ANSIBLE

How to Add a User to Sudoers in Ansible

- by Hitesh Jethva 23
How to Add a User to Sudoers in Ansible

Ansible is a handy tool for automating tasks, including user management on Linux servers. One common task is adding users to the sudoers list, which grants administrative privileges. In Linux, the sudoers file controls which users have permission to run commands as the root user or other specified users. Automating this task with Ansible can save time, reduce errors, and streamline your system administration processes.

In this guide, we will learn how to use Ansible to add a user to the sudoers using different ways.

Let’s dive into each method with examples.

Method 1: Using the Ansible user Module

In this method, we will use the Ansible user module to create a new user and add them to the sudo group, which typically grants sudo access.

Here’s an Example:

---
- name: Add user to sudo group using Ansible user module
  hosts: all
  become: true
  tasks:
    - name: Create a new user 'devuser'
      ansible.builtin.user:
        name: devuser
        state: present

    - name: Add 'devuser' to the sudo group
      ansible.builtin.user:
        name: devuser
        groups: sudo
        append: true

The above configuration creates a new user devuser and adds them to the sudo group. The append: true option ensures that the user is added to the group without removing them from existing groups.

Method 2: Using the lineinfile Module

If you want to directly add a user to the sudoers file, you can use the lineinfile module. This method is useful when you need to specify custom sudo permissions.

Playbook Example:

---
- name: Add user to sudoers file using lineinfile module
  hosts: all
  become: true
  tasks:
    - name: Add 'devuser' to sudoers file
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        line: 'devuser ALL=(ALL:ALL) NOPASSWD:ALL'
        validate: 'visudo -cf %s'

This playbook uses the lineinfile module to add a line to the /etc/sudoers file. The validate option runs visudo to check the syntax before making changes, preventing errors.

Method 3: Using the copy Module

This method uses the copy module to deploy a custom sudoers configuration file. It’s useful for environments where you want standardized sudo configurations across multiple servers.

Playbook Example:

---
- name: Add user to sudoers using copy module
  hosts: all
  become: true
  tasks:
    - name: Copy custom sudoers file
      ansible.builtin.copy:
        src: files/my_sudoers
        dest: /etc/sudoers.d/devuser
        mode: '0440'

Now, create a my_sudoers file inside the files directory with the following content:

devuser ALL=(ALL:ALL) NOPASSWD:ALL

This playbook copies a custom sudoers configuration file to /etc/sudoers.d/devuser. The file permissions are set to 0440 to ensure it is read-only for security purposes. This configuration also allows users to run commands without providing a sudo password.

Verify the Sudo Access

To verify if a user has sudo access using Ansible, you can create a simple playbook that checks if the user can execute a command with elevated privileges using become: true.

Let’s see the below example playbook:

---
- name: Verify if a user has sudo access
  hosts: all
  become: true
  become_user: devuser
  tasks:
    - name: Check sudo access for the user
      ansible.builtin.command: whoami
      register: result
      ignore_errors: true

    - name: Display sudo access result
      debug:
        msg: "The user has sudo access."
      when: result.stdout == "root"

    - name: Display no sudo access result
      debug:
        msg: "The user does NOT have sudo access."
      when: result.stdout != "root"

Explanation:

  • become_user: Switches to the specified user (devuser in this example).
  • command: Executes the whoami command to check the current user identity.
  • debug: Outputs whether the user has sudo access based on the result.

Now, run the above playbook.

 # ansible-playbook verify_sudo_access.yml

If the user has sudo access, you will get the following output:

TASK [Display sudo access result] **********************************************
ok: [localhost] => {
    "msg": "The user has sudo access."
}

If the user does not have sudo access, you should see the following output:

TASK [Display no sudo access result] *******************************************
ok: [localhost] => {
    "msg": "The user does NOT have sudo access."
}

Conclusion

In this article, we covered three methods for adding a user to the sudoers list using the user, lineinfile and the copy module. Each method has its own use case, and the choice depends on your specific requirements.

FAQs

1. How do I safely edit the sudoers file with Ansible?

Use the lineinfile with the validate: 'visudo -cf %s' option to check the syntax before applying changes.

2. Can I conditionally add a user to sudoers in Ansible?

Yes, you can use when conditions to add users based on specific criteria or variables.

3. How can I verify if a user has sudo access using Ansible?

You can check group membership with the groups command or test sudo access using a simple command task like whoami with become: true.

Post Views: 23

Related Posts

Ansible Script Module

Execute a Shell Script on a Remote Server with Ansible Script Module

Ansible Playbook Dry Run and Check Mode

Ansible Playbook Dry Run: How to Run Playbook in “Check Mode”

Ansible File Module

How to Create Files and Directories Using Ansible File Module

About Hitesh Jethva

I am Hitesh Jethva, Founder and Author at Code2DevOps.com. With over 15 years of experience in DevOps and open source technologies, I am passionate about empowering teams through automation, continuous integration, and scalable solutions.

View all posts by Hitesh Jethva