106

How can I add a user to additional groups with Ansible? For example, I would like to add a user to the sudo group without replacing the user's existing set of groups.

3 Answers

77

According to the User module you can use this:

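    # Creates the user with its own primary group; groups=sudo together with
    # append=yes adds sudo without replacing other supplementary groups.
    - name: Adding user {{ user }}
      user: name={{ user }}
            group={{ user }}
            shell=/bin/bash
            password={{ password }}
            groups=sudo
            append=yes

You can just add the groups=groupname and append=yes to add them to an existing user when you're creating them.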

4
  • 3
    Thanks, the append=yes is indeed what I'm looking for! Commented Oct 26, 2013 at 9:21
  • 2
    There seems to be an issue with this: what if the user already exists and I just want to add or remove them from a group? I'm not 100% sure but I think that the "group" attribute is considered only when creating the user. Commented Jul 19, 2016 at 15:41
  • 6
    I really have an issue with this being the accepted answer, as the question does not state "create a user and add it to a specific group". If we come from a Google search because of the question's title, we'd most likely want to add an existing user to a group. Commented Aug 27, 2018 at 11:06
  • How to do it when using "local=yes"? Commented Apr 28, 2020 at 13:53
153

If {{ user }} already exists in the system, you should use the following to just add it to a group:

    - name: Add existing user '{{ user }}' to group sudo
      ansible.builtin.user:
        name: '{{ user }}'
        groups: sudo
        append: true

To add it to a set of groups, you can use a comma separated list, for example groups: admin,sudo.

Just beware that if you omit append: true, your user will be removed from all other groups, according to the usermod man page. That would be useful if you want to use a specific list of groups a user should belong to.

4
  • 26
    …and beware not to write group: without the s, as this will change the primary GID. Commented Jun 15, 2017 at 20:01
  • 1
    ... and beware that if the user does not exist it will be created! Commented Jan 24, 2019 at 14:03
  • @EM0 Yes, the user module is supposed to create users if they don't exist, however, the user should review his code if he is trying to modify users that are not even supposed to exist. Commented Jan 24, 2019 at 16:48
  • 3
    Beware: if you're adding a secondary group to an existing user like www-data, and its home does not exist (/var/www/), it will be created! To avoid this, you must specify create_home: no. Commented Aug 24, 2022 at 8:54
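
The caveats raised in the answer and comments above (append, group versus groups, accounts and home directories created as a side effect) can be combined into one guarded play. This is an added example, not code from any of the answers; target_user, extra_groups and their values are assumed names and constructed sample data, and the listed groups are assumed to exist on the host already.

```yaml
---
# Added example. target_user and extra_groups are assumed variable names.
- name: Add an existing account to extra groups, keeping its current ones
  hosts: all
  become: true
  vars:
    target_user: deploy      # constructed sample account name
    extra_groups: [sudo]     # supplementary groups to add
  tasks:
    # getent fails on a missing key by default, so the play stops here
    # instead of letting the user module create the account.
    - name: Stop if the account does not exist
      ansible.builtin.getent:
        database: passwd
        key: "{{ target_user }}"

    - name: Record group membership before the change
      ansible.builtin.command: id -nG {{ target_user }}
      register: groups_before
      changed_when: false

    - name: Record the primary group before the change
      ansible.builtin.command: id -gn {{ target_user }}
      register: primary_before
      changed_when: false

    - name: Append the extra groups
      ansible.builtin.user:
        name: "{{ target_user }}"
        groups: "{{ extra_groups }}"  # "groups"; "group" would set the primary GID
        append: true                  # without this, other memberships are dropped
        create_home: false            # do not create a missing home directory

    - name: Read group membership after the change
      ansible.builtin.command: id -nG {{ target_user }}
      register: groups_after
      changed_when: false

    - name: Read the primary group after the change
      ansible.builtin.command: id -gn {{ target_user }}
      register: primary_after
      changed_when: false

    - name: Verify nothing was removed and the extra groups are present
      ansible.builtin.assert:
        that:
          - groups_before.stdout.split() | difference(groups_after.stdout.split()) | length == 0
          - extra_groups | difference(groups_after.stdout.split()) | length == 0
          - primary_before.stdout == primary_after.stdout
```

The final assert fails the play if any earlier membership disappeared or the primary group changed, which is what happens when append is left out or group is written in place of groups.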
25

Please note that {{ user }} was changed to {{ ansible_user }} in recent Ansible versions (https://github.com/ansible/ansible/blob/c600ab81ee/lib/ansible/playbook/play_context.py#L46-L55). Alternatively, you can also use ansible_ssh_user - it's the same. So, the updated code from admirabilis looks like:

    - name: adding existing user "{{ ansible_user }}" to group sudo
      user:
        name: "{{ ansible_user }}"
        groups: sudo
        append: yes
      become: yes

More fixes:

  • Use double quotes so the variable expands
  • Add become: yes since it needs administrative privileges to change the groups file
1
  • The question says "a user", it doesn't say "the user executing Ansible". Commented Apr 24, 2023 at 17:53
