ansible-vault 实现普通用户在加密环境下非交互式地执行su/sudo命令

ansible-play 目录结构

$ tree 
.
├── ansible.cfg
├── test.yml
├── vars.yml
└── vault_password_file
$ cat ansible.cfg 
[defaults]
remote_user = rokadmin
forks = 15
# inventory script
#inventory = /usr/local/inventory/get_host.py

# roles path
roles_path = ./roles

# temp files
remote_tmp = /tmp/ansible_tmp_$USER/
local_tmp = /tmp/ansible_tmp_$USER/

# ssh connect
remote_port = 4399
#remote_user = wd2admin
#private_key_file = roles/common/files/id_rsa-$USER
# NOTE: disabling host key checking removes SSH's protection against a spoofed
# host; prefer a maintained known_hosts and leave this at the default (True)
host_key_checking = False

# retry files
retry_files_enabled = False

# ansible log
log_path = /tmp/ansible_run_$USER.log

#ask_pass      = True

# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file

# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
vault_password_file = ./vault_password_file

deprecation_warnings=False
allow_duplicates = True # if the same role exists at different positions, run it twice

[ssh_connection]
#ssh_args = '-o ProxyCommand="ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no -p 4399 -W %h:%p -q rokadmin@103.14.33.233"'
#pipelining = True
$ cat vars.yml 
ansible_become_pass: xxx
$ cat test.yml 
- hosts: rok_global_ps.gm
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  gather_facts: false
  vars_files:
    - vars.yml
  tasks:
    - name: enable service rok-gm
      systemd:
        name: rok-gm
        daemon_reload: yes
        state: started
        enabled: True
      become: true
      become_method: su

执行（运行前先用 `ansible-vault encrypt vars.yml` 对 vars.yml 加密，避免 ansible_become_pass 以明文存放；ansible-playbook 会通过 ansible.cfg 中配置的 vault_password_file 自动解密，无需交互输入）

$ ansible-playbook test.yml