I was trying to allow a user to sudo to another account and run a specific command. I'm not a fan of getting them to run through su since it doesn't make much sense to involve a third tool in the equation. I could get it working with the following:
theiruser ALL=(runasuser) NOPASSWD:/usr/local/bin/script.sh
The user could run script.sh with sudo -u runasuser /usr/local/bin/script.sh and it worked as expected but if they tried sudo -iu runasuser /usr/local/bin/script.sh they got prompted for a password as the command didn't match.
I found out that the -i option runs the command through their login shell with a -c option, so in the instance of this user, /bin/bash. So I just had to change the sudoers to this:
theiruser ALL=(runasuser) NOPASSWD:/bin/bash -c /usr/local/bin/script.sh
sudo -iu runasuser /usr/local/bin/script.sh
works as expected.