
2 Ways to change user password with Ansible

In this blog post, we will discuss two ways to change user passwords with Ansible. The first method is a simple command that can be used to change passwords for a single user.

The second method is a more complex playbook that can be used to change the passwords for multiple users at once. We will also discuss some of the benefits of using Ansible for password management tasks.

Understanding user module in Ansible

The user module is one of the most basic modules in Ansible. It allows you to manage users and groups on your system. You can use the user module to create new users, delete users, change passwords, and more.

This module is part of ansible-core and included in all Ansible installations. In most cases, you can use the short module name user even without specifying the collections: keyword.

The full name is ansible.builtin.user, which means that it is part of the “builtin” collection of modules shipped with Ansible. It is a stable module that has been available for years, and it manages user accounts.

User module Parameters in Ansible

  • name string – username
  • state string – present/absent
  • password string – Linux encrypted, macOS cleartext

 

This module has many parameters for different tasks; we have listed only the ones required here. “name” is the username. In the “state” parameter we need to specify the “present” option, since we obviously can’t change the password of a non-existent account.

The most important parameter is “password”, which allows you to specify the new password. For a macOS target, the password is in cleartext. For a Linux target, the “password” must already be encrypted (hashed) before it is passed to the module.

We can use the “password_hash” filter to generate the password hash. Please note that you can specify the hashing algorithm as well as the salt to make your password hash more robust.

Since Ansible does not allow us to pass a cleartext password through the user module, we’ll need to install the passlib module, a password hashing library for Python, for the filter to use.

pip install passlib

Using command line to change user password with Ansible

If you prefer to run it only once, directly from the command line, here’s the command:


ansible -i inventory all -m user -a "name=admin update_password=always password={{ newpassword|password_hash('sha512') }}" -b --extra-vars "newpassword=Nihao"

This command will change the password of the admin user to Nihao on all the servers.

  • -i, --inventory, --inventory-file: specify inventory host path or comma separated host list.
  • -m <MODULE_NAME>, --module-name <MODULE_NAME>: module name to execute (default=command)
  • -a <MODULE_ARGS>, --args <MODULE_ARGS>: module arguments
  • -e, --extra-vars: set additional variables as key=value or YAML/JSON

 

Using playbook to change user password with Ansible

Playbooks are more complex than the simple command, but they offer some benefits. For example, playbooks can be used to change the passwords for multiple users at once. Playbooks can also be used to automate the process of changing passwords on a regular basis.

- hosts: all
  become: yes
  tasks:
    - name: Change user password
      user:
        name: admin
        update_password: always
        password: "{{ newpassword|password_hash('sha512') }}"

To run this playbook, use the command below. It passes in the newpassword variable that the playbook uses.

ansible-playbook -i inventory change-password.yml --extra-vars newpassword=Nihao

We can also use the following example to change the user password in an Ansible playbook.

- name: user module demo
  hosts: all
  become: true
  vars:
    user: "example"
    password: "password"
  tasks:
    - name: change password
      ansible.builtin.user:
        name: "{{ user }}"
        state: present
        password: "{{ password | password_hash('sha512') }}"

ansible-playbook -i inventory change-password.yml
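
Passing newpassword with --extra-vars, or hard-coding it under vars, leaves the cleartext in shell history, the process list, or the playbook file. The playbook below is an added example, not part of the original post: it prompts for the password instead, changes it for several users in one run, and keeps it out of the task output. The file name change-passwords.yml and the user names in target_users are assumptions made for illustration.

```yaml
# change-passwords.yml (added example; file name and user list are hypothetical)
- name: Change the password of several users without exposing it
  hosts: all
  become: true

  vars_prompt:
    - name: newpassword
      prompt: "New password"
      private: true        # do not echo what is typed
      confirm: true        # ask twice to catch typos

  vars:
    target_users:          # constructed sample list, replace with real accounts
      - admin
      - deploy

  tasks:
    - name: Set the password hash for each user
      ansible.builtin.user:
        name: "{{ item }}"
        # "present" creates the account if it is missing, so list only
        # accounts that already exist.
        state: present
        update_password: always
        # password_hash() picks a random salt when none is given, so the hash
        # differs on every run and the task always reports "changed".
        # Seeding the salt with host name + user name keeps it stable per
        # account, so "changed" appears only when the password really differs.
        password: >-
          {{ newpassword
             | password_hash('sha512',
                             65534 | random(seed=inventory_hostname ~ item) | string) }}
      loop: "{{ target_users }}"
      no_log: true         # keep the password and its hash out of output and logs
```

Run it with ansible-playbook -i inventory change-passwords.yml and type the password at the prompt.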

There are many benefits to using Ansible for password management tasks. Ansible is a simple, powerful, and easy-to-use tool that can help you automate complex tasks like changing user passwords. Ansible is also free and open source software. This means that you can use it for any purpose, including changing passwords on a regular basis.

Thanks for reading! We hope this blog post has been helpful.