97

How can I add a user to additional groups with Ansible? For example, I would like to add a user to the sudo group without replacing the user's existing set of groups.

user2514157
vdboor

3 Answers

139

If {{ user }} already exists in the system, you should use the following to just add it to a group:

```yaml
- name: adding existing user '{{ user }}' to group sudo
  user:
    name: '{{ user }}'
    groups: sudo
    append: yes
```

To add it to a set of groups, you can use a comma-separated list, for example `groups: admin,sudo`.

Just beware that if you omit `append: yes`, your user will be removed from all other groups, according to the usermod man page. That would be useful if you want to use a specific list of groups a user should belong to.

admirabilis
  • 25
    …and beware not to write `group:` without the `s`, as this will change the primary GID. – Serge Stroobandt Jun 15 '17 at 20:01
  • ... and beware that if the user does not exist it will be created! – EM0 Jan 24 '19 at 14:03
  • @EM0 Yes, the `user` module is supposed to create users if they don't exist, however, the user should review his code if he is trying to modify users that are not even supposed to exist. – admirabilis Jan 24 '19 at 16:48
  • 1
    Beware: if you're adding a secondary group to an existing user like `www-data`, and its home does not exist (`/var/www/`), it will be created! To avoid this, you must specify `create_home: no`. – 4wk_ Aug 24 '22 at 08:54
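The caveats raised in the answer and comments above (`append`, `groups` versus `group`, accidental user creation, accidental home creation) combined into one play. This is an added example, not code from any of the answers; the account name `deploy` and the variable names `target_user` and `extra_groups` are assumptions.

```yaml
# Added example: append supplementary groups to an account that must already exist.
- name: Add an existing account to sudo without touching its other groups
  hosts: all
  become: true                    # editing group membership needs root
  vars:
    target_user: deploy           # hypothetical account name
    extra_groups:
      - sudo
  tasks:
    - name: Look up the account in the passwd database
      ansible.builtin.getent:
        database: passwd
        key: "{{ target_user }}"
        fail_key: false           # a missing key is recorded as null instead of failing here

    - name: Stop if the account is missing, so the user module cannot create it
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_passwd[target_user] is not none
        fail_msg: "{{ target_user }} does not exist; refusing to create it"

    - name: Append the supplementary groups
      ansible.builtin.user:
        name: "{{ target_user }}"
        groups: "{{ extra_groups }}"   # plural; `group` would change the primary GID
        append: true                   # without this, all other supplementary groups are dropped
        create_home: false             # do not create a missing home directory

    - name: Read back the resulting group membership
      ansible.builtin.command:
        argv:
          - id
          - "-nG"
          - "{{ target_user }}"
      register: id_out
      changed_when: false

    - name: Verify that every requested group is present
      ansible.builtin.assert:
        that:
          - extra_groups is subset(id_out.stdout.split())
```

Running the play with `--check --diff` first shows whether the user task would change anything before it is applied.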
69

According to the User module you can use this:

```yaml
# password expects an already-hashed value, not plaintext
- name: Adding user {{ user }}
  user: name={{ user }}
        group={{ user }}
        shell=/bin/bash
        password={{ password }}
        groups=sudo
        append=yes
```

You can just add the `groups=groupname` and `append=yes` to add them to an existing user when you're creating them.

yaobin
art3mis
  • 3
    Thanks, the `append=yes` is indeed what I'm looking for! – vdboor Oct 26 '13 at 09:21
  • 1
    There seems to be an issue with this: what if the user already exists and I just want to add or remove them from a group? I'm not 100% sure but I think that the "group" attribute is considered only when creating the user. – jlecour Jul 19 '16 at 15:41
  • 4
    I really have an issue with this being the accepted answer, as the question does not state "create a user and add it to a specific group". If we come from a Google search because of the question's title, we'd most likely want to add an existing user to a group. – Daniel F Aug 27 '18 at 11:06
  • How to do it when using "local=yes"? – KumZ Apr 28 '20 at 13:53
21

Please note that {{ user }} was changed to {{ ansible_user }} in recent Ansible versions (https://github.com/ansible/ansible/blob/c600ab81ee/lib/ansible/playbook/play_context.py#L46-L55). Alternatively, you can also use ansible_ssh_user - it's the same. So, the updated code from admirabilis looks like:

```yaml
- name: adding existing user "{{ ansible_user }}" to group sudo
  user:
    name: "{{ ansible_user }}"
    groups: sudo
    append: yes
  become: yes
```

More fixes:

  • Use double quotes so the variable expands
  • Add become: yes since it needs administrative privileges to change the groups file
tinlyx