Ansible "Missing sudo password" - Fix become Privilege in CI
A task escalated privileges with become, but the target requires a sudo password and the run provided none. Ansible cannot become root, so the task fails before doing any work.
What this error means
A become: true task fails with Missing sudo password (or Incorrect sudo password). It is deterministic - without passwordless sudo or a supplied become password, every privileged task fails the same way.
fatal: [app01]: FAILED! => {"msg": "Missing sudo password"}
# or
fatal: [app01]: FAILED! => {"msg": "Incorrect sudo password"}Common causes
Target requires a sudo password
The remote user is not configured for passwordless sudo, so become needs --ask-become-pass or ansible_become_password. In non-interactive CI nothing prompts, so it is simply absent.
Wrong become user or method
An incorrect become_user/become_method, or a stale password after rotation, makes escalation fail even when a password is supplied.
How to fix it
Supply the become password from a secret
Pass the privilege-escalation password via a CI secret rather than an interactive prompt.
- run: ansible-playbook -i inventory site.yml
env:
ANSIBLE_BECOME_PASSWORD: ${{ secrets.SUDO_PASSWORD }}Or configure passwordless sudo for the deploy user
- Grant the deploy user
NOPASSWDsudo in a/etc/sudoers.d/drop-in on the target. - Confirm
become_user/become_methodmatch the target’s configuration. - Verify with
ansible host -b -m pingbefore running the full play.
How to prevent it
- Use a dedicated deploy user with passwordless sudo, or inject the become password from a CI secret.
- Pin
become_userandbecome_methodin inventory. - Test escalation early with
-b -m pingto fail fast.