Documentation

user - Manage user accounts

Synopsis

  • Manage user accounts and user attributes.
  • For Windows targets, use the win_user module instead.

Parameters

Parameter Choices/Defaults Comments
append
    Choices:
  • no ←
  • yes
If yes, add the user to the groups specified in groups.
If no, user will only be added to the groups specified in groups, removing them from all other groups.
comment
Optionally sets the description (aka GECOS) of user account.
create_home
    Choices:
  • no
  • yes ←
Unless set to no, a home directory will be made for the user when the account is created or if the home directory does not exist.
Changed from createhome to create_home in version 2.5.

aliases: createhome
expires
(added in 1.9)
An expiry time for the user in epoch, it will be ignored on platforms that do not support this. Currently supported on Linux, FreeBSD, and DragonFlyBSD.
force
    Choices:
  • no ←
  • yes
When used with state=absent, behavior is as with userdel --force.
generate_ssh_key
    Choices:
  • no ←
  • yes
Whether to generate a SSH key for the user in question. This will not overwrite an existing SSH key.
group
Optionally sets the user's primary group (takes a group name).
groups
List of groups user will be added to. When set to an empty string '', null, or ~, the user is removed from all groups except the primary group. (~ means null in YAML)
Before version 2.3, the only input format allowed was a comma separated string. Now this parameter accepts a list as well as a comma separated string.
home
Optionally set the user's home directory.
local
(added in 2.4)
    Choices:
  • no ←
  • yes
Forces the use of "local" command alternatives on platforms that implement it. This is useful in environments that use centralized authentification when you want to manipulate the local users. I.E. it uses `luseradd` instead of `useradd`.
This requires that these commands exist on the targeted host, otherwise it will be a fatal error.
login_class
Optionally sets the user's login class for FreeBSD, DragonFlyBSD, OpenBSD and NetBSD systems.
move_home
    Choices:
  • no ←
  • yes
If set to yes when used with home=, attempt to move the user's home directory to the specified directory if it isn't there already.
name
required
Name of the user to create, remove or modify.

aliases: user
non_unique
    Choices:
  • no ←
  • yes
Optionally when used with the -u option, this option allows to change the user ID to a non-unique value.
password
Optionally set the user's password to this crypted value.
On Darwin/OS X systems, this value has to be cleartext. Beware of security issues.
See http://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module for details on various ways to generate these password values.
remove
    Choices:
  • no ←
  • yes
When used with state=absent, behavior is as with userdel --remove.
seuser
(added in 2.1)
Optionally sets the seuser type (user_u) on selinux enabled systems.
shell
Optionally set the user's shell.
On Mac OS X, before version 2.5, the default shell for non-system users was /usr/bin/false. Since 2.5, the default shell for non-system users on Mac OS X is /bin/bash.
skeleton
(added in 2.0)
Optionally set a home skeleton directory. Requires create_home option!
ssh_key_bits Default:
default set by ssh-keygen
Optionally specify number of bits in SSH key to create.
ssh_key_comment Default:
ansible-generated on $HOSTNAME
Optionally define the comment for the SSH key.
ssh_key_file Default:
.ssh/id_rsa
Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory.
ssh_key_passphrase
Set a passphrase for the SSH key. If no passphrase is provided, the SSH key will default to having no passphrase.
ssh_key_type Default:
rsa
Optionally specify the type of SSH key to generate. Available SSH key types will depend on implementation present on target host.
state
    Choices:
  • absent
  • present ←
Whether the account should exist or not, taking action if the state is different from what is stated.
system
    Choices:
  • no ←
  • yes
When creating an account, setting this to yes makes the user a system account. This setting cannot be changed on existing users.
uid
Optionally sets the UID of the user.
update_password
(added in 1.3)
    Choices:
  • always ←
  • on_create
always will update passwords if they differ. on_create will only set the password for newly created users.

