Parameter |
Choices/Defaults |
Comments |
|---|---|---|
|
conn_limit
(added in 2.4) |
|
Specifies the user connection limit.
|
|
db
|
|
name of database where permissions will be granted
|
|
encrypted
(added in 1.4) |
|
whether the password is stored hashed in the database. boolean. Passwords can be passed already hashed or unhashed, and postgresql ensures the stored password is hashed when encrypted is set.
|
|
expires
(added in 1.4) |
|
The date at which the user's password is to expire.
If set to
'infinity', user's password never expire.Note that this value should be a valid SQL date and time type.
|
|
fail_on_user
|
|
if
yes, fail when user can't be removed. Otherwise just log and continue |
|
login_host
|
Default:
localhost
|
Host running PostgreSQL.
|
|
login_password
|
|
Password used to authenticate with PostgreSQL
|
|
login_unix_socket
|
|
Path to a Unix domain socket for local connections
|
|
login_user
|
Default:
postgres
|
User (role) used to authenticate with PostgreSQL
|
|
name
required |
|
name of the user (role) to add or remove
|
|
no_password_changes
(added in 2.0) |
|
if
yes, don't inspect database for password changes. Effective when pg_authid is not accessible (such as AWS RDS). Otherwise, make password changes as necessary. |
|
password
|
|
set the user's password, before 1.4 this was required.
When passing an encrypted password, the encrypted parameter must also be true, and it must be generated with the format
'str[\"md5\"] + md5[ password + username ]', resulting in a total of 35 characters. An easy way to do this is: echo \"md5`echo -n \"verysecretpasswordJOE\" | md5`\". Note that if the provided password string is already in MD5-hashed format, then it is used as-is, regardless of encrypted parameter.
|
|
port
|
Default:
5432
|
Database port to connect to.
|
|
priv
|
|
PostgreSQL privileges string in the format:
table:priv1,priv2 |
|
role_attr_flags
|
|
PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER
Note that '[NO]CREATEUSER' is deprecated.
|
|
ssl_mode
(added in 2.3) |
|
Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes.
Default of
prefer matches libpq default. |
|
ssl_rootcert
(added in 2.3) |
|
Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities.
|
|
state
|
|
The user (role) state
|
Note
# Create django user and grant access to database and products table
- postgresql_user:
db: acme
name: django
password: ceec4eif7ya
priv: "CONNECT/products:ALL"
# Create rails user, grant privilege to create other databases and demote rails from super user status
- postgresql_user:
name: rails
password: secret
role_attr_flags: CREATEDB,NOSUPERUSER
# Remove test user privileges from acme
- postgresql_user:
db: acme
name: test
priv: "ALL/products:ALL"
state: absent
fail_on_user: no
# Remove test user from test database and the cluster
- postgresql_user:
db: test
name: test
priv: ALL
state: absent
# Set user's password with no expire date
- postgresql_user:
db: acme
name: django
password: mysupersecretword
priv: "CONNECT/products:ALL"
expire: infinity
# Example privileges string format
# INSERT,UPDATE/table:SELECT/anothertable:ALL
# Remove an existing user's password
- postgresql_user:
db: test
user: test
password: NULL
This module is flagged as stableinterface which means that the maintainers for this module guarantee that no backward incompatible interface changes will be made.
Hint
If you notice any issues in this documentation you can edit this document to improve it.