Managing System Users Using Ansible

By Anish, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

In this article, we will learn how to manage users using Ansible in an Alibaba Cloud environment. We will start by defining the architecture, as shown in the diagram below.

The diagram shows an Ansible controller node managing various nodes using SSH protocol. Extending this diagram, we are going to create playbooks that will manage different users with their sudoers privilege in the target node.

To follow this tutorial, you will need to have Alibaba Cloud Elastic Compute Service (ECS) instances. If you are not sure how to launch an ECS instance in Alibaba Cloud, refer to this documentation.

Setting Up Ansible User

Here is a quick guide to creating and setting up the ansible user on the controller and target nodes.

Ansible User Setup in Controller Node

Create the ansible remote user that will manage the installation from the Ansible controller node. This user should have appropriate sudo privileges. An example sudoers entry is given below.

Add the user ansible

Switch to the ansible user

Generate the SSH key pair for the ansible user

Copy the public key file to the ansible user's /home/ansible/.ssh directory on the target node

Note down the public key and copy it over to the other machines

Add a file under /etc/sudoers.d granting the ansible user sudo, so it can manage the controller node itself

Ansible User Setup on Target Node

Create the user ansible, create a file named authorized_keys in its .ssh directory, and change the file permissions to 600 (only the owner can read or write the file).

Copy the SSH public key from the ansible_controller node and add it to all the VM which is

Alternatively, from the Ansible controller, run the following command for each target node

Add a file under /etc/sudoers.d granting the ansible user sudo
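The target-node steps above, written as a one-off bootstrap playbook run from the controller. This is an added example and not code from the original article; it assumes the controller's public key is at /home/ansible/.ssh/id_rsa.pub, that the first connection is made with an account that can already become root (for example `ansible-playbook -i hosts -u root -k bootstrap.yml`), and the play and file names are assumptions.

```yaml
---
# Added example: bootstrap the ansible user on target nodes.
# Run once, before the ansible user exists on the target, e.g.:
#   ansible-playbook -i hosts -u root -k bootstrap.yml
- name: Bootstrap the ansible user on target nodes
  hosts: all
  become: yes
  vars:
    # Assumed location of the controller's public key (generated in the controller setup)
    controller_pubkey: /home/ansible/.ssh/id_rsa.pub
  tasks:
    - name: Create the ansible user with a home directory and bash shell
      user:
        name: ansible
        shell: /bin/bash
        create_home: yes
        comment: Ansible remote user

    # authorized_key creates ~/.ssh (0700) and authorized_keys (0600) for the user,
    # which is the permission set required in the manual steps above.
    - name: Install the controller's public key; exclusive so only this key can log in as ansible
      authorized_key:
        user: ansible
        key: "{{ lookup('file', controller_pubkey) }}"
        exclusive: yes

    # A dedicated sudoers.d file keeps the grant separate from /etc/sudoers, and
    # validate runs visudo on the temporary copy so a typo cannot lock sudo out.
    - name: Grant the ansible user passwordless sudo via /etc/sudoers.d
      copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: visudo -cf %s
```

After this play has run, every later playbook can connect as the ansible user with key-based authentication and `become: yes`, without a password on either step.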

Operations Perspective

Managing users in the cloud environment such as Alibaba Cloud is often a security and infrastructure requirement. In general, we deal with three sets of users:

  1. sudo users
  2. non-sudoers users
  3. nologin users (system users)

This lab will utilize and illustrate this concept.

  sudo access      non sudo access   nologin
  user1            user4             user7
  user2            user5
  user3            user6

For security hardening, servers running on Alibaba Cloud should only accept password-less (key-based) logins. Using a change management process (such as git), all users will be deployed to their respective nodes through the Ansible controller. The users must submit their public key to the controller. For example, user1 has submitted a key to be rolled out to the listed servers.

Managing System User Using Ansible

In this section, we will discuss how to add and delete system users using Ansible.

Adding System Users Using Ansible

  1. Create the directory structure in the controller, which should look like this:

     [ansible@controller]$ tree
     .
     └── ssh
         ├── files
         ├── tasks
         │   └── main.yml
         └── vars

     Here are some definitions of the items used in the structure above:
     • ssh: the role for ansible-playbook
     • files: place all the user public keys in this directory
     • tasks: the main.yml file will get executed when this role is run
     • vars: the user definitions will be stored in this directory

  2. Create the file users.yml.

     [ansible@controller]$ tree
     .
     └── ssh
         ├── files
         ├── tasks
         │   └── main.yml
         └── vars
             └── users.yml

  3. In users.yml, add the users that require sudo access and those that don't need sudo access to the list.

     [ansible@controller]$ cat ssh/vars/users.yml
     ---
     users:
       - username: user2
         use_sudo: yes
       - username: user4
         use_sudo: no
       - username: user6
         use_sudo: no

  4. Now submit the public keys of users 2, 4, and 6 in the files directory. The files directory should look like this:

     [ansible@controller]$ tree
     .
     └── ssh
         ├── files
         │   ├── 
         │   ├── 
         │   └── 
         ├── tasks
         │   └── main.yml
         └── vars
             └── users.yml

     4 directories, 5 files

  5. Next, define the tasks the role runs under the tasks directory. Edit the file main.yml and add the following definition.

     [ansible@ ~]$ cat ssh/tasks/main.yml
     ---
     - include_vars: users.yml

     - name: Create users with home directory
       user:
         name: "{{ item.username }}"
         shell: /bin/bash
         create_home: yes
         comment: Created by Ansible
       with_items: "{{ users }}"

     # Keys are installed for every listed user (sudo and non-sudo alike);
     # only the sudoers entry below is conditional on use_sudo.
     - name: Setup | authorized key upload
       authorized_key:
         user: "{{ item.username }}"
         key: "{{ lookup('file', 'files/' ~ item.username ~ '.pub') }}"
       with_items: "{{ users }}"

     # validate runs visudo against the edited copy before it replaces /etc/sudoers,
     # so a malformed line cannot break sudo on the node.
     - name: Sudoers | update sudoers file and validate
       lineinfile:
         dest: /etc/sudoers
         insertafter: EOF
         line: "{{ item.username }} ALL=(ALL) NOPASSWD: ALL"
         regexp: "^{{ item.username }} .*"
         state: present
         validate: visudo -cf %s
       when: item.use_sudo
       with_items: "{{ users }}"

Let’s break down the code:

  1. First, all Ansible variables are included.
  2. Using the Ansible user module, create users from the user list (users.yml).
  3. Using the Ansible authorized_key module, add each user's SSH public key to the created user's home directory.
  4. Finally, add a sudoers entry for each user flagged with use_sudo, so that only those users are granted sudo access.
  5. Run the playbook.

To run this playbook, make sure the Ansible inventory file is set up correctly. An Ansible inventory file lists the servers Ansible manages, arranged in groups. For this example, I have created an inventory file named hosts and added all the nodes to it which I need to manage.

The inventory file looks like this:

Next we will create ssh.yml to tell ansible-playbook to use role ssh.

Finally, run the playbook using the inventory hosts.

The ansible-playbook output shows that the users, with their configured sudoers access, have been pushed to all the managed nodes.
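A version of ssh.yml that applies the ssh role to every host in the inventory, with a pre-flight check that each listed user actually has a public key in the role's files directory before anything is changed on the targets. This is an added example, not the article's own ssh.yml; it assumes the playbook sits beside the ssh role directory (so `{{ playbook_dir }}/ssh/...` resolves) and that the inventory file is named hosts as in the text.

```yaml
---
# Added example: ssh.yml applies the ssh role to all inventory hosts.
# Run as: ansible-playbook -i hosts ssh.yml
- name: Roll out system users and their SSH keys
  hosts: all
  become: yes
  pre_tasks:
    # Load the same user list the role uses, so the check and the role agree.
    - name: Load the user list
      include_vars:
        file: "{{ playbook_dir }}/ssh/vars/users.yml"

    # A missing .pub file would otherwise fail in the middle of the run, after some
    # users have already been created. Stat on the controller, once, before any change.
    - name: Check that every listed user has a public key file on the controller
      stat:
        path: "{{ playbook_dir }}/ssh/files/{{ item.username }}.pub"
      delegate_to: localhost
      become: no
      run_once: yes
      with_items: "{{ users }}"
      register: key_files

    - name: Abort if any public key file is missing
      assert:
        that:
          - key_files.results | rejectattr('stat.exists') | list | length == 0
        fail_msg: >-
          Missing public key for:
          {{ key_files.results | rejectattr('stat.exists') | map(attribute='item.username') | list }}
  roles:
    - ssh
```

Running `ansible-playbook -i hosts ssh.yml --check --diff` first shows which accounts and sudoers lines would change on each node without applying anything; the pre-flight check still runs in check mode because stat and assert are read-only.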

Removing System Users Using Ansible

In the Alibaba Cloud environment, a user has a specific lifecycle. If the user is no longer required to be present in the system, the user must be deleted, and this should happen proactively. For example, if user2 needs to be deleted, then, through the change management process, the users.yml file needs to be edited to remove the entry for user2.

Before deleting user2:

After deleting user2:

Now this user needs to be deleted across the Alibaba Cloud environment, which is managed by the Ansible controller. To do this, create a file deleteusers.yml in the vars directory and maintain in it the set of users that need to be removed from the target nodes.

Next, update the main.yml file in the tasks directory and add the delete instructions:

Finally, run the playbook using the inventory hosts.

The “delete” task has been executed by this playbook. user2 has been removed from all Ansible-managed nodes.
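The delete instructions above, as an added example that is not the article's own main.yml. It assumes deleteusers.yml defines a list named deleted_users (the variable name is an assumption; the article does not show the file) and that the sudoers lines were written with the regexp used in the creation task, so the same pattern removes them. Beyond the case in the text, it also revokes sudo from users who remain in users.yml but whose use_sudo flag was turned off, which removing the entry from users.yml alone does not do.

```yaml
---
# Added example: tasks appended to ssh/tasks/main.yml for user removal.
# Assumes ssh/vars/deleteusers.yml contains (constructed sample):
#   ---
#   deleted_users:
#     - user2
- include_vars: deleteusers.yml

# A username listed in both files would be created and deleted in one run;
# refuse to proceed rather than leave the node in an ambiguous state.
- name: Guard against a user listed for both creation and deletion
  assert:
    that:
      - deleted_users | intersect(users | map(attribute='username') | list) | length == 0
    fail_msg: "A user appears in both users.yml and deleteusers.yml"

# Remove the privilege first, so no sudo grant survives even if account removal fails.
- name: Sudoers | remove entries of deleted users
  lineinfile:
    dest: /etc/sudoers
    regexp: "^{{ item }} .*"
    state: absent
    validate: visudo -cf %s
  with_items: "{{ deleted_users }}"

# remove: yes deletes the home directory (and with it authorized_keys); force: yes
# removes the account even if the user is still logged in.
- name: Remove deleted users together with their home directories
  user:
    name: "{{ item }}"
    state: absent
    remove: yes
    force: yes
  with_items: "{{ deleted_users }}"

# Users kept in users.yml but demoted to use_sudo: no keep their login key,
# but their sudoers line is removed.
- name: Sudoers | revoke sudo from users whose use_sudo flag is off
  lineinfile:
    dest: /etc/sudoers
    regexp: "^{{ item.username }} .*"
    state: absent
    validate: visudo -cf %s
  when: not item.use_sudo
  with_items: "{{ users }}"
```

Because these tasks are part of the same role, every run of `ansible-playbook -i hosts ssh.yml` converges each node on the current users.yml and deleteusers.yml; once user2 is confirmed gone from all nodes, its entry can be dropped from deleteusers.yml in the next change.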


That's the end of this post. In this article, we discussed how to manage users using Ansible, including adding and deleting users. Ansible is a great way of automatically securing an Alibaba Cloud environment. For more references on the Ansible user module, refer to the Ansible website.

