Skip to content
Latchkey

Ansible "Permission denied" / become (sudo) failure in CI

Authentication is the problem, not connectivity: either SSH rejects the key at login, or the task connected but become (sudo) cannot escalate without a password.

What this error means

A task fails with "Permission denied (publickey)" at SSH login, or with "Missing sudo password" / "Incorrect sudo password" when a become task tries to escalate.

ansible
fatal: [db01]: FAILED! => {"msg": "Failed to connect to the host via ssh:
db01: Permission denied (publickey)."}

# or, on escalation:
fatal: [db01]: FAILED! => {"msg": "Missing sudo password"}

Common causes

SSH key not accepted

The runner has no matching private key, the wrong user, or the public key is not in the target authorized_keys.

become needs a password

sudo on the target requires a password and none was provided via --ask-become-pass or ansible_become_password.

How to fix it

Provide the right key and become password

Load the SSH key into the agent and supply the become password from a secret (or configure passwordless sudo).

.github/workflows/ci.yml
eval "$(ssh-agent -s)"
ssh-add - <<< "${{ secrets.DEPLOY_SSH_KEY }}"
ansible-playbook -i inventory site.yml \
  -u deploy --become \
  --extra-vars "ansible_become_password=${{ secrets.SUDO_PASSWORD }}"

Fix the SSH identity

  1. Confirm the correct user (ansible_user / -u) for the target.
  2. Ensure the public key is in the target authorized_keys.
  3. Verify the private key on the runner matches it.

How to prevent it

  • Inject SSH keys and become passwords from CI secrets, never in code.
  • Prefer passwordless sudo for the deploy user where policy allows.
  • Set ansible_user explicitly to avoid wrong-user logins.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →