Creating users with strong, random passwords is critical to maintaining system security. Instead of generating and managing these manually, you can automate the process using Ansible, saving time while reducing the risk of weak or reused passwords.
In this guide, you'll learn three effective methods to generate secure, random passwords and create user accounts with Ansible.
Why Use Random Passwords?
Using random passwords ensures that each user account is protected with a strong, unique password, reducing the risk of unauthorized access. Automated random password generation is particularly useful because:
- Strong, unique passwords reduce the risk of brute-force and credential-stuffing attacks.
- Automation avoids human error and ensures consistency across hosts.
- It makes creating temporary, service, or disposable accounts straightforward and secure.
Method Comparison Table
Method | Tool Used | Pros | Considerations
---|---|---|---
Method 1 | openssl | Universal, no extra dependencies | Requires shell execution
Method 2 | pwgen (community.general) | Customizable passwords | Requires external tool installation
Method 3 | lookup('password') | Native, secure, built-in to Ansible | Requires no shell execution
Method 1: Using the Ansible shell Module with OpenSSL
In this method, we’ll use the shell module to generate a random password and create a user with it.
Here is an example playbook.
```yaml
---
- name: Create a user with random password using openssl
  hosts: all
  become: true
  tasks:
    - name: Generate random password
      ansible.builtin.shell: "openssl rand -base64 12"
      register: random_password

    - name: Create user with random password
      ansible.builtin.user:
        name: devuser
        password: "{{ random_password.stdout | password_hash('sha512') }}"

    - name: Display generated password
      ansible.builtin.debug:
        msg: "Generated password for devuser: {{ random_password.stdout }}"
```
Now, run the above playbook.
```shell
# ansible-playbook create_random_user_openssl.yml
```
Output:
```text
PLAY [Create a user with random password using openssl] ***********************
TASK [Generate random password] ***********************************************
changed: [localhost]
TASK [Create user with random password] ***************************************
changed: [localhost]
TASK [Display generated password] *********************************************
ok: [localhost] => {
    "msg": "Generated password for devuser: XyZ123$abc!"
}
PLAY RECAP ********************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=0
```
In the above playbook:
- We use openssl rand -base64 12 to generate 12 random bytes and base64-encode them, which yields a 16-character random password.
- The password is hashed using password_hash('sha512') before the user is created, so only the hash is written to /etc/shadow.
- The generated plaintext password is displayed using the debug module.
Method 2: Using the community.general.pwgen Plugin
The community.general.pwgen plugin provides an easy way to generate random passwords. This method is recommended if you prefer using Ansible’s built-in capabilities.
Example Playbook
```yaml
---
- name: Create a user with random password using pwgen
  hosts: all
  become: true
  tasks:
    - name: Install pwgen (if not already installed)
      ansible.builtin.package:
        name: pwgen
        state: present

    - name: Generate random password using pwgen
      ansible.builtin.shell: "pwgen -s 12 1"
      register: random_password

    - name: Create user with generated password
      ansible.builtin.user:
        name: devuser
        password: "{{ random_password.stdout | password_hash('sha512') }}"

    - name: Save password to a secure file
      ansible.builtin.copy:
        content: "{{ random_password.stdout }}"
        dest: /root/devuser_password.txt
        mode: '0600'
```
In this playbook:
- We use the pwgen command to generate a secure 12-character password.
- The password is hashed and used to create the user.
- The password is saved to a file with restricted permissions using the copy module.
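Both shell-based methods (Method 1 and Method 2) share two practical weaknesses: the plaintext appears in task output (the debug message, or the registered result in a verbose run or callback log), and because the generating task runs on every play, a second run produces a new password and the user module sets it again. The playbook below is an added example, not part of the original guide, that keeps the openssl approach but provisions the account only once, hides the plaintext and the hash from task output with no_log, and pins the password with update_password: on_create. The target_user variable, the 18-byte length, and the /root/<user>_password.txt destination are choices made for this example.

```yaml
---
- name: Create devuser once with a random password, without leaking it to logs
  hosts: all
  become: true
  vars:
    target_user: devuser   # example account name, not from the original guide
  tasks:
    - name: Check whether the account already exists
      ansible.builtin.command: id -u {{ target_user }}
      register: user_check
      failed_when: false    # a missing account is the normal "create it" case, not an error
      changed_when: false   # a read-only check never reports a change

    - name: Provision the account only when it is missing
      when: user_check.rc != 0
      block:
        - name: Generate 18 random bytes, base64-encoded into 24 characters (no '=' padding)
          ansible.builtin.command: openssl rand -base64 18
          register: random_password
          changed_when: false
          no_log: true      # keeps the plaintext out of stdout and the callback log

        - name: Create the user; on_create means later runs never rotate the password
          ansible.builtin.user:
            name: "{{ target_user }}"
            password: "{{ random_password.stdout | password_hash('sha512') }}"
            update_password: on_create
          no_log: true      # the sha512-crypt hash would otherwise appear in task output

        - name: Hand the plaintext to root on the target only, never to the console
          ansible.builtin.copy:
            content: "{{ random_password.stdout }}\n"
            dest: "/root/{{ target_user }}_password.txt"
            owner: root
            group: root
            mode: '0600'
          no_log: true
```

The existence check keeps the generate and save steps inside one conditional block, so the file under /root always holds the password that was actually set; without it, a re-run with update_password: on_create would overwrite the file with a fresh password the account never received. Use -v or a debug task only when troubleshooting, since no_log suppresses the registered values in output as well.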
Method 3: Generating and Storing Random Passwords Using the lookup Plugin
Ansible's built-in password lookup plugin can generate random passwords on the controller, with no external tool and no shell execution on the target.
Here is a playbook to generate a random password:
```yaml
---
- name: Create a user with random password using lookup plugin
  hosts: all
  become: true
  tasks:
    - name: Generate random password using lookup plugin
      ansible.builtin.set_fact:
        random_password: "{{ lookup('password', '/dev/null length=12 chars=ascii_letters,digits') }}"

    - name: Create user with random password
      ansible.builtin.user:
        name: devuser
        password: "{{ random_password | password_hash('sha512') }}"

    - name: Save password to a file
      ansible.builtin.copy:
        content: "devuser password: {{ random_password }}"
        dest: /root/devuser_password.txt
        mode: '0600'
```
Explanation:
- The password lookup generates a random 12-character password from letters and digits; set_fact freezes that value for the host, because the lookup returns a new password each time it is evaluated and /dev/null stores nothing.
- The password is hashed and used to create the user.
- The password is securely stored in a file with restricted access.
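The /dev/null path above discards the generated value, so every run produces a new password. As an added example that builds on Method 3 (it is not from the original guide), the playbook below points the lookup at a per-host file on the controller: the first run generates the password and stores it there, every later run reads the same value back, and encrypt=sha512_crypt makes the lookup return the hash directly with its salt stored alongside, so the user task stays idempotent. The credentials/<inventory_hostname>/<user> path, the target_user variable, and the final stat check are choices made for this example; like the password_hash filter, the encrypt option assumes passlib (or the crypt fallback) is available on the controller.

```yaml
---
- name: Create devuser with a password generated and kept on the controller
  hosts: all
  become: true
  vars:
    target_user: devuser   # example account name
    # Example path: one file per managed host, resolved relative to the playbook directory.
    # Keep this directory out of version control, or encrypt it afterwards with ansible-vault.
    password_store: "credentials/{{ inventory_hostname }}/{{ target_user }}"
  tasks:
    - name: Create the user from a sha512-crypt hash produced by the password lookup
      ansible.builtin.user:
        name: "{{ target_user }}"
        # First run: generates a 20-character password from letters and digits, writes it
        # (plus the salt) to password_store with mode 0600, and returns the hash.
        # Later runs: reads the same file back, so the hash is unchanged and the task reports ok.
        password: "{{ lookup('ansible.builtin.password', password_store ~ ' length=20 chars=ascii_letters,digits encrypt=sha512_crypt') }}"
        update_password: on_create
      no_log: true   # keep the hash (and any registered data) out of task output

    - name: Confirm the secret stayed on the controller and is readable by its owner only
      ansible.builtin.stat:
        path: "{{ playbook_dir }}/{{ password_store }}"   # assumes playbook-relative resolution
      delegate_to: localhost
      become: false
      register: store
      failed_when: not store.stat.exists or store.stat.mode != '0600'
```

To hand the password to an operator, read the file on the controller (the first field is the plaintext, followed by salt=...) instead of copying it to the managed host; that keeps the secret in one place that can be encrypted with Ansible Vault, as the FAQ below suggests.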
Conclusion
Automating user creation with random, secure passwords using Ansible enhances your infrastructure’s security and eliminates repetitive, error-prone manual steps.
Whether you choose OpenSSL, pwgen, or Ansible's built-in lookup, each method offers a simple, scalable solution for secure account provisioning.
FAQs
1. How do I securely store the generated password in Ansible?
Save the password to a file with restricted permissions or use Ansible Vault for encryption.
2. Why should I use random passwords for new users in Ansible?
Random passwords are strong and unique, reducing the risk of unauthorized access and improving security.
3. How do I handle existing users when running the playbook?
Use the state: present option in the user module to ensure the user exists without making changes if the user is already present.