How to Change a User Password with Ansible

Welcome to another episode of Ansible Pilot! I’m Luca Berton, and in today’s session, we’ll explore how to change a user password using Ansible. The Ansible module we’ll be focusing on is ansible.builtin.user, a stable and well-established module that comes bundled with Ansible. It’s designed to manage user accounts on various Linux distributions, SunOS, macOS, and FreeBSD.

Understanding the Ansible user Module

The ansible.builtin.user module falls under the “builtin” collection of Ansible modules, indicating its integral nature within the Ansible framework. This module has been around for years and proves reliable in handling user accounts across a wide range of operating systems. For Windows environments, the equivalent module is ansible.windows.win_user.

Key Parameters

The user module offers a plethora of parameters to cater to various user management tasks. Here are some key parameters:

  • name (string): Specifies the username.
  • state (string): Indicates whether the user should be present or absent.
  • password (string): For Linux, the password must be encrypted; for macOS, it can be in cleartext.

The only mandatory parameter is “name” since it denotes the username. The “state” parameter is crucial and should be set to “present” when changing the password, as it ensures the account exists. The most significant parameter is “password,” allowing you to set the new password. For macOS, the password is in cleartext, while for Linux, it must be encrypted. The password_hash filter can be used to generate an encrypted password. Optionally, you can specify the encryption algorithm and salt to enhance password security.

Live Demo: Changing a User Password in Linux

Let’s dive into a practical Ansible playbook to Playbooknstrate changing a user account password in a Linux environment.

Ansible Playbook Code

  • change_password.yml
---
- name: user module Playbook
  hosts: all
  become: true
  vars:
    myuser: "example"
    mypassword: "password"
  tasks:
    - name: change password
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password: "{{ mypassword | password_hash('sha512') }}"

Playbook Execution Output

$ ansible-playbook -i Playbook/inventory change\ user\ password/user.yaml
PLAY [user module Playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [change password] ****************************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Verification

$ sshpass -p 'password' [email protected]

Note: Ensure that the sshpass utility is installed on the system.

Conclusion

Congratulations! You’ve successfully learned how to change a user password using Ansible. The ansible.builtin.user module provides a robust and versatile solution for managing user accounts. Feel free to customize the playbook to suit your environment and security requirements. Happy automating!

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my Udemy 300+ Lessons Video Course.

BUY the Complete Udemy 300+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Patreon Buy me a Pizza