You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

community.general.sudoers module – Manage sudoers files

Note

This module is part of the community.general collection (version 4.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.sudoers.

New in version 4.3.0: of community.general

Synopsis

• This module allows for the manipulation of sudoers files.

Parameters

Parameter	Comments
commands list / elements=string	The commands allowed by the sudoers rule. Multiple can be added by passing a list of commands. Use ALL for all commands.
group string	The name of the group for the sudoers rule. This option cannot be used in conjunction with user.
name string / required	The name of the sudoers rule. This will be used for the filename for the sudoers file managed by this rule.
nopassword boolean	Whether a password will be required to run the sudo’d command. Choices: no yes ← (default)
runas string added in 4.7.0 of community.general	Specify the target user the command(s) will run as.
state string	Whether the rule should exist or not. Choices: present ← (default) absent
sudoers_path string	The path which sudoers config files will be managed in. Default: “/etc/sudoers.d”
user string	The name of the user for the sudoers rule. This option cannot be used in conjunction with group.

Examples

- name: Allow the backup user to sudo /usr/local/bin/backup
  community.general.sudoers:
    name: allow-backup
    state: present
    user: backup
    commands: /usr/local/bin/backup

- name: Allow the bob user to run any commands as alice with sudo -u alice
  community.general.sudoers:
    name: bob-do-as-alice
    state: present
    user: bob
    runas: alice
    commands: ALL

- name: >-
    Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics
    without requiring a password
  community.general.sudoers:
    name: monitor-app
    group: monitoring
    commands: /usr/local/bin/gather-app-metrics

- name: >-
    Allow the alice user to run sudo /bin/systemctl restart my-service or
    sudo /bin/systemctl reload my-service, but a password is required
  community.general.sudoers:
    name: alice-service
    user: alice
    commands:
      - /bin/systemctl restart my-service
      - /bin/systemctl reload my-service
    nopassword: false

- name: Revoke the previous sudo grants given to the alice user
  community.general.sudoers:
    name: alice-service
    state: absent

Authors

• Jon Ellis (@JonEllis)

Collection links

Issue Tracker Repository (Sources) Submit a bug report Request a feature Communication