🚀 rbac: Allow the RBAC backend API to be called via a specified service token, rather than only authorized user tokens #2822

Open
2 tasks done
mcintoac-aws opened this issue Feb 5, 2025 · 3 comments
Labels
enhancement New feature or request workspace/rbac

Comments

mcintoac-aws commented Feb 5, 2025

🔖 Feature description

I'm not sure if this is already possible, but I am struggling to find a way to accomplish this. Specifically, I am trying to initialize RBAC-plugin roles and policies on startup via the API, rather than the default-policies CSV file.

🎤 Context

This is important for my use case because I then want to be able to add users to these roles via the RBAC UI, therefore the source of the initial roles has to be the API rather than the CSV file.

I've tried to do this via a backend module, via the init function; however, the RBAC-backend API does not support calls from service tokens, only authorized user tokens.

Any ideas on this? Or is this possibly a feature request?

✌️ Possible Implementation

No response

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

@mcintoac-aws mcintoac-aws added the enhancement New feature or request label Feb 5, 2025
Author

mcintoac-aws commented Feb 5, 2025

@AndrienkoAleksandr @dzemanov @christoph-jerolimov @PatAKnight

Tagging code owners for visibility. Thank you in advance for any thoughts or suggestions.

@j-riobello2

Hello,
We need this feature too. I accidentally opened an incident in the backstage project; I am adding the link here: issue 28720

Contributor

dzemanov commented Feb 18, 2025

Hi @j-riobello2 and @mcintoac-aws, currently we do not support service-to-service auth for the modify operations in RBAC due to security risks. We do have tickets to investigate the service-to-service auth flow to determine how this can be implemented securely, @kim-tsao would have more information about that. We have also passed this feature request on over to our PM for review.
