Yeah, the issue is that we have a key-person dependency - when someone generates an API key, it's tied to the Azure AD account they used to log in to Rancher. I've tried using an SP to auth into Rancher to generate a Rancher API key, but there doesn't seem to be any support for using SPs in this way (this is not surprising either).