3

I have the following in an Ansible playbook:

- name: Create certificates directory
  file:
    dest: "{{ '~/wireguard/certs' | expanduser }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    group: "{{ ansible_user_id }}"
    mode: 0700
  run_once: true
  delegate_to: localhost

However, when it gets run in the playbook, I get the following error:

fatal: [1.2.3.4 -> localhost]: FAILED! => {
  "changed": false,
  "gid": 1000,
  "group": "alex",
  "mode": "0755",
  "msg": "chown failed: [Errno 1] Operation not permitted: b'/home/alex/wireguard'",
  "owner": "alex",
  "path": "/home/alex/wireguard",
  "size": 4096,
  "state": "directory",
  "uid": 1000
}

Do I need to run this as root or is it something else? If I do need to run it as root, does become work?

Vladimir Botka
akrantz01

2 Answers

1

Do I need to run this as root or is it something else?

root is needed. See, for example, Changing Ownership:

"The super user, root, has the unrestricted capability to change the ownership of any file but normal users can change the ownership of only those files that they own."

This practically means that normal users are only able to change the group of a file they own to a group they are a member of.

If I do need to run it as root, does become work?

Yes. become works. A frequently used become plugin is sudo. The default value of become_user is root.

- file:
  become: yes
  become_method: sudo
  ...

Generally, enable the remote/login user to become root. But in your specific case, because of delegate_to: localhost, enable the user who is running the play. For example, change at localhost:

$ grep alex /etc/sudoers
alex ALL=(ALL) NOPASSWD: ALL

See plugin list for other options.

Vladimir Botka
1

I realized that ansible_user_id didn't have the username that I was expecting, so I was trying to change the ownership to a user that didn't exist. I fixed it by setting a new variable to my local user.

akrantz01
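
The fix described in the last answer, as an added example that is not part of the original posts: ansible_user_id is a fact about the inventory host (1.2.3.4 here) even when the task is delegated, so the owner is looked up on the control node instead. The variable names local_user and local_group are assumptions; once the owner matches the account running the play, the file module has no ownership change to make, so neither become nor a NOPASSWD sudoers rule is needed.

```yaml
# Added example; local_user and local_group are hypothetical variable names.
- hosts: all
  vars:
    # Lookup plugins run on the control node, so these resolve to the account
    # running ansible-playbook, not to the remote login user that
    # ansible_user_id describes.
    local_user: "{{ lookup('pipe', 'id -un') }}"
    local_group: "{{ lookup('pipe', 'id -gn') }}"
  tasks:
    - name: Show which account each variable refers to
      debug:
        msg: "remote fact: {{ ansible_user_id }}, controller user: {{ local_user }}"
      run_once: true

    - name: Create certificates directory
      file:
        # The expanduser filter is also evaluated on the control node, so the
        # path is under the home directory of the user running the play.
        dest: "{{ '~/wireguard/certs' | expanduser }}"
        state: directory
        owner: "{{ local_user }}"
        group: "{{ local_group }}"
        mode: "0700"  # quoted so the octal value is passed through unchanged
      run_once: true
      delegate_to: localhost
```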