user¶
Collection Note
This module is part of the ansible.builtin collection. To install the collection, use:
Added in version0.2.
Synopsis¶
- Manage user accounts and user attributes.
- For Windows targets, use the M(ansible.windows.win_user) module instead.
Parameters¶
| Parameter | Defaults / Choices | Comments |
|---|---|---|
| append bool |
If V(true), add the user to the groups specified in O(groups). If V(false), user will only be added to the groups specified in O(groups), removing them from all other groups. |
|
| authorization str |
Sets the authorization of the user. Can set multiple authorizations using comma separation. To delete all authorizations, use O(authorization=''). Currently supported on Illumos/Solaris. Does nothing when used with other platforms. Version Added: 2.8 |
|
| comment str |
Optionally sets the description (aka I(GECOS)) of user account. On macOS, this defaults to the O(name) option. |
|
| create_home bool |
Default: True |
Unless set to V(false), a home directory will be made for the user when the account is created or if the home directory does not exist. Changed from O(createhome) to O(create_home) in Ansible 2.5. |
| expires float |
An expiry time for the user in epoch, it will be ignored on platforms that do not support this. Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD. Since Ansible 2.6 you can remove the expiry time by specifying a negative value. Currently supported on GNU/Linux and FreeBSD. Version Added: 1.9 |
|
| force bool |
This only affects O(state=absent), it forces removal of the user and associated directories on supported platforms. The behavior is the same as C(userdel --force), check the man page for C(userdel) on your system for details and support. When used with O(generate_ssh_key=yes) this forces an existing key to be overwritten. |
|
| generate_ssh_key bool |
Whether to generate a SSH key for the user in question. This will B(not) overwrite an existing SSH key unless used with O(force=yes). Version Added: 0.9 |
|
| group str |
Optionally sets the user's primary group (takes a group name). On macOS, this defaults to V(staff). |
|
| groups list / elements=str |
A list of supplementary groups which the user is also a member of. By default, the user is removed from all other groups. Configure O(append) to modify this. When set to an empty string V(''), the user is removed from all groups except the primary group. Before Ansible 2.3, the only input format allowed was a comma separated string. |
|
| hidden bool |
macOS only, optionally hide the user from the login window and system preferences. The default will be V(true) if the O(system) option is used. Version Added: 2.6 |
|
| home path |
Optionally set the user's home directory. | |
| local bool |
Forces the use of "local" command alternatives on platforms that implement it. This is useful in environments that use centralized authentication when you want to manipulate the local users (in other words, it uses C(luseradd) instead of C(useradd)). This will check C(/etc/passwd) for an existing account before invoking commands. If the local account database exists somewhere other than C(/etc/passwd), this setting will not work properly. This requires that the above commands as well as C(/etc/passwd) must exist on the target host, otherwise it will be a fatal error. Version Added: 2.4 |
|
| login_class str |
Optionally sets the user's login class, a feature of most BSD OSs. | |
| move_home bool |
If set to V(true) when used with O(home), attempt to move the user's old home directory to the specified directory if it isn't there already and the old home exists. | |
| name str required |
Name of the user to create, remove or modify. | |
| non_unique bool |
Optionally when used with the C(-u) option, this option allows to change the user ID to a non-unique value. Version Added: 1.1 |
|
| password str |
If provided, set the user's password to the provided encrypted hash (Linux) or plain text password (macOS). B(Linux/Unix/POSIX:) Enter the hashed password as the value. See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) for details on various ways to generate the hash of a password. To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*'). To create an account with a locked/disabled password on OpenBSD, set this to V('*************'). B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions. On macOS, the password specified in the C(password) option will always be set, regardless of whether the user account already exists or not. When the password is passed as an argument, the M(ansible.builtin.user) module will always return changed to C(true) for macOS systems. Since macOS no longer provides access to the hashed passwords directly. |
|
| password_expire_account_disable int |