Notes

Note

  • There are specific requirements per platform on user management utilities. However they generally come pre-installed with the system and Ansible will require they are present at runtime. If they are not, a descriptive error message will be shown.
  • For Windows targets, use the win_user module instead.

Examples

- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
  user:
    name: johnd
    comment: John Doe
    uid: 1040
    group: admin

- name: Add the user 'james' with a bash shell, appending the group 'admins' and 'developers' to the user's groups
  user:
    name: james
    shell: /bin/bash
    groups: admins,developers
    append: yes

- name: Remove the user 'johnd'
  user:
    name: johnd
    state: absent
    remove: yes

- name: Create a 2048-bit SSH key for user jsmith in ~jsmith/.ssh/id_rsa
  user:
    name: jsmith
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa

- name: Added a consultant whose account you want to expire
  user:
    name: james18
    shell: /bin/zsh
    groups: developers
    expires: 1422403387

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
append
bool
When state is 'present' and the user exists
Whether or not to append the user to groups

Sample:
True
comment
string
When user exists
Comment section from passwd file, usually the user name

Sample:
Agent Smith
create_home
bool
When user does not exist and not check mode
Whether or not to create the home directory

Sample:
True
force
bool
When state is 'absent' and user exists
Whether or not a user account was forcibly deleted

group
int
When user exists
Primary user group ID

Sample:
1001
groups
string
When groups is not empty and state is 'present'
List of groups of which the user is a member

Sample:
chrony,apache
home
string
When state is 'present'
Path to user's home directory

Sample:
/home/asmith
move_home
bool
When state is 'present' and user exists
Whether or not to move an existing home directory

name
string
always
User account name

Sample:
asmith
password
string
When state is 'present' and password is not empty
Masked value of the password

Sample:
NOT_LOGGING_PASSWORD
remove
bool
When state is 'absent' and user exists
Whether or not to remove the user account

Sample:
True
shell
string
When state is 'present'
User login shell

Sample:
/bin/bash
ssh_fingerprint
string
When generate_ssh_key is True
Fingerprint of generated SSH key

Sample:
2048 SHA256:aYNHYcyVm87Igh0IMEDMbvW0QDlRQfE0aJugp684ko8 ansible-generated on host (RSA)
ssh_key_file
string
When generate_ssh_key is True
Path to generated SSH public key file

Sample:
/home/asmith/.ssh/id_rsa
ssh_public_key
string
When generate_ssh_key is True
Generated SSH public key file

Sample:
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC95opt4SPEC06tOYsJQJIuN23BbLMGmYo8ysVZQc4h2DZE9ugbjWWGS1/pweUGjVstgzMkBEeBCByaEf/RJKNecKRPeGd2Bw9DCj/bn5Z6rGfNENKBmo 618mUJBvdlEgea96QGjOwSB7/gmonduC7gsWDMNcOdSE3wJMTim4lddiBx4RgC9yXsJ6Tkz9BHD73MXPpT5ETnse+A3fw3IGVSjaueVnlUyUmOBf7fzmZbhlFVXf2Zi2rFTXqvbdGHKkzpw1U8eB8xFPP7y d5u1u0e6Acju/8aZ/l17IDFiLke5IzlqIMRTEbDwLNeO84YQKWTm9fODHzhYe0yvxqLiK07 ansible-generated on host'
stderr
string
When stderr is returned by a command that is run
Standard error from running commands

Sample:
Group wheels does not exist
stdout
string
When standard output is returned by the command that is run
Standard output from running commands

system
bool
When system is passed to the module and the account does not exist
Whether or not the account is a system account

Sample:
True
uid
int
When UID is passed to the module
User ID of the user account

Sample:
1044


Status

This module is flagged as stableinterface which means that the maintainers for this module guarantee that no backward incompatible interface changes will be made.

Support

For more information about Red Hat’s support of this module, please refer to this Knowledge Base article

Author

  • Stephen Fromm (@sfromm)

Hint

If you notice any issues in this documentation you can edit this document to improve it.