be configured on the target. doas needs a doas.conf rule permitting the run; pbrun needs the PowerBroker policy to allow it; sudo needs the sudoers entry. Ansible escalates through the host’s existing policy — it doesn’t bypass it — so half of “become failed” debugging is really “the host’s escalation rule doesn’t permit this.”

Matching method to environment

The choice follows from constraints you can enumerate. I describe them to AI and ask for a justified pick:

I have three host classes: FreeBSD boxes that use doas, RHEL boxes where corporate policy requires pbrun for all privileged actions, and a set of systemd-nspawn containers. For each, recommend the become_method, the flags it needs, and where the config should live (group_vars vs play). Note any method that can’t do passwordless and how I’d handle the password securely.

The useful answer is a per-class recommendation with reasons: doas for the BSD hosts because that’s what’s installed and policy-permitted; pbrun for the RHEL hosts because it’s mandated and produces the audit trail compliance wants; machinectl for the containers because it’s the native systemd path. Method to constraint, every time — not “use sudo and force it.”

Scoping the config to the host class keeps it clean:

# group_vars/bsd_hosts.yml
ansible_become_method: doas
ansible_become_user: root

# group_vars/rhel_pbrun.yml
ansible_become_method: pbrun
ansible_become_flags: '-u root'

Handling become passwords without leaking them

This is the part that turns a config choice into a security decision. Some methods prompt for a password, and the lazy fix is to drop ansible_become_password straight into inventory so automation runs unattended. That plaintext value is a root-equivalent credential sitting in your repo, readable by anyone with clone access. Don’t.

For interactive runs, prompt at runtime:

ansible-playbook site.yml --ask-become-pass

For automation, vault the password so it’s encrypted at rest:

# group_vars/rhel_pbrun/vault.yml  (encrypted with ansible-vault)
ansible_become_password: "{{ vault_become_password }}"
ansible-playbook site.yml --vault-id prod@prompt

I make AI default to one of these two paths and never to plaintext, and I check the diff before committing to be sure no become password slipped into a regular vars file. A leaked become password isn’t a config bug; it’s a root credential disclosure.

Pro Tip: Keep become passwords in vaulted files separate from your regular group_vars, and grep your repo for become_password before every commit. The cost of that habit is seconds; the cost of skipping it is a credential leak in git history that’s painful to fully purge.

Least privilege: don’t become root by reflex

The other quiet mistake is escalating to root everywhere because it’s easy. Every task that becomes root widens the blast radius if something goes wrong and expands the audit scope a compliance reviewer has to account for. Where a task only needs to act as a service account, become_user should say so:

- name: deploy as the app user, not root
  become: true
  become_user: appuser
  ansible.builtin.copy:
    src: release.tar.gz
    dest: /opt/app/releases/

I ask AI to flag any task escalating to root that doesn’t need it, and I take that seriously. Least privilege at the become layer is cheap to apply and genuinely narrows what a mistake — or a compromised playbook — can touch.

Verify escalation before the real run

A new become method is exactly the kind of thing to confirm with one trivial task before running a real playbook through it. The classic check is id:

# Confirm escalation works and lands as the expected user
ansible bsd_hosts -b -m command -a 'id' --limit 1
web01 | CHANGED | rc=0 >>
uid=0(root) gid=0(wheel) groups=0(wheel)

If that returns the user you expect, the method, flags, and policy all line up, and you can run the real playbook with confidence. If it fails, you’re debugging escalation in isolation — one host, one command — instead of in the middle of a fifty-task deploy where the error is buried.

become is a security boundary, not a checkbox. When you step beyond sudo, let AI help you match the method to the host class and wire up the flags, but own the password handling, the least-privilege scope, and the id verification yourself. Those are the parts where a careless choice becomes a credential leak or a wider blast radius than you meant.

For debugging escalation failures specifically, see AI-assisted Ansible: debugging become and connection failures and the AI for Ansible category. For a reusable method-selection prompt, browse the Ansible prompts.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.