How to provision multiple user accounts on multiple servers using Ansible
The User Module
The Ansible user module lets you manage user accounts on a remote host. You can manage a number of parameters, including removing a user, setting the home directory, setting the UID for system accounts, managing passwords and managing group membership. To create a user that can log into the machine, you must supply an already-hashed password in the password parameter; the module does not hash it for you.
Example of the User Module
```yaml
- name: Add new user to the development machine and assign the appropriate groups.
  user:
    name: devops_user
    shell: /bin/bash
    groups: sys_admins, developers
    append: yes
```
Here:
1. The name parameter is the only required parameter in the user module; it is the login name of the service or user account.
2. The shell parameter optionally sets the user's shell. On other operating systems, the default shell is decided by the tool being used.
3. The groups parameter together with the append parameter tells the machine that we want to add the groups sys_admins and developers to this user's existing group membership. Without append, the listed groups replace the user's current supplementary groups.
When creating a user you can set generate_ssh_key to generate an SSH key pair for that user. This will not overwrite an existing SSH key.
Example of the User Module Generating an SSH key
```yaml
- name: Create an SSH key for user1
  user:
    name: user1
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_my_rsa
```
Some commonly used parameters
| Parameter | Comments |
|---|---|
| comment | Optionally sets the description of a user account. |
| group | Optionally sets the user's primary group. |
| groups | List of supplementary groups. When set to an empty value, all groups except the primary group are removed. |
| home | Optionally sets the user's home directory. |
| create_home | Takes a boolean value of yes or no. A home directory is created for the user if the value is yes. |
| system | When creating an account (state=present), setting this to yes makes the user a system account. This setting cannot be changed on an existing user. |
| uid | Sets the UID of the user. |
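Putting these parameters together for the case in the title, the following playbook is an added example, not code from the original page: it provisions a list of accounts on every host in an inventory group, hashes each initial password with the password_hash filter, lets the user module generate a key pair, and removes accounts that must no longer exist. The inventory group name servers, the user and group names, the vault variable names and the removed account are all assumptions.

```yaml
---
# Added example: provision several accounts on every host in the "servers"
# inventory group. User names, groups and variable names are assumed.
- name: Provision user accounts
  hosts: servers
  become: true
  vars:
    # Each entry: login name, supplementary groups and the name of a
    # vault-encrypted variable holding the clear-text initial password.
    managed_users:
      - name: alice
        groups: [sys_admins, developers]
        password_var: alice_initial_password
      - name: bob
        groups: [developers]
        password_var: bob_initial_password
    # Accounts that must no longer exist on any server.
    removed_users:
      - mallory
  tasks:
    - name: Ensure managed users exist with hashed passwords and SSH keys
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
        groups: "{{ item.groups }}"
        append: true
        # The module expects a hash; password_hash('sha512') turns the
        # vaulted clear-text value into a crypt(3) SHA-512 hash.
        password: "{{ lookup('vars', item.password_var) | password_hash('sha512') }}"
        # Apply the password only when the account is first created, so the
        # freshly salted hash above does not report a change on every run.
        update_password: on_create
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_file: .ssh/id_ed25519
        state: present
      loop: "{{ managed_users }}"
      loop_control:
        label: "{{ item.name }}"
      # Keep the password hash out of the play output and any log files.
      no_log: true

    - name: Remove departed users together with their home directories
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ removed_users }}"
```

Run it with `ansible-playbook --ask-vault-pass provision_users.yml` after putting the password variables in a vault-encrypted vars file. The password_hash filter runs on the control node, so only the hash ever reaches the managed hosts.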
The Group Module
The group module allows you to manage (add, delete, modify) groups on the managed hosts. It requires the groupadd, groupdel and groupmod commands on the target. For Windows targets, use the win_group module.
Example of the group module
```yaml
- name: Verify that auditors group exists
  group:
    name: auditors
    state: present
```
Parameters for the group module
| Parameter | Comments |
|---|---|
| gid | Optional GID to set for the group. |
| local | Forces the use of "local" command alternatives on platforms that implement it. |
| name | Name of the group to manage. |
| state | Whether the group should be present or not on the remote host. |
| system | If set to yes, indicates that the group created is a system group. |
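When the same groups are created on many servers it pays to pin their GIDs, otherwise file ownership on shared storage stops matching. The playbook below is an added example, not from the original page: it creates the groups with fixed GIDs and then reads the group database back with the getent module and asserts that each group really has the intended GID. The group names, GID values and the servers inventory group are assumptions.

```yaml
---
# Added example: create groups with fixed GIDs on every host, then verify
# that the GID recorded in /etc/group matches the intended value.
# Group names, GID numbers and the inventory group are assumed.
- name: Ensure required groups exist with consistent GIDs
  hosts: servers
  become: true
  vars:
    managed_groups:
      - { name: sys_admins, gid: 2001 }
      - { name: developers, gid: 2002 }
      - { name: auditors, gid: 2003 }
  tasks:
    - name: Create groups before any user task references them
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.gid }}"
        state: present
      loop: "{{ managed_groups }}"

    - name: Read the group database from the managed host
      ansible.builtin.getent:
        database: group

    # ansible_facts.getent_group maps each group name to [password, gid, members].
    - name: Fail if a group ended up with a GID other than the intended one
      ansible.builtin.assert:
        that:
          - item.name in ansible_facts.getent_group
          - ansible_facts.getent_group[item.name][1] | int == item.gid
        fail_msg: "Group {{ item.name }} does not have GID {{ item.gid }}"
      loop: "{{ managed_groups }}"
```

If a group already existed with a different GID, the group module changes the GID but does not chown files, so the assert passing is not the end of the job on hosts that were set up by hand.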
The known_hosts Module
If you have a large number of host keys to manage you will want to use the known_hosts module. The known_hosts module lets you add or remove host keys from the known_hosts file on the managed host; name is the host name the key belongs to and key is the key line as it would appear in a known_hosts file.
Example of known_hosts Tasks
```yaml
- name: copy host keys to remote servers
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: user1
    key: "{{ lookup('file', 'pubkeys/user1') }}"
```
A lookup plugin allows Ansible to access data from outside sources; the file lookup used here reads a file on the control node at the time the task runs.
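The following is an added example, not part of the original page, of how the module is usually used for a fleet: the public host key of every server in the inventory group is kept in the repository as host_keys/<hostname>.pub (containing only the key type and base64 key), and the play writes each one into the system-wide file on every host so that no account on those hosts has to accept a key on first connection. The directory name, the file naming, the servers inventory group and the decommissioned host name are assumptions.

```yaml
---
# Added example: pin the SSH host keys of all servers in /etc/ssh/ssh_known_hosts
# on every managed host, from key files committed next to the playbook
# (host_keys/<hostname>.pub on the control node). Paths and names are assumed.
- name: Distribute pinned SSH host keys
  hosts: servers
  become: true
  tasks:
    - name: Add the host key of every server in the group
      ansible.builtin.known_hosts:
        path: /etc/ssh/ssh_known_hosts
        # name must match the host name at the start of the key line.
        name: "{{ item }}"
        # known_hosts format is "<host> <type> <base64 key>"; the file holds
        # only "<type> <base64 key>", so the host name is prefixed here.
        key: "{{ item }} {{ lookup('file', 'host_keys/' ~ item ~ '.pub') }}"
        state: present
      loop: "{{ groups['servers'] }}"

    - name: Drop every stored key for a decommissioned host
      ansible.builtin.known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: old-db01.example.com
        state: absent
```

Keeping the key files in version control means a host key change shows up as a reviewed commit rather than as a warning each user has to decide about on their own.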
The authorized_key Module
The authorized_key module allows you to add or remove SSH authorized keys per user account. When adding and removing users across a large bank of servers, you need to be able to manage their SSH keys.
Example of authorized_key Tasks
```yaml
- name: Set authorized key
  authorized_key:
    user: user1
    state: present
    key: "{{ lookup('file', '/home/user1/.ssh/id_rsa.pub') }}"
```
A key can also be fetched from a URL, for example https://github.com/user1.keys.
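As an added example, not code from the original page, the playbook below manages the keys of several accounts at once. The first task uses exclusive so that each user's authorized_keys ends up containing exactly the keys shipped from the repository and nothing added by hand; the second installs a key from a URL with certificate validation and key_options that limit what that key may do once it authenticates. Note that a URL such as the one above is trusted for whatever the owner of that account publishes there. The user names, key file paths, the deploy account and the servers inventory group are assumptions.

```yaml
---
# Added example: manage the authorized keys of several accounts at once.
# User names, key file paths and the deploy account are assumptions.
- name: Manage SSH authorized keys
  hosts: servers
  become: true
  vars:
    ssh_users:
      - name: alice
        pubkey_file: pubkeys/alice.pub
      - name: bob
        pubkey_file: pubkeys/bob.pub
  tasks:
    - name: Make each user's authorized_keys contain exactly the keys we ship
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        # The file may hold several keys, one per line. exclusive removes any
        # key not listed here, so a key added by hand does not survive a run.
        key: "{{ lookup('file', item.pubkey_file) }}"
        exclusive: true
        state: present
      loop: "{{ ssh_users }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Install a key fetched from a URL, verifying the TLS certificate
      ansible.builtin.authorized_key:
        user: deploy
        key: https://github.com/user1.keys
        validate_certs: true
        # Restrict what a session authenticated with this key may do.
        key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        state: present
```

exclusive is applied per loop iteration, which is what you want here because every iteration is a different user; it would not be suitable for looping several keys of the same user, where the last iteration would remove the earlier ones.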