Number of days after a password expires until the account is disabled. Currently supported on AIX, Linux, NetBSD, OpenBSD. Version Added: 2.18 |
|
| password_expire_max int |
Maximum number of days between password change. Supported on Linux only. Version Added: 2.11 |
|
| password_expire_min int |
Minimum number of days between password change. Supported on Linux only. Version Added: 2.11 |
|
| password_expire_warn int |
Number of days of warning before password expires. Supported on Linux only. Version Added: 2.16 |
|
| password_lock bool |
Lock the password (C(usermod -L), C(usermod -U), C(pw lock)). Implementation differs by platform. This option does not always mean the user cannot login using other methods. This option does not disable the user, only lock the password. This must be set to V(false) in order to unlock a currently locked password. The absence of this parameter will not unlock a password. Currently supported on Linux, FreeBSD, DragonFlyBSD, NetBSD, OpenBSD. Version Added: 2.6 |
|
| profile str |
Sets the profile of the user. Can set multiple profiles using comma separation. To delete all the profiles, use O(profile=''). Currently supported on Illumos/Solaris. Does nothing when used with other platforms. Version Added: 2.8 |
|
| remove bool |
This only affects O(state=absent), it attempts to remove directories associated with the user. The behavior is the same as C(userdel --remove), check the man page for details and support. |
|
| role str |
Sets the role of the user. Can set multiple roles using comma separation. To delete all roles, use O(role=''). Currently supported on Illumos/Solaris. Does nothing when used with other platforms. Version Added: 2.8 |
|
| seuser str |
Optionally sets the C(seuser) type C(user_u) on SELinux enabled systems. Version Added: 2.1 |
|
| shell path |
Optionally set the user's shell. On macOS, before Ansible 2.5, the default shell for non-system users was V(/usr/bin/false). Since Ansible 2.5, the default shell for non-system users on macOS is V(/bin/bash). On other operating systems, the default shell is determined by the underlying tool invoked by this module. See Notes for a per platform list of invoked tools. From Ansible 2.18, the type is changed to I(path) from I(str). |
|
| skeleton str |
Optionally set a home skeleton directory. Requires O(create_home) option! Version Added: 2.0 |
|
| ssh_key_bits int |
Optionally specify number of bits in SSH key to create. The default value depends on C(ssh-keygen). Version Added: 0.9 |
|
| ssh_key_comment str |
Default: ansible-generated on $HOSTNAME |
Optionally define the comment for the SSH key. Version Added: 0.9 |
| ssh_key_file path |
Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory. This parameter defaults to V(.ssh/id_rsa). Version Added: 0.9 |
|
| ssh_key_passphrase str |
Set a passphrase for the SSH key. If no passphrase is provided, the SSH key will default to having no passphrase. Version Added: 0.9 |
|
| ssh_key_type str |
Default: rsa |
Optionally specify the type of SSH key to generate. Available SSH key types will depend on implementation present on target host. Version Added: 0.9 |
| state str |
Default: present Choices: absent, present |
Whether the account should exist or not, taking action if the state is different from what is stated. See this L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-target) for additional requirements when removing users on macOS systems. |
| system bool |
When creating an account O(state=present), setting this to V(true) makes the user a system account. This setting cannot be changed on existing users. |
|
| uid int |
Optionally sets the I(UID) of the user. | |
| uid_max int |
Sets the UID_MAX value for user creation. Overwrites /etc/login.defs default value. Currently supported on Linux. Does nothing when used with other platforms. Requires O(local) is omitted or V(False). Version Added: 2.18 |
|
| uid_min int |
Sets the UID_MIN value for user creation. Overwrites /etc/login.defs default value. Currently supported on Linux. Does nothing when used with other platforms. Requires O(local) is omitted or V(False). Version Added: 2.18 |
|
| umask str |
Sets the umask of the user. Currently supported on Linux. Does nothing when used with other platforms. Requires O(local) is omitted or V(false). Version Added: 2.12 |
|
| update_password str |
Default: always Choices: always, on_create |
V(always) will update passwords if they differ. V(on_create) will only set the password for newly created users. Version Added: 1.3 |
Notes¶
Note
- There are specific requirements per platform on user management utilities. However they generally come pre-installed with the system and Ansible will require they are present at runtime. If they are not, a descriptive error message will be shown.
