ansible lookup plugin privilege escalation does not seem to work

Question

It seems that the ansible lookup plugin does not adhere to privilege escalation and it is not clear to me if this is by design.

I have looked for an answer to this, but though I have found many similar questions, I haven't yet seen one which seems to answers why the following playbook behaves like it does.

---
- hosts: localhost
  become: 1
  tasks:

  - name: cat file
    command: cat /home/bob/.ssh/id_rsa.pub
    register: cat

  - debug:
      msg: |
        dog: {{ cat.stdout }}

  - name: add the variable
    set_fact:
      rsa_key: "{{ lookup('file', '/home/bob/.ssh/id_rsa.pub') }}"
    delegate_to: localhost

The result of running this play is that the command module "works" while the lookup module does not:

PLAY [localhost] *************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [cat file] **************************************************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [debug] *****************************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "dog: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCl+xAFC2hwsLaWvCEOFHEz96AU8ltF1fA8ZNQp9Mkl6FFZUEFu2rAl+imSXm+xAPrWhqOoLgkYZKq6qAsqG3SqSisrr4uHGdC4F/5NBlgR7OqfAU76VfJRmcq4F01caXBJVuciZ0EX7KQcC6ixNpZweLPoRDBNntDJnDKVIbx8h7w3qAYRbYOsLv6OT7BLgldSrJSOYBOJ0/SLZIUDAvewPnPppkwZgMAMV12bXHzn5Imsn9S6K5riZ/n3oenOgW787w5XQI0xKsxO6g4NjzciMELafXfoq07+Gz53NMyo9/DHag2w8y6m+Js4axazMFFgcnS3Hrbc/tSejvarEynEktN1/+JTu8eEdKxtZYr2ez55SW+MOxZr14isQJDc0btduO4yJfXvJ6KooULVbqZyVnmun6pKgecsCDTy6kYQVV0oJgpixiquoLAMPN+nKzufaSgGTRbKnQuf+7w6X94ci3iIkpS7qxvQsZ/P61q7uQjhtsmG6qsk6/M9nIruJY0= ansible-generated on rh1.local.home\n"
}

TASK [add the variable] ******************************************************************************************************************************************************************************************************************************************************
[WARNING]: Unable to find '/home/bob/.ssh/id_rsa.pub' in expected paths (use -vvvvv to see paths)
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/bob/.ssh/id_rsa.pub"}

PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

I'm running this under a user, which is NOT "bob", and with become_user = root and become_method = sudo. Any ideas or a confirmation that indeed the lookup plugin ignores privilege escalation statements, would be appreciated.

Answer 1

Looking into to the actually code and commands to be found for the standard plugins for ansible I found this:

As all lookups, this runs on the Ansible host as the user running the playbook, and "become" does not apply, the target file must be readable by the playbook user, or, if it does not exist, the playbook user must have sufficient privileges to create it. (So, for example, attempts to write into areas such as /etc will fail unless the entire playbook is being run as root).'

Inside the password plugin. Hence, lookup plugins indeed ignore "become" escalation directives and hence it is "by design" this behavior though I find it rather counter intuitive, not well documented, and dislike it since it forces me to write ugly code to get around it ;-).