Parameter | Choices/Defaults | Comments |
---|---|---|
`ca_cert` string, added in 2.3 | | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. aliases: ssl_rootcert |
`conn_limit` integer, added in 2.4 | | Specifies the user (role) connection limit. |
`db` string | | Name of database to connect to and where user's permissions will be granted. aliases: login_db |
`encrypted` boolean | | Whether the password is stored hashed in the database. Passwords can be passed already hashed or unhashed, and PostgreSQL ensures the stored password is hashed when `encrypted` is set. Note: PostgreSQL 10 and newer do not support unhashed passwords. Previous to Ansible 2.6, this was `no` by default. |
`expires` string | | The date at which the user's password is to expire. If set to `'infinity'`, the user's password never expires. Note that this value should be a valid SQL date and time type. |
`fail_on_user` boolean | | If `yes`, fail when user (role) can't be removed. Otherwise just log and continue. aliases: fail_on_role |
`login_host` string | | Host running the database. |
`login_password` string | | The password used to authenticate with. |
`login_unix_socket` string | | Path to a Unix domain socket for local connections. |
`login_user` string | Default: "postgres" | The username used to authenticate with. |
`name` string / required | | Name of the user (role) to add or remove. aliases: user |
`no_password_changes` boolean, added in 2.0 | | If `yes`, don't inspect database for password changes. Effective when pg_authid is not accessible (such as AWS RDS). Otherwise, make password changes as necessary. |
`password` string | | Set the user's password; before 1.4 this was required. Password can be passed unhashed or hashed (MD5-hashed). An unhashed password will automatically be hashed when saved into the database if the `encrypted` parameter is set; otherwise it will be saved in plain text format. When passing a hashed password it must be generated with the format `'str["md5"] + md5[ password + username ]'`, resulting in a total of 35 characters. An easy way to do this is `echo "md5$(echo -n 'verysecretpasswordJOE' \| md5sum \| awk '{print $1}')"`. Note that if the provided password string is already in MD5-hashed format, then it is used as-is, regardless of the `encrypted` parameter. |
`port` integer | Default: 5432 | Database port to connect to. aliases: login_port |
`priv` string | | Slash-separated PostgreSQL privileges string: `priv1/priv2`, where privileges can be defined for database (allowed options - 'CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL'. For example `CONNECT`) or for table (allowed options - 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL'. For example `table:SELECT`). Mixed example of this string: `CONNECT/CREATE/table1:SELECT/table2:INSERT`. |
`role_attr_flags` string | | PostgreSQL user attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER. Note that '[NO]CREATEUSER' is deprecated. To create a simple role for using it like a group, use the `NOLOGIN` flag. |
`session_role` string, added in 2.8 | | Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of. Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. |
`ssl_mode` string, added in 2.3 | | Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of `prefer` matches libpq default. |
`state` string | | The user (role) state. |
Note

postgres account on the host.

postgresql, libpq-dev, and python-psycopg2 packages on the remote host before using this module.

```yaml
- name: Connect to acme database, create django user, and grant access to database and products table
  postgresql_user:
    db: acme
    name: django
    password: ceec4eif7ya
    priv: "CONNECT/products:ALL"
    expires: "Jan 31 2020"

# Connect to default database, create rails user, set its password (MD5-hashed),
# and grant privilege to create other databases and demote rails from super user status if user exists
- name: Create rails user, set MD5-hashed password, grant privs
  postgresql_user:
    name: rails
    password: md59543f1d82624df2b31672ec0f7050460
    role_attr_flags: CREATEDB,NOSUPERUSER

- name: Connect to acme database and remove test user privileges from there
  postgresql_user:
    db: acme
    name: test
    priv: "ALL/products:ALL"
    state: absent
    fail_on_user: no

- name: Connect to test database, remove test user from cluster
  postgresql_user:
    db: test
    name: test
    priv: ALL
    state: absent

- name: Connect to acme database and set user's password with no expire date
  postgresql_user:
    db: acme
    name: django
    password: mysupersecretword
    priv: "CONNECT/products:ALL"
    expires: infinity

# Example privileges string format
# INSERT,UPDATE/table:SELECT/anothertable:ALL

- name: Connect to test database and remove an existing user's password
  postgresql_user:
    db: test
    user: test
    password: ""
```
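
The `priv` string format and the MD5 password format from the parameter table, as an added Python pre-flight check (not part of the module or its documentation). The function names are hypothetical; the privilege lists are copied from the `priv` description, and the hash check assumes the lowercase hex digest that `md5sum` prints.

```python
import hashlib
import re

# Privilege names copied from the `priv` parameter description.
DB_PRIVS = {"CREATE", "CONNECT", "TEMPORARY", "TEMP", "ALL"}
TABLE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE",
               "REFERENCES", "TRIGGER", "ALL"}
# Assumption: lowercase hex digest, as md5sum prints it.
MD5_RE = re.compile(r"md5[0-9a-f]{32}")


def parse_priv(priv):
    """Split a priv string into database-level and per-table privilege sets.

    Raises ValueError for a privilege name outside the documented lists.
    """
    grants = {"database": set(), "table": {}}
    for token in filter(None, priv.split("/")):
        if ":" in token:  # table:PRIV[,PRIV...]
            table, _, names = token.partition(":")
            allowed = TABLE_PRIVS
            target = grants["table"].setdefault(table, set())
        else:  # database-level PRIV[,PRIV...]
            names, allowed, target = token, DB_PRIVS, grants["database"]
        wanted = {n.strip().upper() for n in names.split(",")}
        if not wanted <= allowed:
            raise ValueError(f"{token!r}: not allowed: {sorted(wanted - allowed)}")
        target.update(wanted)
    return grants


def broad_grants(grants):
    """List every target that is granted ALL, for least-privilege review."""
    found = ["database"] if "ALL" in grants["database"] else []
    found += [f"table:{t}" for t, p in sorted(grants["table"].items()) if "ALL" in p]
    return found


def md5_password(password, username):
    """Build 'md5' + md5(password + username): 35 characters in total."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_md5_hashed(value):
    """True if value has the md5-hashed shape, which is used as-is."""
    return MD5_RE.fullmatch(value) is not None
```

Running `is_md5_hashed` over a password value before it reaches the task shows whether it will be stored verbatim regardless of `encrypted`, and `broad_grants` flags `ALL` grants for review.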
Common return values are documented here; the following fields are unique to this module:
Key | Returned | Description |
---|---|---|
`queries` list, added in 2.8 | always | List of executed queries. Sample: `['CREATE USER "alice"', 'GRANT CONNECT ON DATABASE "acme" TO "alice"']` |