Enable RBAC with the Admin API

Uses: Kong Gateway
Incompatible with: Konnect
Minimum version: Kong Gateway 3.4
TL;DR

To configure RBAC, create a Super Admin user using the /rbac/users endpoint, then enable RBAC on Kong Gateway by setting enforce_rbac to on in kong.conf (or the KONG_ENFORCE_RBAC environment variable).

Prerequisites

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

     Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

Set the user_token, which is the authentication token that’s presented to the Admin API. For example:

export USER_TOKEN=my-admin-token

Create an RBAC Super Admin

In Kong Gateway, a Super Admin has the ability to manage Roles and permissions across Workspaces. Because the username super-admin matches the super-admin RBAC Role, the new user is automatically added to the super-admin Role.

  1. Create an RBAC Super Admin by sending a POST request to the /rbac/users endpoint:

     curl -X POST "http://localhost:8001/rbac/users" \
          -H "Accept: application/json" \
          -H "Content-Type: application/json" \
          --json '{
            "name": "super-admin",
            "user_token": "'$USER_TOKEN'"
          }'
    
  2. Validate the user was created correctly by sending a GET request to the /rbac/users/{name_or_id}/roles endpoint:

     curl "http://localhost:8001/rbac/users/super-admin/roles"
    

The response body contains the super-admin user and the roles assigned to it. The user's user_token is stored and returned only as a hash, so the plaintext token never appears in the Admin API, and the super-admin role's comment field summarizes the permissions that role grants.

    {
      "user": {
        "created_at": 1737580506,
        "enabled": true,
        "updated_at": 1737580506,
        "id": "7d4be888-72f4-4301-b6f7-18d157976f53",
        "user_token_ident": "bd4fa",
        "name": "super-admin",
        "user_token": "$2b$09$SbBJHLkmYuUC2XtfmsYMKeJB/IkfBQeZDamEKGMMAbDtHcg8QlyQC",
        "comment": null
      },
      "roles": [
        {
          "role_source": "local",
          "updated_at": 1737580488,
          "comment": "Full access to all endpoints, across all workspaces",
          "created_at": 1737580488,
          "id": "d49ccbd7-79a9-4687-abb2-4647e4114d92",
          "name": "super-admin",
          "ws_id": "9fb43832-6ce2-425d-9a33-5450b24b2c00"
        }
      ]
    }

Enable RBAC

With a super-admin created, you can proceed to enable RBAC. Creating the super-admin first is required because, once RBAC is enabled, every Admin API request must carry a valid user_token in a header; enabling RBAC before any user exists would leave you with no way to authenticate to the Admin API. Enabling RBAC requires restarting or reloading Kong Gateway. If you are using the quickstart script, run the following from within the Kong Gateway Docker container:

export KONG_ENFORCE_RBAC=on && kong reload

Validate

After the Super Admin is created and RBAC is enabled, the user_token must be passed with every Admin API request; otherwise the API returns a 401 Unauthorized error.

You can validate that RBAC is enabled by sending a request to the /rbac/users endpoint without passing the user_token:

curl "http://localhost:8001/rbac/users/"

If RBAC was enabled correctly, this request will return:

{
  "message": "Invalid RBAC credentials"
}

Sending the same request with the user_token in the Kong-Admin-Token header returns a 200 and the list of Kong Gateway RBAC users.

curl "http://localhost:8001/rbac/users" \
     -H "Kong-Admin-Token: $USER_TOKEN"
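The two-request validation above, turned into a check you can run from a deployment pipeline: it passes only when an anonymous request is rejected with the "Invalid RBAC credentials" message and the same request with the token in the Kong-Admin-Token header succeeds. This is an added example, not code from the Kong docs; the in-process mock of the Admin API is constructed so the check runs offline, and the admin URL it is pointed at is an assumption.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(admin_url, token=None):
    """GET /rbac/users and return (status, body); a 4xx is a result, not an error."""
    req = urllib.request.Request(admin_url.rstrip("/") + "/rbac/users")
    if token:
        req.add_header("Kong-Admin-Token", token)  # header name used on this page
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def rbac_enforced(admin_url, token):
    """True only if the anonymous call is rejected AND the token is accepted.
    200 without a token: enforce_rbac is still off; 401 with the token: wrong token."""
    anon_status, anon_body = probe(admin_url)
    rejected = anon_status == 401 and anon_body.get("message") == "Invalid RBAC credentials"
    return rejected and probe(admin_url, token)[0] == 200

# Constructed stand-in for the Admin API (assumption) so the check can run offline.
class _MockAdminAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        presented = self.headers.get("Kong-Admin-Token")
        if self.server.enforce_rbac and presented != self.server.user_token:
            status, body = 401, {"message": "Invalid RBAC credentials"}
        else:
            status, body = 200, {"data": [{"name": "super-admin"}]}
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def log_message(self, *_):  # keep the mock quiet
        pass

def start_mock(enforce_rbac=True, user_token="my-admin-token"):
    """Start the mock on a free localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockAdminAPI)
    server.enforce_rbac, server.user_token = enforce_rbac, user_token
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    print(rbac_enforced(start_mock(), "my-admin-token"))  # True on an enforcing gateway
```

Against a real gateway, replace the mock URL with the Admin API address (for example http://localhost:8001) and pass the value of USER_TOKEN.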