Service Account management and token generation

To give CI/CD access to Kubernetes clusters, I want to have a service account per Project, which has access to manage resources within said project. Then I can use a token for that service account to let my CI/CD tooling run kubectl against the cluster and manage resources.

The question I have is: how can I manage this properly with Rancher? The UI/API does not have a specific way of managing Service Accounts. My idea was to just create Rancher Users and assign a Project Role to them. However, that leaves me with no way of generating tokens for those users without logging in to those users individually and clicking around a bunch of times.

I’m managing Rancher with Terraform and generating random passwords for all these Users. I’d rather not generate anything manually.

What is the suggested way of doing something like this? The documentation does not seem to take anything but humans as being Users. How can this approach accommodate automation?