user – Manage user accounts¶
Synopsis¶
- Manage user accounts and user attributes.
- For Windows targets, use the win_user module instead.
Parameters¶
| Parameter | Choices/Defaults | Comments | 
|---|---|---|
| append 
                    boolean
                                                                 | 
 | If  yes, add the user to the groups specified ingroups.If  no, user will only be added to the groups specified ingroups, removing them from all other groups.Mutually exclusive with  local | 
| authorization 
                    string
                                                                 added in 2.8 | Sets the authorization of the user. Does nothing when used with other platforms. Can set multiple authorizations using comma separation. To delete all authorizations, use  authorization=''.Currently supported on Illumos/Solaris. | |
| comment 
                    string
                                                                 | Optionally sets the description (aka GECOS) of user account. | |
| create_home 
                    boolean
                                                                 | 
 | Unless set to  no, a home directory will be made for the user when the account is created or if the home directory does not exist.Changed from  createhometocreate_homein Ansible 2.5.aliases: createhome | 
| expires 
                    float
                                                                 | An expiry time for the user in epoch, it will be ignored on platforms that do not support this. Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD. Since Ansible 2.6 you can remove the expiry time specify a negative value. Currently supported on GNU/Linux and FreeBSD. | |
| force 
                    boolean
                                                                 | 
 | This only affects  state=absent, it forces removal of the user and associated directories on supported platforms.The behavior is the same as  userdel --force, check the man page foruserdelon your system for details and support.When used with  generate_ssh_key=yesthis forces an existing key to be overwritten. | 
| generate_ssh_key 
                    boolean
                                                                 | 
 | Whether to generate a SSH key for the user in question. This will not overwrite an existing SSH key unless used with  force=yes. | 
| group 
                    string
                                                                 | Optionally sets the user's primary group (takes a group name). | |
| groups 
                    list
                                                                 | List of groups user will be added to. When set to an empty string  '', the user is removed from all groups except the primary group.Before Ansible 2.3, the only input format allowed was a comma separated string. Mutually exclusive with  local | |
| hidden 
                    boolean
                                                                 added in 2.6 | 
 | macOS only, optionally hide the user from the login window and system preferences. The default will be  yesif the system option is used. | 
| home 
                    path
                                                                 | Optionally set the user's home directory. | |
| local 
                    boolean
                                                                 added in 2.4 | 
 | Forces the use of "local" command alternatives on platforms that implement it. This is useful in environments that use centralized authentification when you want to manipulate the local users (i.e. it uses  luseraddinstead ofuseradd).This will check  /etc/passwdfor an existing account before invoking commands. If the local account database exists somewhere other than/etc/passwd, this setting will not work properly.This requires that the above commands as well as  /etc/passwdmust exist on the target host, otherwise it will be a fatal error.Mutually exclusive with  groupsandappend | 
| login_class 
                    string
                                                                 | Optionally sets the user's login class, a feature of most BSD OSs. | |
| move_home 
                    boolean
                                                                 | 
 | If set to  yeswhen used withhome: , attempt to move the user's old home directory to the specified directory if it isn't there already and the old home exists. | 
| name 
                    string
                                             / required                     | Name of the user to create, remove or modify. aliases: user | |
| non_unique 
                    boolean
                                                                 | 
 | Optionally when used with the -u option, this option allows to change the user ID to a non-unique value. | 
| password 
                    string
                                                                 | Optionally set the user's password to this crypted value. On macOS systems, this value has to be cleartext. Beware of security issues. To create a disabled account on Linux systems, set this to  '!'or'*'.To create a disabled account on OpenBSD, set this to  '*************'.See https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module for details on various ways to generate these password values. | |
| password_lock 
                    boolean
                                                                 added in 2.6 | 
 | Lock the password (usermod -L, pw lock, usermod -C). BUT implementation differs on different platforms, this option does not always mean the user cannot login via other methods. This option does not disable the user, only lock the password. Do not change the password in the same task. Currently supported on Linux, FreeBSD, DragonFlyBSD, NetBSD, OpenBSD. | 
| profile 
                    string
                                                                 added in 2.8 | Sets the profile of the user. Does nothing when used with other platforms. Can set multiple profiles using comma separation. To delete all the profiles, use  profile=''.Currently supported on Illumos/Solaris. | |
| remove 
                    boolean
                                                                 | 
 | This only affects  state=absent, it attempts to remove directories associated with the user.The behavior is the same as  userdel --remove, check the man page for details and support. | 
| role 
                    string
                                                                 added in 2.8 | Sets the role of the user. Does nothing when used with other platforms. Can set multiple roles using comma separation. To delete all roles, use  role=''.Currently supported on Illumos/Solaris. | |
| seuser 
                    string
                                                                 | Optionally sets the seuser type (user_u) on selinux enabled systems. | |
| shell 
                    string
                                                                 | Optionally set the user's shell. On macOS, before Ansible 2.5, the default shell for non-system users was  /usr/bin/false. Since Ansible 2.5, the default shell for non-system users on macOS is/bin/bash.On other operating systems, the default shell is determined by the underlying tool being used. See Notes for details. | |
| skeleton 
                    string
                                                                 | Optionally set a home skeleton directory. Requires  create_homeoption! | |
| ssh_key_bits 
                    integer
                                                                 | Default: "default set by ssh-keygen" | Optionally specify number of bits in SSH key to create. | 
| ssh_key_comment 
                    string
                                                                 | Default: "ansible-generated on $HOSTNAME" | Optionally define the comment for the SSH key. | 
| ssh_key_file 
                    path
                                                                 | Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory. This parameter defaults to .ssh/id_rsa. | |
| ssh_key_passphrase 
                    string
                                                                 | Set a passphrase for the SSH key. If no passphrase is provided, the SSH key will default to having no passphrase. | |
| ssh_key_type 
                    string
                                                                 | Default: "rsa" | Optionally specify the type of SSH key to generate. Available SSH key types will depend on implementation present on target host. | 
| state 
                    string
                                                                 | 
 | Whether the account should exist or not, taking action if the state is different from what is stated. | 
| system 
                    boolean
                                                                 | 
 | When creating an account  state=present, setting this toyesmakes the user a system account.This setting cannot be changed on existing users. | 
| uid 
                    integer
                                                                 | Optionally sets the UID of the user. | |
| update_password 
                    string
                                                                 | 
 | alwayswill update passwords if they differ.on_createwill only set the password for newly created users. | 
Notes¶
Note
- There are specific requirements per platform on user management utilities. However they generally come pre-installed with the system and Ansible will require they are present at runtime. If they are not, a descriptive error message will be shown.
- On SunOS platforms, the shadow file is backed up automatically since this module edits it directly. On other platforms, the shadow file is backed up by the underlying tools used by this module.
- On macOS, this module uses dsclto create, modify, and delete accounts.dseditgroupis used to modify group membership. Accounts are hidden from the login window by modifying/Library/Preferences/com.apple.loginwindow.plist.
- On FreeBSD, this module uses pw useraddandchpassto create,pw usermodandchpassto modify,pw userdelremove,pw lockto lock, andpw unlockto unlock accounts.
- On all other platforms, this module uses useraddto create,usermodto modify, anduserdelto remove accounts.
See Also¶
See also
- authorized_key – Adds or removes an SSH authorized key
- The official documentation on the authorized_key module.
- group – Add or remove groups
- The official documentation on the group module.
- win_user – Manages local Windows user accounts
- The official documentation on the win_user module.
Examples¶
- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
  user:
    name: johnd
    comment: John Doe
    uid: 1040
    group: admin
- name: Add the user 'james' with a bash shell, appending the group 'admins' and 'developers' to the user's groups
  user:
    name: james
    shell: /bin/bash
    groups: admins,developers
    append: yes
- name: Remove the user 'johnd'
  user:
    name: johnd
    state: absent
    remove: yes
- name: Create a 2048-bit SSH key for user jsmith in ~jsmith/.ssh/id_rsa
  user:
    name: jsmith
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
- name: Added a consultant whose account you want to expire
  user:
    name: james18
    shell: /bin/zsh
    groups: developers
    expires: 1422403387
- name: Starting at Ansible 2.6, modify user, remove expiry time
  user:
    name: james18
    expires: -1
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Status¶
- This module is guaranteed to have backward compatible interface changes going forward. [stableinterface]
- This module is maintained by the Ansible Core Team. [core]
Red Hat Support¶
More information about Red Hat’s support of this module is available from this Red Hat Knowledge Base article.
Authors¶
- Stephen Fromm (@sfromm)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
