How to provision multiple user accounts on multiple servers using Ansible

The User Module

The Ansible user module lets you manage user accounts on a remote host. You can manage a number of parameters including remove user, set home directory, set the UID for system accounts, manage passwords and associated groupings. To create a user that can log into the machine, you need to provide a hashed password for the password parameter.

Example of the User Module

- name: Add new user to the development machine and assign the appropriate groups.
    name: devops_user
    shell: /bin/bash
    groups: sys_admins, developers
    append: yes

Here, 1. The name parameter is the only requirement in the user module and is usually the service account or user account. 2. The shell parameter optionally sets the user’s shell. On other operating systems, the default shell is decided by the tool being used. 3. The groups parameter along with the append parameter tells the machine that we want to append the groups sys_asmins and developers with this user. If you do not use the append parameter then the groups will overwrite in place.

When creating a user you can specify it to generate_ssh_key. This will not overwrite an existing SSH key.

Example of User Module Generating an ssh key

- name: Create a SSH key for user1
    name: user1
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_my_rsa

Some commonly used parameters

comment Optionally sets the description of a user account.
group Optionally sets the user’s primary group.
groups List of multiple groups. When set to a null value, all groups except the primary group is removed.
home Optionally sets the user’s home directory.
create_home Takes a boolean value of yes or no. A home directory will be created for the user if the value is set to yes.
system When creating an account state=present, setting this to yes makes the user a system account. This setting cannot be changed on existing users.
uid Sets the UID od user.

The Group Module

The group module allows you to manage (add, delete, modify) groups on the managed hosts. You need to have groupadd, groupdel or groupmod. For windows targets, use the win_group module.

Example of the group module

- name: Verify that auditors group exists
    name: auditors
    state: present

Parameters for the group module

gid Optional GID to set for the group.
local Forces the use of “local” command alternatives on platforms that implement it.
name Name of the group to manage.
state Whether the group should be present or not on the remote host.
system If set to yes, indicates that the group created is a system group.

The know_host Module

If you have a large number of host keys to manage you will want to use the known_hosts module. The known_hosts module lets you add or remove host keys from the known_hosts file on managed host.

Example of known_host Tasks

- name: copy host keys to remote servers
    path: /etc/ssh/ssh_known_hosts
    name: user1
    key: "{{ lookup('file', 'pubkeys/user1') }}"

A lookup plugin allows Ansible to access data from outside sources.

The authorized_key Module

The authorized_key module allows you to add or remove SSH authorized keys per user accounts. When adding and subtracting users to a large bank of servers, you need to be able to manage ssh keys.

Example of authorized_key Tasks

- name: Set authorized key
    user: user1
    state: present
    key: "{{ lookup('file', '/home/user1/.ssh/') }}

A key can also be taken from a url: