| aliases | category | classification | date | date_modified | draft | id | image | links | local_archive_links | pinned | series | tags | title | type | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ansible |
public |
2021-02-05 06:19:32 -0800 |
2024-09-23 15:04:44 -0700 |
false |
20210205141932 |
|
false |
false |
|
Generate Crypted Passwords for the Ansible User Module |
tech-note |
The user module can be used to create user accounts and set passwords.
How to use the user module to set passwords for Linux accounts? This is something that took me a while to figure out. Luckily, there is a reference to Ansible FAQ in ansible-doc.
The answer is taken from Ansible FAQ. To get a sha512 password hash with random salt, we can use the following:
{{ 'password' | password_hash('sha512') }}Let us store the plaintext password in Ansible vault:
$ ansible-vault view my_vault.yml
Vault password:
my_password: myPlaintextPasswordOur playbook that uses the vault file my_vault.yml will look something like this:
---
- name: Create New Users
hosts: all
become: true
gather_facts: false
vars_files:
- my_vault.yml
tasks:
- name: Create Users
user:
name: "{{ item }}"
password: "{{ my_password | password_hash('sha512') }}"
shell: /bin/bash
loop:
- alice
- vincentNote that while the playbook does the job, it’s not idempotent. The password hash will be generated every time the playbook is run, and the /etc/shadow file will be updated.
To make the playbook idempotent, set update_password: on_create. This will only set the password for newly created users.
---
- name: Create New Users
hosts: all
become: true
gather_facts: false
vars_files:
- my_vault.yml
tasks:
- name: Create Users
user:
name: "{{ item }}"
password: "{{ my_password | password_hash('sha512') }}"
shell: /bin/bash
update_password: on_create
loop:
- alice
- vincent