Benny

Reputation: 879

Adding a user during startup of a machine using CloudFormation

I am trying to create a user using CloudFormation after startup of a Linux machine. I use the following code to do so:

Metadata:
  AWS::CloudFormation::Init:
    config:
      groups:
        ansible: {}
      users:
        ansible:
          groups:
            - "ansible"
          homeDir: "/home/ansible"
      files:
        /home/ansible/.ssh/authorized_keys:
          content: !Sub |
            '{{ resolve:secretsmanager:
              arn:aws:secretsmanager:eu-central-1:account:secret:secretname:
                SecretString:
                  secretstringpath }}'
          mode: "000644"
          owner: "ansible"
          group: "ansible"
Properties:
  UserData:
    Fn::Base64: !Sub |
      #!/bin/bash -xe
      yum update -y
      yum install -y aws-cfn-bootstrap
      /opt/aws/bin/cfn-init -v \
        --stack ${AWS::StackName} \
        --resource LinuxEC2Instance \
        --region ${AWS::Region}

However, during startup I get the following error message:

[ 96.72999017] cloud-init[2959]: Error occurred during build: Failed to add user ansible

What does this error mean? It does not seem to work as expected the way I do it ...

Upvotes: 2

Views: 921

Answers (3)

Mike D.

Reputation: 4114

The problem is caused by adding the custom group with the same name as the new user. When CFN Init creates a new user, it automatically creates a new group with the same name. So adding the custom group with the same name as the user is unnecessary and causes it to throw this error when it tries to create the group again:

2023-03-02 14:18:55,764 [INFO] Created group nwuser successfully
2023-03-02 14:19:15,893 [ERROR] Failed to add user nwuser
2023-03-02 14:19:15,894 [ERROR] Error encountered during build of inst: Failed to add user nwuser
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/posix_security.py", line 77, in create_or_modify_user
    user_record = pwd.getpwnam(user_name)
KeyError: "getpwnam(): name not found: 'nwuser'"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 579, in run_config
    CloudFormationCarpenter(config, self._auth_config, self.strict_mode).build(worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 255, in build
    changes['users'] = UserTool().apply(self._config.users)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/user_group_tools.py", line 83, in apply
    if security.create_or_modify_user(name, attributes.get("groups", []), attributes.get("homeDir", None), uid):
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/posix_security.py", line 82, in create_or_modify_user
    _create_user(user_name, groups, homedir, uid)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/posix_security.py", line 147, in _create_user
    raise ToolError("Failed to add user %s" % user_name)
cfnbootstrap.construction_errors.ToolError: Failed to add user nwuser

Upvotes: 0

Cyro

Reputation: 1

For anyone coming across the "Error occurred during build: Failed to add user" error mentioned by Benny above, I managed to solve this by creating a second config and creating the users within it:

Metadata:
  AWS::CloudFormation::Init:
    configSets:
      ascending:
        - "config1"
        - "config2"
      descending:
        - "config2"
        - "config1"
    config1:
      groups:
        ansible: {}
    config2:
      users:
        ansible:
          groups:
            - "ansible"
          homeDir: "/home/ansible"

Upvotes: 0

Marcin

Reputation: 238937

Before you can assign users to custom groups, you have to create such groups.

For that there is the groups option in AWS::CloudFormation::Init.

For example:

groups: 
  ansible: {}

Upvotes: 2
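
Added example (not part of any post above, and not cfn-init's own code): a pre-deployment check over already-parsed AWS::CloudFormation::Init metadata that flags the two conditions the answers describe, a declared group sharing a user's name (Mike D.) and a user referencing a group that was not declared earlier (Marcin). The function names, finding labels and sample dictionaries are constructed for illustration, and configSets are assumed to be flat lists of config names.

```python
# Added example: lint the groups/users keys of AWS::CloudFormation::Init metadata.
# All names here are hypothetical; the samples are constructed, not real templates.

def config_order(init, config_set=None):
    """Config names in the order cfn-init would be asked to run them.
    Assumption: configSets are flat lists (no nested ConfigSet references)."""
    if config_set is None:
        return ["config"]  # single default config, as in the question
    return list(init["configSets"][config_set])


def lint_users(init, config_set=None):
    """Return a list of (config, user, problem) findings."""
    findings = []
    declared = set()  # groups declared by the configs processed so far
    for name in config_order(init, config_set):
        cfg = init.get(name, {})
        # Within one config, the groups key is processed before users.
        declared |= set(cfg.get("groups", {}))
        for user, attrs in cfg.get("users", {}).items():
            if user in declared:
                # Condition described in Mike D.'s answer.
                findings.append((name, user, "group-name-collision"))
            for group in attrs.get("groups", []):
                if group not in declared:
                    # Condition described in Marcin's answer.
                    findings.append((name, user, "undeclared-group:" + group))
    return findings


# Constructed sample: the question's metadata, parsed into a dict.
QUESTION_INIT = {
    "config": {
        "groups": {"ansible": {}},
        "users": {"ansible": {"groups": ["ansible"], "homeDir": "/home/ansible"}},
    }
}

# Constructed sample: a distinct group name, declared before it is referenced.
CLEAN_INIT = {
    "configSets": {"default": ["config1", "config2"]},
    "config1": {"groups": {"automation": {}}},
    "config2": {"users": {"ansible": {"groups": ["automation"],
                                      "homeDir": "/home/ansible"}}},
}

if __name__ == "__main__":
    print(lint_users(QUESTION_INIT))
    print(lint_users(CLEAN_INIT, "default"))
```
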
