Create a Super Admin with the Admin API

Uses: Kong Gateway
Incompatible with: Konnect
Minimum version: Kong Gateway 3.4
TL;DR

After enabling RBAC, you can create a Super Admin user by issuing a POST request to the /rbac/users/ endpoint. Then associate the user with the super-admin role.

Prerequisites

This tutorial requires Kong Gateway Enterprise.

  1. Export your license to an environment variable:

    export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
    
  2. Run the quickstart script with RBAC enabled:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e "KONG_LICENSE_DATA" \
      -e "KONG_ENFORCE_RBAC=on" \
      -e "KONG_ADMIN_GUI_AUTH=basic-auth" \
      -e "KONG_PASSWORD=kong" \
      -e 'KONG_ADMIN_GUI_SESSION_CONF={"secret":"kong", "cookie_lifetime":300000, "cookie_renew":200000, "cookie_name":"kong_cookie", "cookie_secure":false, "cookie_samesite": "off"}'
    

    For more information about the values, see the RBAC reference. Once Kong Gateway is ready, you will see the following message:

    Kong Gateway Ready
    

Create the super-admin RBAC user

  1. Create an RBAC user:

     # KONG_ADMIN_TOKEN, ADMIN_NAME and USER_TOKEN must already be set in your shell.
     curl -X POST "http://localhost:8001/rbac/users" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN" \
         --json '{
           "name": "'"$ADMIN_NAME"'",
           "user_token": "'"$USER_TOKEN"'"
         }'
    
  2. Associate the user with the super-admin role:

     curl -X POST "http://localhost:8001/rbac/users/$ADMIN_NAME/roles" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN" \
         --json '{
           "roles": "super-admin"
         }'
    

Validate

You can validate that the super-admin role was correctly assigned to the RBAC user using the /rbac/users/{user}/roles endpoint:

 curl "http://localhost:8001/rbac/users/$ADMIN_NAME/roles" \
     -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN"

If this was configured correctly, the response body will look like this:

{
	"user": {
		"enabled": true,
		"updated_at": 1737490456,
		"comment": null,
		"id": "49a1d4e5-e306-4b2d-a343-8973afd1360d",
		"created_at": 1737490456,
		"user_token_ident": "40a46",
		"name": "tim",
		"user_token": "$2b$09$578ORHJCMmpvDTVbB6hDkeIDsXZkUcgBQRemXdrwH2ex8IYBKWSE."
	},
	"roles": [
		{
			"created_at": 1737488148,
			"role_source": "local",
			"name": "super-admin",
			"updated_at": 1737488148,
			"ws_id": "fcde03f2-738e-4b29-a63e-fe0cdcc9a76e",
			"comment": "Full access to all endpoints, across all workspaces",
			"id": "3d7d7bfc-b894-4d9f-b28f-c9396bce201a"
		}
	]
}

You can see that the RBAC role assigned to the user is super-admin.
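
The same validation can be scripted. The Python check below is an added example, not part of Kong's documentation: it parses a /rbac/users/{user}/roles response body and lists anything that differs from the intended grant. The name `check_grant` and the trimmed sample body are constructed for this example, and the handling of an error body carrying a `message` field is an assumption about the Admin API's error shape.

```python
import json
import re

# Body returned by the Validate step on this page, trimmed to the fields read below.
PAGE_RESPONSE = json.dumps({
    "user": {
        "enabled": True, "name": "tim", "user_token_ident": "40a46",
        "user_token": "$2b$09$578ORHJCMmpvDTVbB6hDkeIDsXZkUcgBQRemXdrwH2ex8IYBKWSE.",
    },
    "roles": [{"name": "super-admin", "role_source": "local"}],
})

# bcrypt string: version, two-digit cost, 53 characters of salt plus digest.
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def check_grant(body, expected_user, expected_role="super-admin"):
    """Return a list of problems; an empty list means the grant is as intended."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not JSON"]
    if not isinstance(doc, dict) or not isinstance(doc.get("user"), dict):
        # Assumption: Admin API errors arrive as {"message": ...} with no "user".
        detail = doc.get("message") if isinstance(doc, dict) else None
        return ["no user object in body: %s" % (detail or "unexpected shape")]
    user, problems = doc["user"], []
    if user.get("name") != expected_user:
        problems.append("user is %r, expected %r" % (user.get("name"), expected_user))
    if user.get("enabled") is not True:
        problems.append("user is not enabled")
    # The page's response shows the token stored as a bcrypt hash; flag anything else.
    if not BCRYPT.match(str(user.get("user_token", ""))):
        problems.append("user_token is not a bcrypt hash")
    roles = doc.get("roles")
    names = [r.get("name") for r in roles if isinstance(r, dict)] if isinstance(roles, list) else []
    if expected_role not in names:
        problems.append("role %r not assigned (has %s)" % (expected_role, names))
    return problems


if __name__ == "__main__":
    for problem in check_grant(PAGE_RESPONSE, "tim") or ["ok"]:
        print(problem)
```
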

Cleanup

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
