Create a Super Admin with the Admin API

Uses: Kong Gateway
Incompatible with
konnect
Minimum Version
Kong Gateway - 3.4
TL;DR

After enabling RBAC, you can create a Super Admin user by issuing a POST request to the /rbac/users/ endpoint. Then associate the user to the super-admin role.

Prerequisites

This tutorial requires Kong Gateway Enterprise.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
    
  2. Run the quickstart script with RBAC enabled:

     curl -Ls get.konghq.com/quickstart | bash -s -- -e "KONG_LICENSE_DATA" \
          -e "KONG_ENFORCE_RBAC=on" \
          -e "KONG_ADMIN_GUI_AUTH=basic-auth" \
          -e "KONG_PASSWORD=kong" \
          -e 'KONG_ADMIN_GUI_SESSION_CONF={"secret":"kong", "cookie_lifetime":300000, "cookie_renew":200000, "cookie_name":"kong_cookie", "cookie_secure":false, "cookie_samesite": "off"}'
    

     For more information about these values, see the RBAC reference. Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready
    

Set the following variables:

  • KONG_ADMIN_TOKEN: The KONG_PASSWORD value set when configuring Kong Gateway
  • ADMIN_NAME: The name of the RBAC user that will be associated with the Super Admin Role.
  • USER_TOKEN: The authentication token to be presented to the Admin API. For example:
    export KONG_ADMIN_TOKEN=kong
    export ADMIN_NAME=tim
    export USER_TOKEN=my-admin-token
    

Create the super-admin RBAC user

  1. Create an RBAC user:

    curl -X POST "http://localhost:8001/rbac/users" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN" \
         --json '{
           "name": "'$ADMIN_NAME'",
           "user_token": "'$USER_TOKEN'"
         }'
    
  2. Associate the user to the super-admin role:

    curl -X POST "http://localhost:8001/rbac/users/$ADMIN_NAME/roles" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN" \
         --json '{
           "roles": "super-admin"
         }'
    

Validate

You can validate that the super-admin role was correctly assigned to the RBAC user using the /rbac/users/{user}/roles endpoint:

curl "http://localhost:8001/rbac/users/$ADMIN_NAME/roles" \
     -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN"

If this was configured correctly the response body will look like this:

{
	"user": {
		"enabled": true,
		"updated_at": 1737490456,
		"comment": null,
		"id": "49a1d4e5-e306-4b2d-a343-8973afd1360d",
		"created_at": 1737490456,
		"user_token_ident": "40a46",
		"name": "tim",
		"user_token": "$2b$09$578ORHJCMmpvDTVbB6hDkeIDsXZkUcgBQRemXdrwH2ex8IYBKWSE."
	},
	"roles": [
		{
			"created_at": 1737488148,
			"role_source": "local",
			"name": "super-admin",
			"updated_at": 1737488148,
			"ws_id": "fcde03f2-738e-4b29-a63e-fe0cdcc9a76e",
			"comment": "Full access to all endpoints, across all workspaces",
			"id": "3d7d7bfc-b894-4d9f-b28f-c9396bce201a"
		}
	]
}

You can see that the RBAC role assigned to the user is super-admin.
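The validation step above as an added Python example (not part of the Kong docs): it builds the same request bodies the curl commands send, then checks a /rbac/users/{user}/roles response for the super-admin role, that the user is enabled, and that the user_token echoed back is the bcrypt hash Kong stores rather than the plaintext token. The sample response is constructed from the one shown above; the admin URL, admin token and the fetch_roles helper are assumptions.

```python
import json
import re
import urllib.request

# Constructed sample of the GET /rbac/users/{user}/roles body shown above (trimmed).
SAMPLE_ROLES_RESPONSE = json.dumps({
    "user": {"enabled": True, "name": "tim",
             "user_token": "$2b$09$578ORHJCMmpvDTVbB6hDkeIDsXZkUcgBQRemXdrwH2ex8IYBKWSE."},
    "roles": [{"name": "super-admin", "role_source": "local"}],
})

# Shape of a bcrypt hash: $2b$<cost>$<22-char salt><31-char digest>.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d\d\$[./A-Za-z0-9]{53}$")


def rbac_user_payload(name, user_token):
    """Body for POST /rbac/users, the same fields the tutorial sends with --json."""
    return {"name": name, "user_token": user_token}


def role_payload(roles=("super-admin",)):
    """Body for POST /rbac/users/{user}/roles; Kong takes a comma-separated list."""
    return {"roles": ",".join(roles)}


def validate_roles_response(body, expected_user, plaintext_token, role="super-admin"):
    """Return the problems found in a GET /rbac/users/{user}/roles body (empty = OK)."""
    data = json.loads(body)
    user = data.get("user", {})
    problems = []
    if user.get("name") != expected_user:
        problems.append("unexpected user name")
    if user.get("enabled") is not True:
        problems.append("user is not enabled")
    if role not in {r.get("name") for r in data.get("roles", [])}:
        problems.append(f"role {role!r} not assigned")
    stored = user.get("user_token", "")
    # The Admin API must return the stored hash, never the secret that was posted.
    if stored == plaintext_token or not BCRYPT_RE.match(stored):
        problems.append("user_token is not stored as a bcrypt hash")
    return problems


def fetch_roles(admin_url, admin_token, user):
    """Live check against the Admin API (assumed helper; not used offline)."""
    req = urllib.request.Request(f"{admin_url}/rbac/users/{user}/roles",
                                 headers={"Kong-Admin-Token": admin_token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()
```

Run it against a live gateway with `validate_roles_response(fetch_roles("http://localhost:8001", "kong", "tim"), "tim", "my-admin-token")`; an empty list means the user is set up as the tutorial describes.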

Cleanup

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d