Automated User and Group Management with Ansible and Ansible Vault

Objective

To automate the creation of users, their assignment to groups, and password management across multiple Linux servers using Ansible. Sensitive data, in this case the users' password hashes, is stored encrypted with Ansible Vault rather than in plaintext in the repository.

Task Architecture

Technology Stack

Implementation Steps

Step 1: Setup Ansible Environment

# on the control node: install Ansible and generate an SSH key pair for it
sudo apt update && sudo apt install -y ansible
ssh-keygen -t rsa -b 4096
# copy the public key to every managed node (repeat per host)
ssh-copy-id user@managed_node_ip

Step 2: Create Inventory File

# saved as /etc/ansible/hosts, the default inventory, so the run in Step 6 needs no -i flag
[linux_servers]
server1 ansible_host=192.168.1.10 ansible_user=admin
server2 ansible_host=192.168.1.11 ansible_user=admin

Step 3: Create Ansible Vault for Secure Password Storage

# "create" opens an editor and writes the file already encrypted
ansible-vault create secret.yml
# contents entered in the editor; the values are SHA-512 crypt hashes, not plaintext,
# because the user module writes the value into /etc/shadow as-is
users:
  - name: devuser
    password: "$6$rounds=5000$EXAMPLE$hash"
  - name: opsuser
    password: "$6$rounds=5000$EXAMPLE$hash"
# only needed if secret.yml was written in plaintext instead of with "create"
# (running it on an already encrypted file is an error)
ansible-vault encrypt secret.yml
# later changes: decrypts into the editor and re-encrypts on save
ansible-vault edit secret.yml
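Before the file is encrypted it is worth checking two things: that every password value really is a SHA-512 crypt hash (a plaintext value here would be written into /etc/shadow verbatim, never work as a login, and still be exposed), and that the copy that lands in version control is the vault-encrypted one. The script below is an added example, not part of the original page or of Ansible itself. It assumes the plaintext file uses the users/name/password layout shown above, and relies on the documented ansible-vault header ($ANSIBLE_VAULT;1.1;AES256, or ;1.2;AES256;<vault-id>). Note that the page's placeholder "$6$rounds=5000$EXAMPLE$hash" deliberately fails the hash check.

```shell
#!/bin/sh
# Added example: lint the plaintext secret.yml from Step 3 before encrypting it.
# Assumptions (not from the original page): the file layout is
#   users:
#     - name: <user>
#       password: "<sha512-crypt hash>"
# A real hash can be produced with "openssl passwd -6" or "mkpasswd -m sha-512".

# A SHA-512 crypt string looks like $6$[rounds=N$]salt$hash: the salt is 1-16
# characters and the hash exactly 86 characters from the crypt base64 alphabet.
is_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# ansible-vault writes "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<id>") as the
# first line of an encrypted file. Anything else means the file is still plaintext.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Prints the number of "password:" values in FILE that are not SHA-512 crypt
# hashes. Offending entries are reported by position only, so a plaintext
# password is never echoed to the terminal or a CI log.
count_bad_hashes() {
    n=0
    i=0
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        i=$((i + 1))
        if ! is_sha512_crypt "$value"; then
            printf 'entry %d: password value is not a SHA-512 crypt hash\n' "$i" >&2
            n=$((n + 1))
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*password:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1")
EOF
    echo "$n"
}

# Usage: sh lint_secrets.sh secret.yml
if [ $# -eq 1 ]; then
    if is_vault_encrypted "$1"; then
        echo "$1 is already vault-encrypted; nothing to lint"
    else
        bad=$(count_bad_hashes "$1")
        if [ "$bad" -eq 0 ]; then
            echo "$1: all password values are SHA-512 crypt hashes; safe to run: ansible-vault encrypt $1"
        else
            echo "$1: $bad password value(s) are not SHA-512 crypt hashes" >&2
            exit 1
        fi
    fi
fi
```

The same is_vault_encrypted check is a natural pre-commit hook: reject any secret.yml whose first line is not the vault header, and an unencrypted secrets file can never be pushed by accident.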

Step 4: Create Ansible Role for User Management

ansible-galaxy init roles/user_management
# roles/user_management/tasks/main.yml
# the user module does not create groups, so the group must exist before it is assigned
- name: Ensure the developers group exists
  group:
    name: developers
    state: present

- name: Create user accounts
  user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"   # already a SHA-512 crypt hash from secret.yml
    state: present
    shell: /bin/bash
    groups: "developers"
    append: yes
  loop: "{{ users }}"
  no_log: true   # keep the hashes out of playbook output and logs

Step 5: Create Ansible Playbook

# user_management.yml
---
- name: Manage Users and Groups
  hosts: linux_servers
  become: yes
  vars_files:
    - secret.yml
  roles:
    - user_management

Step 6: Run Ansible Playbook

# on the control node; prompts for the vault password chosen in Step 3
ansible-playbook user_management.yml --ask-vault-pass
# on a managed node: confirm the account and the group exist
getent passwd devuser
getent group developers
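--ask-vault-pass is fine for an interactive run, but an unattended run (cron, CI) needs a vault password file instead, and that file must not be readable by anyone but its owner. The wrapper below is an added example, not part of the original page: it refuses to run unless the password file is mode 0600, does a check-mode pass before changing anything, and verifies the result on every managed node with ansible ad-hoc commands instead of logging in to each host. It assumes the playbook is user_management.yml and that the inventory from Step 2 is at the default location, so no -i flag is needed; the vault password file path is whatever is passed as the first argument.

```shell
#!/bin/sh
# Added example: run the Step 6 playbook unattended with a vault password file.
# Assumptions (not from the original page): playbook user_management.yml in the
# current directory, inventory at the default /etc/ansible/hosts, and the
# password file path given as $1.

# Returns 0 only when FILE is a regular file with mode rw------- (0600).
# The mode is read from "ls -l" so it works without GNU-specific stat flags;
# it is a coarse check and does not inspect ACLs.
vault_pass_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Dry run first (--check makes no changes), then the real run.
run_user_management() {
    passfile=$1
    if ! vault_pass_file_ok "$passfile"; then
        echo "refusing to run: $passfile must be a regular file with mode 0600" >&2
        return 1
    fi
    ansible-playbook user_management.yml --vault-password-file "$passfile" --check || return 1
    ansible-playbook user_management.yml --vault-password-file "$passfile"
}

# Same verification as the manual getent commands, executed on every host in the group.
verify_accounts() {
    ansible linux_servers -m command -a "getent passwd devuser" &&
    ansible linux_servers -m command -a "getent group developers"
}

# Usage: sh run_users.sh /path/to/vault_pass
if [ $# -eq 1 ]; then
    run_user_management "$1" && verify_accounts
fi
```

Keeping the vault password file outside the repository (and out of the playbook directory entirely) is what makes this safe; the permission check only guards against the file being left world-readable on the control node.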

Security Best Practices

Expected Outcome

This setup gives scalable, automated user and group management across all hosts in the inventory, with the password hashes handled only through Ansible Vault.