Ansible :: Create Users, Set Password, SSH Keys & more

In this post we go step by step through creating multiple users, setting a password for each of them, generating SSH keys, and forcing the user to change the password at the next logon. I’m writing this post because, on the day of writing, I could not find an end-to-end automation example for this simple use case 🙂

Below is the list of required files and their content.

ansible.cfg

[defaults]
inventory=inventory
remote_user=admin
ask_pass=False
# ansible_python_interpreter is a host/inventory variable, not a config key;
# the ansible.cfg equivalent (Ansible 2.8+) is interpreter_python
interpreter_python=/usr/bin/python3.6
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

inventory

[worker_nodes]
localbox1
localbox2
localbox3

add_users.yml

---
- name: Create New Users
  hosts: all
  become: true
  gather_facts: false
  vars_files:
    - users_pass.yml   # vault-encrypted; must define user_pass and user_salt
    - usernames.yml    # defines the names list
  tasks:
    - name: Create Users, Home Directory and add to groups
      user:
        name: "{{ item }}"
        # sha512-crypt hash; the salt is at most 16 characters from ./0-9A-Za-z
        password: "{{ user_pass | password_hash('sha512', user_salt) }}"
        shell: /bin/bash
        system: no
        state: present
        createhome: yes
        # list supplementary groups here (e.g. [sudo]); empty means none
        groups:
        append: yes
        home: "/home/{{ item }}"
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
        # ssh_key_type: ed25519 is the stronger choice on current OpenSSH
        # never overwrite the password of an account that already exists
        update_password: on_create
      loop: "{{ names }}"
      register: user_status

    # Only accounts created in this run get the forced change; looping over
    # the registered results keeps a re-run from resetting existing users.
    - name: Force password change at next logon for newly created users
      command: chage -d 0 "{{ item.item }}"
      loop: "{{ user_status.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.changed

usernames.yml

names:
  - "alpha"
  - "beta"
  - "cuda"

users_pass.yml {Ansible Vault Encrypted}

$ANSIBLE_VAULT;1.1;AES256
61343830346137346265383361303764343134386663353637633131326336623331633533383166
6232363536343564323435623664343233653464346334370a656330346330316535373231326137
65626233666539646237303663663862633037383835646434386434653831306334313135633764
3865383365373133310a326530343039303762343161383835306539303833653937366339356239
36333839646666626537613134313662336535316466393261633236653136303436616532383231
6666323833316161343963353436343865643433636235646431

Follow the steps below to create users, passwords, home directories and SSH keys.

  1. Install Ansible and add the managed nodes to the inventory
  2. Create a directory called “playbooks”
  3. Create all of the above files and place them in playbooks, except users_pass.yml
  4. Create the encrypted users_pass.yml to store the user password and salt
    1. Run ansible-vault create users_pass.yml and enter a vault password; the command opens an editor for the new file
    2. In the editor, enter the two variables the playbook expects as YAML (not a bare password line) and save: user_pass: "<password common to all users>" and user_salt: "<up to 16 characters from ./0-9A-Za-z>"
    3. To edit the file in future use ansible-vault edit users_pass.yml and provide the vault password
    4. To view the file use ansible-vault view users_pass.yml and provide the vault password
  5. Run ansible-playbook add_users.yml --syntax-check --ask-vault-pass and enter the vault password to check the playbook syntax (if there are any errors, let me know in the comments section)
  6. Run ansible-playbook add_users.yml --ask-vault-pass and enter the vault password to execute the playbook on the managed nodes
    • Alternatively, save the vault password to a hidden file and replace --ask-vault-pass with --vault-password-file .vault_pass.key. Restrict the file to its owner (chmod 600 .vault_pass.key) and keep it out of version control: anyone who can read it can decrypt users_pass.yml
  7. Test by logging in to the managed nodes using the new user accounts. The user will be prompted to change the password after the logon.
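An interactive logon is one way to test step 7; a check that can run unattended is to read the accounts' shadow entries. In /etc/shadow the second field is the password hash, where a `$6$` prefix marks sha512-crypt as produced by the playbook, and the third field is the day of the last password change; chage -d 0 sets it to 0, which is exactly what forces the change at the next logon. The script below is an added example, not part of the original post: it checks each name from usernames.yml against shadow data and reports any account that is missing, locked, hashed with a weaker scheme, or not forced to change its password. The sample shadow lines are constructed for the example; on a managed node you would pass it the output of `getent shadow` as root.

```shell
#!/bin/sh
# Added example (not from the original post): verify the state the
# playbook should leave behind by inspecting shadow entries.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:
# A $6$ hash is sha512-crypt; lastchg=0 forces a change at next logon.

# Constructed sample standing in for `getent shadow` on a managed node.
SAMPLE_SHADOW='alpha:$6$abcdefghijklmnop$FAKEHASHFAKEHASHFAKEHASH:0:0:99999:7:::
beta:$6$abcdefghijklmnop$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
cuda:$1$zz$legacymd5hash:0:0:99999:7:::
gamma:!:0:0:99999:7:::'

# Print the shadow line for one user, or fail if the account is absent.
shadow_line() {
    user=$1
    printf '%s\n' "$2" | grep "^${user}:" || return 1
}

# 0 when the account is in the expected state; a distinct non-zero code
# per failure, with the reason on stderr.
check_user() {
    user=$1
    line=$(shadow_line "$user" "$2") || { echo "$user: no account" >&2; return 1; }
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    case "$hash" in
        '$6$'*) ;;
        '!'*|'*'|'') echo "$user: password locked or unset" >&2; return 2 ;;
        *) echo "$user: hash is not sha512-crypt" >&2; return 3 ;;
    esac
    if [ "$lastchg" != "0" ]; then
        echo "$user: not forced to change password (lastchg=$lastchg)" >&2
        return 4
    fi
    return 0
}

# Check every user from usernames.yml; returns the number of failures.
check_all() {
    shadow=$1
    shift
    failed=0
    for u in "$@"; do
        if check_user "$u" "$shadow"; then
            echo "$u: ok"
        else
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage on a managed node (as root): check_all "$(getent shadow)" alpha beta cuda
# Usage with the constructed sample:  check_all "$SAMPLE_SHADOW" alpha beta cuda
```

With the sample data only alpha passes: beta was never put through chage -d 0, cuda carries an md5-crypt hash that the playbook would not have produced, and gamma is locked. Running it after every playbook run is a cheap way to catch the case where a re-run skipped the chage task for an account that still needs it.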

I hope you’ve followed all the steps and are now able to create multiple users with Ansible automation.

What am I missing here? Let me know in the comments and I’ll add it in!