Parameter | Choices/Defaults | Comments |
---|---|---|
conn_limit (added in 2.4) | | Specifies the user connection limit. |
db | | Name of database where permissions will be granted. |
encrypted (boolean, added in 1.4) | | Whether the password is stored hashed in the database. Passwords can be passed already hashed or unhashed, and PostgreSQL ensures the stored password is hashed when `encrypted` is set. Note: PostgreSQL 10 and newer doesn't support unhashed passwords. Previous to Ansible 2.6, this was `no` by default. |
expires (added in 1.4) | | The date at which the user's password is to expire. If set to `'infinity'`, the user's password never expires. Note that this value should be a valid SQL date and time type. |
fail_on_user (boolean) | | If `yes`, fail when user can't be removed. Otherwise just log and continue. |
login_host | Default: localhost | Host running PostgreSQL. |
login_password | | Password used to authenticate with PostgreSQL. |
login_unix_socket | | Path to a Unix domain socket for local connections. |
login_user | Default: postgres | User (role) used to authenticate with PostgreSQL. |
name / required | | Name of the user (role) to add or remove. |
no_password_changes (boolean, added in 2.0) | | If `yes`, don't inspect database for password changes. Effective when `pg_authid` is not accessible (such as AWS RDS). Otherwise, make password changes as necessary. |
password | | Set the user's password. Before 1.4 this was required. Password can be passed unhashed or hashed (MD5-hashed). An unhashed password will automatically be hashed when saved into the database if the `encrypted` parameter is set; otherwise it will be saved in plain text format. When passing a hashed password it must be generated with the format `'str["md5"] + md5[ password + username ]'`, resulting in a total of 35 characters. An easy way to do this is `echo "md5$(echo -n 'verysecretpasswordJOE' \| md5sum \| awk '{print $1}')"`. Note that if the provided password string is already in MD5-hashed format, then it is used as-is, regardless of the `encrypted` parameter. |
port | Default: 5432 | Database port to connect to. |
priv | | PostgreSQL privileges string in the format: `table:priv1,priv2`. |
role_attr_flags | | PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER. Note that '[NO]CREATEUSER' is deprecated. |
ssl_mode (added in 2.3) | | Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of `prefer` matches libpq default. |
ssl_rootcert (added in 2.3) | | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. |
state | | The user (role) state. |
Note
```yaml
# Create django user and grant access to database and products table
- postgresql_user:
    db: acme
    name: django
    password: ceec4eif7ya
    priv: "CONNECT/products:ALL"
    expires: "Jan 31 2020"

# Create rails user, set its password (MD5-hashed) and grant privilege to create other
# databases and demote rails from super user status
- postgresql_user:
    name: rails
    password: md59543f1d82624df2b31672ec0f7050460
    role_attr_flags: CREATEDB,NOSUPERUSER

# Remove test user privileges from acme
- postgresql_user:
    db: acme
    name: test
    priv: "ALL/products:ALL"
    state: absent
    fail_on_user: no

# Remove test user from test database and the cluster
- postgresql_user:
    db: test
    name: test
    priv: ALL
    state: absent

# Set user's password with no expire date
- postgresql_user:
    db: acme
    name: django
    password: mysupersecretword
    priv: "CONNECT/products:ALL"
    expires: infinity

# Example privileges string format
# INSERT,UPDATE/table:SELECT/anothertable:ALL

# Remove an existing user's password
- postgresql_user:
    db: test
    user: test
    password: ""
```
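The hashed-password format described for the `password` parameter, as an added Python example that is not part of the Ansible documentation or the module's code. It builds the 35-character value, checks that a hash belongs to a given role name (the username is part of the hashed input), and reports how a value would be stored according to the parameter table. The function names and the lowercase-hex check are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Page's format: the literal "md5" + md5(password + username) = 35 characters.
# Requiring lowercase hex is an assumption of this example, not module behaviour.
MD5_FORMAT = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_hash(password, username):
    """Build the value to pass as `password` when supplying a pre-hashed secret."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def hash_matches(hashed, password, username):
    """True if `hashed` was derived from this password for this role name.

    The role name is part of the hashed input, so a hash built for one role
    does not match another role that uses the same password.
    """
    expected = pg_md5_hash(password, username)
    return hmac.compare_digest(hashed.encode("utf-8"), expected.encode("utf-8"))


def storage_outcome(password, encrypted=True):
    """Describe how a `password` value ends up stored, per the parameter table."""
    if password == "":
        return "removed"             # the page's "remove an existing password" case
    if MD5_FORMAT.fullmatch(password):
        return "used as-is"          # regardless of `encrypted`
    return "hashed on save" if encrypted else "plain text"


if __name__ == "__main__":
    # Constructed sample input: values taken from the page's own examples.
    print(pg_md5_hash("verysecretpassword", "JOE"))
    samples = [("ceec4eif7ya", True), ("ceec4eif7ya", False),
               ("md59543f1d82624df2b31672ec0f7050460", False), ("", True)]
    for value, enc in samples:
        print(repr(value), "encrypted=%s" % enc, "->", storage_outcome(value, enc))
```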