Is it possible to use the Rancher CLI (or API) knowing only the username and password (after access control has been enabled) vs. the access and secret keys?
The docs seem to require possession of the keys, which can be obtained only prior to enabling access control or require going through the UI. Unfortunately, these don’t play well with creating an idempotent setup process.
No; You could make an argument for this for local auth, but for the others there either is no username/password in the first place (github, saml) or it’s probably an important password to other systems that shouldn’t be written to config files in plaintext (ldap, activedirectory).
The UI is 100% static html/js/css, anything it does can be by definition done through the API. We don’t really document the token auth for UI session because most people have no use for it, but if you really want to create an API key given a username/password you post them to /v2-beta/token endpoint and can then use that to authenticate creating an apikey.