Skip to content
Latchkey

Ansible "Missing sudo password" - Fix become Privilege in CI

A task escalated privileges with become, but the target requires a sudo password and the run provided none. Ansible cannot become root, so the task fails before doing any work.

What this error means

A become: true task fails with Missing sudo password (or Incorrect sudo password). It is deterministic - without passwordless sudo or a supplied become password, every privileged task fails the same way.

ansible output
fatal: [app01]: FAILED! => {"msg": "Missing sudo password"}
# or
fatal: [app01]: FAILED! => {"msg": "Incorrect sudo password"}

Common causes

Target requires a sudo password

The remote user is not configured for passwordless sudo, so become needs --ask-become-pass or ansible_become_password. In non-interactive CI nothing prompts, so it is simply absent.

Wrong become user or method

An incorrect become_user/become_method, or a stale password after rotation, makes escalation fail even when a password is supplied.

How to fix it

Supply the become password from a secret

Pass the privilege-escalation password via a CI secret rather than an interactive prompt.

.github/workflows/deploy.yml
- run: ansible-playbook -i inventory site.yml
  env:
    ANSIBLE_BECOME_PASSWORD: ${{ secrets.SUDO_PASSWORD }}

Or configure passwordless sudo for the deploy user

  1. Grant the deploy user NOPASSWD sudo in a /etc/sudoers.d/ drop-in on the target.
  2. Confirm become_user/become_method match the target’s configuration.
  3. Verify with ansible host -b -m ping before running the full play.

How to prevent it

  • Use a dedicated deploy user with passwordless sudo, or inject the become password from a CI secret.
  • Pin become_user and become_method in inventory.
  • Test escalation early with -b -m ping to fail fast.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →