This message was deleted.

Possibly so, but the familiar pattern to me would be the Azure Service Principle having permission to read the Rancher API credential in secret store/vault.

Yeah, the issue is that we have a key person dependency - when someone generates an API key, it's tied to their Azure AD account they used to login to Rancher. I've tried using an SP to auth into Rancher to generate a Rancher API key, but there doesn't seem to be any support for using SPs in this way (this is not surprising either)