Enable RBAC with the Admin API
To configure RBAC, first create a Super Admin user through the /rbac/users endpoint, then enable RBAC on Kong Gateway by setting enforce_rbac to on in kong.conf (or KONG_ENFORCE_RBAC=on in the environment). The order matters: once RBAC is enforced, every Admin API request must carry a valid user_token, so the Super Admin has to exist before you turn enforcement on.
Prerequisites
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
- Export your license to an environment variable:
  export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
- Run the quickstart script (it is piped straight into bash, so download and review it first if that is your policy):
  curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Configure environment variables
Set the user_token, which is the authentication token presented to the Admin API in the Kong-Admin-Token header. It is a secret: Kong Gateway stores only a hash of it and it cannot be recovered later, so in practice use a long random value and keep it out of shell history and logs. The placeholder below is for illustration only:
export USER_TOKEN=my-admin-token
Create an RBAC Super Admin
In Kong Gateway, a Super Admin has the ability to manage Roles and permissions across Workspaces. Because the username super-admin matches the super-admin RBAC Role, the new user is automatically added to the super-admin Role.
- Create an RBAC Super Admin by sending a POST request to the /rbac/users endpoint (the --json option needs curl 7.82 or newer and --fail-with-body needs 7.76 or newer; --json already sets the Content-Type and Accept headers, so the explicit -H headers are redundant but harmless):
  curl -X POST "http://localhost:8001/rbac/users" \
    --no-progress-meter --fail-with-body \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    --json '{ "name": "super-admin", "user_token": "'$USER_TOKEN'" }'
- Validate the user was created correctly by sending a GET request to the /rbac/users/{name_or_id}/roles endpoint:
  curl "http://localhost:8001/rbac/users/super-admin/roles" \
    --no-progress-meter --fail-with-body
The response body contains information about the super-admin user, including the roles it holds (the comment field on each role describes what that role grants) and the user_token stored as a bcrypt hash rather than in clear text.
{
"user": {
"created_at": 1737580506,
"enabled": true,
"updated_at": 1737580506,
"id": "7d4be888-72f4-4301-b6f7-18d157976f53",
"user_token_ident": "bd4fa",
"name": "super-admin",
"user_token": "$2b$09$SbBJHLkmYuUC2XtfmsYMKeJB/IkfBQeZDamEKGMMAbDtHcg8QlyQC",
"comment": null
},
"roles": [
{
"role_source": "local",
"updated_at": 1737580488,
"comment": "Full access to all endpoints, across all workspaces",
"created_at": 1737580488,
"id": "d49ccbd7-79a9-4687-abb2-4647e4114d92",
"name": "super-admin",
"ws_id": "9fb43832-6ce2-425d-9a33-5450b24b2c00"
}
]
}
Enable RBAC
With a Super Admin created, you can enable RBAC. The Super Admin is a requirement because, after enabling RBAC, every Admin API request must carry the user_token in the Kong-Admin-Token header; without a user that holds the super-admin role you would lock yourself out of the Admin API. Enabling RBAC requires restarting or reloading Kong Gateway. If you used the quickstart script, run the following inside the Kong Gateway Docker container (for example with docker exec). Note that the environment variable override applies only to the Kong process reloaded from that shell; set enforce_rbac = on in kong.conf to make it persist across restarts.
export KONG_ENFORCE_RBAC=on && kong reload
Validate
After the Super Admin is created and RBAC is enabled, the user_token must be passed with Admin API requests otherwise the API will return a 401 Unauthorized error.
You can validate that RBAC is enabled by attempting to access the user list without a user_token:
curl "http://localhost:8001/rbac/users/" \
--no-progress-meter --fail-with-body
If RBAC was enabled correctly, this request will return:
{
"message": "Invalid RBAC credentials"
}
Sending the same request with the user_token in the Kong-Admin-Token header returns 200 and the list of RBAC users:
curl "http://localhost:8001/rbac/users" \
--no-progress-meter --fail-with-body \
-H "Kong-Admin-Token: $USER_TOKEN"
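The two requests above check only the happy path. The script below is an added example, not part of the Kong Gateway documentation or the quickstart script: it turns the Validate step into a repeatable check that classifies the outcome from the two HTTP status codes (no token, then the Super Admin token) and fails loudly when anonymous access still succeeds, when the token is rejected, or when the Admin API is unreachable. ADMIN_URL, USER_TOKEN and the function names are assumptions for this example; only curl is required.

```shell
#!/usr/bin/env sh
# Added example (not Kong's own code): post-enablement check for enforce_rbac.
# Assumes the Admin API at ADMIN_URL (default http://localhost:8001) and the
# Super Admin token in USER_TOKEN; both variable names are assumptions.

ADMIN_URL="${ADMIN_URL:-http://localhost:8001}"

# Print the HTTP status code of a GET against the Admin API.
# $1 = path, $2 = token (empty string means send no Kong-Admin-Token header).
# Connection failures make curl report 000.
admin_status() {
  path="$1"; token="$2"
  if [ -n "$token" ]; then
    curl -s -o /dev/null -w '%{http_code}' \
      -H "Kong-Admin-Token: $token" "$ADMIN_URL$path"
  else
    curl -s -o /dev/null -w '%{http_code}' "$ADMIN_URL$path"
  fi
}

# Classify the RBAC state from the two status codes.
# $1 = status without a token, $2 = status with the Super Admin token.
classify_rbac() {
  case "$1:$2" in
    000:*)   echo unreachable ;;    # Admin API not listening at ADMIN_URL
    401:200) echo enforced ;;       # the expected state after kong reload
    200:200) echo not-enforced ;;   # anonymous access still works: reload did not take
    401:401) echo bad-token ;;      # RBAC is on but USER_TOKEN is not accepted
    401:403) echo forbidden ;;      # token accepted but lacks the super-admin role
    *)       echo "unexpected($1,$2)" ;;
  esac
}

# Run both probes against /rbac/users and exit non-zero unless RBAC is enforced
# and the Super Admin token works.
check_rbac() {
  anon=$(admin_status /rbac/users "")
  auth=$(admin_status /rbac/users "$USER_TOKEN")
  state=$(classify_rbac "$anon" "$auth")
  echo "RBAC state: $state (no token: $anon, with token: $auth)"
  [ "$state" = enforced ]
}

# Only probe the network when a token is actually set in the environment.
if [ -n "$USER_TOKEN" ]; then
  check_rbac
fi
```

Run it as `USER_TOKEN=... sh check-rbac.sh` after `kong reload`; a not-enforced result means the reload did not pick up KONG_ENFORCE_RBAC (typically because the export ran in a different shell or outside the container), and bad-token means the token you are sending is not the one you hashed into the super-admin user.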