Ansible user module helps us to manage user accounts in Linux systems including creating user accounts, deleting them, setting passwords, adding groups to each user, etc.
How to create users in Ansible
Let us first see how to write a basic task for creating a Linux user using the Ansible user module.
There is only one mandatory parameter which is the name parameter. This is the name of the user account which you want to create. But if you are not providing the password, the account will be in a locked state, which means you cannot login using the password option. For example, I created a new user without setting the password parameter. When I am trying to log in, it will be asking for the password. But since I have not set the password I cannot log in. Also, as you can see in the following /etc/shadow, the account is locked.
test1:!:17441:0:99999:7:::
So it is better to set a password also while creating a new user.
While giving the password, you have to give it as a hash value and not cleartext(Except on Darwin system). Click here to know more about generating the hash value.
The home directory for the user will also be created at /home/test2 by default. You have the option to choose your home directory by setting the home parameter. The password given in the below task is a hash of string ‘test1’.
The password provided in the below task is a hash of string ‘test1’.
- hosts: all
tasks:
- name: Ansible create user example.
user:
name: test2
password: $6$53uLlaE42OzJi8k1$nah2F17o2XYc1rMg1bZwlIY2XRdgnYrqwVGUJC
bsnpwtqCAGxyn9eN/RRdZNugHbcOLjz/.y4Slou4ut7yl3P0
mdtutorials2@system01:~$ sudo vim /etc/shadow ... test2:$6$53uLlaE42OzJi8k1$nah2F17o2XYc1rMg1bZwlIY2XRdgnYrqwVGUJCbsnpwtqCAGxyn9eN/RRdZNugHbcOLjz/.y4Slou4ut7yl3P0:17441:0:99999:7:::
1.2 Adding a User to Group in Ansible
There are other options which will be helpful while creating a new user. For the full set of parameters refer the Ansible docs.
In order to add a user to certain groups, you can use the ‘groups’ parameter. In the following example, I am setting the groups of the user test2, which was already created, to root and ubuntu.
- hosts: all
tasks:
- name: ansible add user to group example
user:
name: test3
groups: root, ubuntu
output
======
mdtutorials2@system01:~$ groups test3
test3: test3 root ubuntu
Note: This will overwrite the existing set of users. For example, if I give another task below with only ‘root’ against the ‘groups’ parameter, then the user is removed from ubuntu group.
mdtutorials2@system01:~$ groups test3 test3 : test3 root
Note: If the group mentioned is not already present in the System, Ansible will throw an error like below.
fatal: [localhost]: FAILED! => {“changed”: false, “failed”: true, “msg”: “Group admins does not exist”}
1.3 Appending new groups to an existing user
If you do not want to overwrite the existing set of groups, then you can use the ‘append’ parameter. Just set the value of append parameter to ‘yes’. By default, the value is ‘yes’.
For example, if I need to add the test3 user to two more groups ‘googlecloud’ and ‘admin’, I can do the following.
- hosts: all
tasks:
- name: Ansible append user to group example.
user:
name: test3
groups: admin, googlecloud
append: yes
output
======
mdtutorials2@system01:~$ groups test3
test3 : test3 root admin googlecloud
1.4 Setting the primary group for a user
You can also set the primary group for a user. By default, the name of the user itself is taken as the primary group, which you can see from the ‘groups’ output of test3 user. You can use the ‘group’ parameter for setting the primary group for a user. Note that there is no ‘s’.
If the user is already existing, then the previous value of primary group will be overwritten.
For example, I am creating a new user test4 with the primary group set as ‘admin’
- hosts: all
tasks:
- name: ansible add the primary group for a user example
user:
name: test4
group: admin
output
======
mdtutorials2@system01:~$ groups test4
test4 : admin
Note: To remove a particular user from all the secondary groups you can execute the task with ‘groups’ parameter set to empty string. This will not remove the primary group.
How to remove a User in Ansible
Removing an existing user is easy. You just have to set the ‘state’ parameter to ‘absent’. It executes the ‘userdel’ command in the background.
The below task will delete the user test4 from the system.
- hosts: all
tasks:
- name: ansible remove user example
user:
name: test4
state: absent
output
======
mdtutorials2@system01:~$ groups test4
groups: ‘test4’: no such user
mdtutorials2@system01:~$ cd /home/test4
mdtutorials2@system01:/home/test4$
You can see the user test4 does not exist anymore. But the home directory still exists. If you want to remove the home directory also, you can set the remove parameter to ‘yes’. By default, the value is ‘no’. Also, set the force parameter to ‘yes’ for the forced removal of files.
The following task does the equivalent of ‘userdel test4 –remove –force’.
- hosts: all
tasks:
- name: ansible delete user to group example
user:
name: test4
state: absent
remove: yes
force: yes
output
======
mdtutorials2@system01:~$ groups test4
groups: ‘test4’: no such user
mdtutorials2@system01:~$ cd /home/test4
-bash: cd: /home/test4: No such file or directory
As you can see from the output, the user and the home directory is deleted for user ‘test4.’
