simoncaron.pve_permissions

Ansible Role: Proxmox VE Permissions (Users/ACLs/Groups/Roles/Pools)

This Ansible Role sets up Users, Roles, Pools, and Groups on a Proxmox VE node.

Tested on Proxmox VE version 7.2.

Requirements

None.

Role Variables

You can use the following variables (see defaults/main.yml for default values):

  • pve_permissions_roles: []
  • pve_permissions_users: []
  • pve_permissions_groups: []
  • pve_permissions_pools: []

Roles

The pve_permissions_roles variable should list roles to create. Each role needs:

  • name: the name of the role
  • privs: a list of privileges for that role. The complete list of privileges is in the Proxmox VE documentation under Permission Management > Privileges.

Example of Role Configuration:

pve_permissions_roles:
  - name: TerraformProv
    privs:
      - VM.Allocate
      - VM.Clone
      - VM.Config.CDROM
      - VM.Config.CPU
      - VM.Config.Cloudinit
      - VM.Config.Disk
      - VM.Config.HWType
      - VM.Config.Memory
      - VM.Config.Network
      - VM.Config.Options
      - VM.Monitor
      - VM.Audit
      - VM.PowerMgmt
      - Datastore.AllocateSpace
      - Datastore.Audit

Users

The pve_permissions_users variable is for defining users and their ACLs on a Proxmox host. Each user entry should include:

  • name: username
  • realm: user realm
  • password: required for new users (not for the root user)
  • Additional optional fields: email, comment, enable (1 or 0), expire, groups, firstname, lastname.

Find more details about each key in the PVE documentation.

Each user must also have a list of ACL permissions in the acls key, which defines a path and a role.

Example of User Configuration:

pve_permissions_users:
  - name: terraform
    realm: pve
    email: terraform@example.com  # placeholder address
    firstname: terra
    lastname: form
    comment: Terraform user
    enable: "1"
    expire: "0"
    groups:
      - Group1
      - Group2
    password: "password"
    acls:
      - path: /
        role: TerraformProv

Note: You cannot assign new groups to an existing user due to a limitation in the pveum tool.

Groups

The pve_permissions_groups variable lists groups to create on the Proxmox instance. Each group should have:

  • name: group name
  • comment: description of the group’s purpose (optional).

Example of Group Configuration:

pve_permissions_groups:
  - name: Group1
    comment: My Group

Pools

The pve_permissions_pools variable should list pools to create on the Proxmox host. Each pool requires:

  • name: the pool name
  • comment: optional description of the pool’s purpose.

Example of Pool Configuration:

pve_permissions_pools:
  - name: terraform
    comment: Resources managed using terraform
  - name: ansible
    comment: Resources managed using ansible
  - name: manual
    comment: Manually created resources

Dependencies

None.

Example Playbook

Here's a simple playbook example:

- hosts: localhost
  
  vars:
    pve_permissions_roles:
      - name: TerraformProv
        privs:
          - VM.Allocate
          - VM.Clone
          - VM.Config.CDROM
          - VM.Config.CPU
          - VM.Config.Cloudinit
          - VM.Config.Disk
          - VM.Config.HWType
          - VM.Config.Memory
          - VM.Config.Network
          - VM.Config.Options
          - VM.Monitor
          - VM.Audit
          - VM.PowerMgmt
          - Datastore.AllocateSpace
          - Datastore.Audit
    pve_permissions_pools:
      - name: terraform
        comment: terraform resources
    pve_permissions_users:
      - name: terraform
        realm: pve
        password: "password"
        acls:
          - path: /
            role: TerraformProv
  roles:
    - simoncaron.pve_permissions

License

MIT

Author Information

This role was created in 2022 by Simon Caron.

Project information

A role to configure Proxmox VE Users, Roles, ACLs and Pools

Install
ansible-galaxy install simoncaron.pve_permissions