- On SunOS platforms, the shadow file is backed up automatically since this module edits it directly. On other platforms, the shadow file is backed up by the underlying tools used by this module.
- On macOS, this module uses C(dscl) to create, modify, and delete accounts. C(dseditgroup) is used to modify group membership. Accounts are hidden from the login window by modifying C(/Library/Preferences/com.apple.loginwindow.plist).
- On FreeBSD, this module uses C(pw useradd) and C(chpass) to create, C(pw usermod) and C(chpass) to modify, C(pw userdel) remove, C(pw lock) to lock, and C(pw unlock) to unlock accounts.
- On all other platforms, this module uses C(useradd) to create, C(usermod) to modify, and C(userdel) to remove accounts.
Examples¶
- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
ansible.builtin.user:
name: johnd
comment: John Doe
uid: 1040
group: admin
- name: Create a user 'johnd' with a home directory
ansible.builtin.user:
name: johnd
create_home: yes
- name: Add the user 'james' with a bash shell, appending the group 'admins' and 'developers' to the user's groups
ansible.builtin.user:
name: james
shell: /bin/bash
groups: admins,developers
append: yes
- name: Remove the user 'johnd'
ansible.builtin.user:
name: johnd
state: absent
remove: yes
- name: Create a 2048-bit SSH key for user jsmith in ~jsmith/.ssh/id_rsa
ansible.builtin.user:
name: jsmith
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
- name: Added a consultant whose account you want to expire
ansible.builtin.user:
name: james18
shell: /bin/zsh
groups: developers
expires: 1422403387
- name: Starting at Ansible 2.6, modify user, remove expiry time
ansible.builtin.user:
name: james18
expires: -1
- name: Set maximum expiration date for password
ansible.builtin.user:
name: ram19
password_expire_max: 10
- name: Set minimum expiration date for password
ansible.builtin.user:
name: pushkar15
password_expire_min: 5
- name: Set number of warning days for password expiration
ansible.builtin.user:
name: jane157
password_expire_warn: 30
- name: Set number of days after password expires until account is disabled
ansible.builtin.user:
name: jimholden2016
password_expire_account_disable: 15
Return Values¶
| Key | Data Type | Description | Returned |
|---|---|---|---|
| append | bool | Whether or not to append the user to groups. | When O(state) is V(present) and the user exists |
| comment | str | Comment section from passwd file, usually the user name. | When user exists |
| create_home | bool | Whether or not to create the home directory. | When user does not exist and not check mode |
| force | bool | Whether or not a user account was forcibly deleted. | When O(state) is V(absent) and user exists |
| group | int | Primary user group ID | When user exists |
| groups | str | List of groups of which the user is a member. | When O(groups) is not empty and O(state) is V(present) |
| home | str | Path to user's home directory. | When O(state) is V(present) |
| move_home | bool | Whether or not to move an existing home directory. | When O(state) is V(present) and user exists |
| name | str | User account name. | always |
| password | str | Masked value of the password. | When O(state) is V(present) and O(password) is not empty |
| remove | bool | Whether or not to remove the user account. | When O(state) is V(absent) and user exists |
| shell | str | User login shell. | When O(state) is V(present) |
| ssh_fingerprint | str | Fingerprint of generated SSH key. | When O(generate_ssh_key) is V(True) |
| ssh_key_file | str | Path to generated SSH private key file. | When O(generate_ssh_key) is V(True) |
| ssh_public_key | str | Generated SSH public key file. | When O(generate_ssh_key) is V(True) |
| stderr | str | Standard error from running commands. | When stderr is returned by a command that is run |
| stdout | str | Standard output from running commands. | When standard output is returned by the command that is run |
| system | bool | Whether or not the account is a system account. | When O(system) is passed to the module and the account does not exist |
| uid | int | User ID of the user account. | When O(uid) is passed to the module |
Authors¶
- Stephen Fromm (@sfromm)