If you need to provide a unique sudo password for each host, you'll want to set the ansible_become_pass variable either in your inventory or in an appropriate file in your host_vars directory.
You obviously don't want to store the password in cleartext, so we can use ansible-vault to encrypt the information so that a single password, provided at runtime, permits Ansible to read the passwords.
Assuming that we have an inventory with three hosts, server1, server2, and server3, we would first ensure that there is a host_vars directory adjacent to our playbook:
mkdir host_vars
Next, we use the following command to create an encrypted file containing the ansible_become_pass variable:
ansible-vault create host_vars/server1.yml
This will prompt us for a vault password, and then open the file in an editor. We add content such as:
---
ansible_become_pass: secret1
Perform the same steps for server2 and server3, using the same vault password each time (and setting ansible_become_pass to the unique sudo password for each host). We now have the following files:
$ find . -type f
./playbook.yml
./host_vars/server2.yml
./host_vars/server3.yml
./host_vars/server1.yml
Now, we would run our playbook like this:
ansible-playbook playbook.yml --ask-vault-pass
This will prompt us for the vault password:
Vault password:
And now Ansible will be able to escalate privileges on the target hosts.
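As an added example (not part of the original answer), here is the check a practitioner would want before committing a host_vars tree like the one above: it fails any host_vars file that still carries ansible_become_pass (or another credential variable) in cleartext, accepting both whole-file vault encryption (ansible-vault create/encrypt) and inline !vault values (ansible-vault encrypt_string). The sample files it builds are constructed for the demo; it uses only the standard library.

```python
# Added example, not from the original answer: audit host_vars/*.yml so that
# every credential variable is vault-encrypted. Standard library only.
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first line written by ansible-vault
SENSITIVE_KEYS = ("ansible_become_pass", "ansible_password", "ansible_ssh_pass")
KEY_RE = re.compile(r"^\s*(%s)\s*:\s*(.*)$" % "|".join(SENSITIVE_KEYS))


def plaintext_secrets(path):
    """Return the credential keys stored in cleartext in one YAML file."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if text.startswith(VAULT_HEADER):
        return []                      # whole file is vault-encrypted: fine
    found = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        # an inline "!vault |" value (from encrypt_string) is also fine
        if m and not m.group(2).strip().startswith("!vault"):
            found.append(m.group(1))
    return found


def audit_host_vars(host_vars_dir):
    """Map each offending file name to the keys it leaks in cleartext."""
    report = {}
    for name in sorted(os.listdir(host_vars_dir)):
        if name.endswith((".yml", ".yaml")):
            hits = plaintext_secrets(os.path.join(host_vars_dir, name))
            if hits:
                report[name] = hits
    return report


def demo():
    """Build a constructed host_vars tree (fake ciphertext) and audit it."""
    tmp = tempfile.mkdtemp()
    samples = {
        "server1.yml": "$ANSIBLE_VAULT;1.1;AES256\n3132333435\n",
        "server2.yml": "---\nansible_become_pass: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3132\n",
        "server3.yml": "---\nansible_become_pass: secret3\n",   # the mistake to catch
    }
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit_host_vars(tmp)


if __name__ == "__main__":
    for fname, keys in demo().items():
        print(f"{fname}: cleartext {', '.join(keys)}")
```

Wire audit_host_vars into a pre-commit hook or CI job and fail the run when the report is non-empty.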