AnsiblePilot — Master Ansible Automation
AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.
Popular Topics
About Luca Berton
Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.
Ansible Password Expiration: Manage User Account Aging & Policies — Video Tutorial
How to manage password expiration with Ansible user module. Set expiry dates, maximum age, warning periods, and enforce password rotation policies.
What You'll Learn
- How to set user password expiration time on Linux with Ansible?
- Ansible user password expiration
- Linux password aging policy
- Parameters
- code
- execution
- before execution
- after execution
- Conclusion
- Set Password Expiry
Full Tutorial Content
How to set user password expiration time on Linux with Ansible?
I'm going to show you a live Playbook with some simple Ansible code.
I'm Luca Berton and welcome to today's episode of Ansible Pilot.
Ansible user password expiration
- ansible.builtin.user
- Manage user accounts
Today we're talking about the Ansible module `user`.
The full name is ansible.builtin.user, which means that is part of the collection of modules "builtin" with ansible and shipped with it.
It's a module pretty stable and out for years, it manages user accounts and supports a huge variety of Linux distributions.
For Windows, use the `ansible.windows.win_user` module instead.
Linux password aging policy
This schema represents the Linux password aging policy.
Let me highlight that the Ansible native module `user` is able to set only the min days `-m` and max days `-M` parameter.
Max days set password policy for requesting password should be renewed, for example in every 90 days.
Min days set the minimum days should be waiting for changing the password again, for example after 7 days from the last change.
To disable password aging specify the value of 99999.
For the other parameters, you need to rely on the `chage` command-line utility or via the Ansible `shell` module.
Parameters
- name string - username
- password_expire_min integer - Linux min days validity (-m)
- password_expire_max integer - Linux max days validity (-M)
This module has many parameters to perform any task.
The only required is "name", which is the username.
In the `password_expire_min` parameter you specify the value of the min days validity.
In the `password_expire_max` parameter you specify the value of the max days' validity.
Please note that these parameters are **Linux only**.
## Playbook
Set user password expiration time with Ansible Playbook.
Pleasee note: [user module password_expiry_min bug and workaround](/articles/ansible-troubleshooting-user-module-bug).
code
- user_expiration.yml
```yaml
---
- name: user module Playbook
hosts: all
become: true
vars:
myuser: "example"
tasks:
- name: password expiration
ansible.builtin.user:
name: "{{ myuser }}"
password_expire_min: 7
password_expire_max: 90
```
execution
```bash
$ ansible-playbook -i Playbook/inventory user\ expiration/user.yml
PLAY [user module Playbook] **********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
ok: [demo.example.com]
TASK [password expiration] *******************************************************************************
changed: [demo.example.com]
PLAY RECAP ***********************************************************************************************
demo.example.com : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ig
About This Tutorial
- Author: Luca Berton
- Difficulty: Beginner
- Read time: 9 min
- Category: installation
Read the full written article: Ansible Password Expiration: Manage User Account Aging & Policies
Related Video Tutorials
- Ansible Create User Account: user Module Complete Guide — How to create user accounts with Ansible user module. Set passwords, SSH keys, groups, shells, home directories, and manage users with examples.
- Ansible group Module: Create & Manage Linux Groups (ansible.builtin.group) — How to create and manage Linux groups with Ansible group module (ansible.builtin.group). Add groups, set GID, manage system groups.
- Ansible Manage Groups: Create, Delete & Modify with group Module — How to manage Linux groups with Ansible group module. Create groups, delete groups, set GIDs, manage system groups, and assign users to groups.
- Add Secondary Groups to Linux Users with Ansible Playbook — Learn how to add secondary groups to Linux users with an Ansible playbook. This step-by-step guide includes YAML configuration and execution details.
- Change the User Primary Group on Linux with Ansible — Learn how to use Ansible to change a user's primary group on Linux systems with the user module.
- ansible.builtin.user: Change User Password with Ansible (Secure Guide) — How to change user passwords with Ansible user module. Hash passwords securely, use Vault for credentials, manage password rotation across servers.