Description
[This isn't so much an issue as it's documentation for anyone else stumbling over this problem]
In my use-case, I need to run the Gitlab Runner as a corporate user (instead of the more usual gitlab-runner user that is created by the installation package). I looked into the vars settings in the Ansible role, but this turns out not to be the way to solve this (or at least, I don't think it is).
Instead, I created a gitlab-runner-post role, in which I make a Systemd directory if it doesn't exist, and then write in an alternative ExecStart= override 'stub' to run as my chosen user. I broadly speaking followed this advice: https://stackoverflow.com/a/54831977/917444
The Ansible is this:
    - name: Make a systemd override directory
      file:
        path: /etc/systemd/system/gitlab-runner.service.d
        owner: root
        group: root
        mode: "0755"
        state: directory

    - name: Tell Systemd to start the runner as the robouser
      template:
        src: gitlab-runner-service.j2
        dest: /etc/systemd/system/gitlab-runner.service.d/exec_start.conf
        owner: root
        group: root
        mode: "0644"
      notify:
        - daemon reload
        - restart gitlab-runner
The template I put into Systemd is:
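    [Service]
    StartLimitInterval=5
    StartLimitBurst=10
    # The empty assignment clears the ExecStart inherited from the packaged unit.
    ExecStart=
    # Variable written with underscores: Ansible/Jinja2 variable names cannot contain hyphens.
    ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "/home/{{ gitlab_runner_user }}" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--user" "{{ gitlab_runner_user }}"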
(I copied this from the actual systemd service unit file, but note that I added ExecStart=)
FWIW, my 'post' role also includes writing out some scripts for additional monitoring and whatnot, but the main thing here is that Gitlab's runner process starts as root, but the executors run as the corporate user instead of the default one.
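
A lint for the rendered drop-in, as an added example that is not part of the original post or of the Ansible role: it checks that the empty ExecStart= reset precedes the new command, that exactly one command remains, and that --user is present, rendered and not root. The function name `check_dropin` and the sample user `ci-robot` are hypothetical, and simple double-quoted arguments are assumed so that `shlex` splits them as systemd would.

```python
import shlex

# Constructed sample of a rendered drop-in; "ci-robot" is a made-up account.
GOOD = ('[Service]\nExecStart=\n'
        'ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" '
        '"/home/ci-robot" "--config" "/etc/gitlab-runner/config.toml" '
        '"--service" "gitlab-runner" "--user" "ci-robot"\n')

def check_dropin(text):
    """Lint a rendered gitlab-runner drop-in; returns (problems, user)."""
    problems, commands, inherited, section = [], [], True, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "ExecStart":
            continue
        if value.strip():
            commands.append(value.strip())
        else:
            # Empty assignment clears the packaged unit's ExecStart list.
            commands, inherited = [], False
    if inherited and commands:
        problems.append("no empty ExecStart= before the new command")
    if len(commands) != 1:
        problems.append(f"expected one ExecStart command, found {len(commands)}")
    user = None
    if commands:
        if "{{" in commands[-1]:
            problems.append("unrendered Jinja2 placeholder in ExecStart")
        # Look for "--user NAME" or "--user=NAME" in the final command.
        argv = shlex.split(commands[-1])
        for i, arg in enumerate(argv):
            if arg == "--user" and i + 1 < len(argv):
                user = argv[i + 1]
            elif arg.startswith("--user="):
                user = arg.split("=", 1)[1]
    if user is None:
        problems.append("no --user argument")
    elif user == "root":
        problems.append("--user is root")
    return problems, user

if __name__ == "__main__":
    print(check_dropin(GOOD))
```

Without the reset line, the new ExecStart= is appended to the one in the packaged unit, and systemd accepts more than one ExecStart= only for Type=oneshot services.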