# Create ONTAP API Key for specific volume's snapshots


smoky field
#

I want to write a script that does CRUD for a specific volume's snapshots for a specific individual, so he has access to his volume but not everything else on the NetApp.
I created a role with all access to the /api/storage/volumes/{voluuid}/snapshots endpoint, but I don't know how to create a token/key that matches the role privileges I gave, to use in scripts or other automations.

vagrant carbon
#

I’m interested as well. Is this even a capability?

minor sparrow
#

I don't think ONTAP has the functionality of API keys. I believe this is the process:

  1. Create User (AD, ONTAP, whatever...)
  2. Create Role
  3. Assign Role to User
  4. User uses credentials to authenticate.

Let me check something in a lab...

#

Yea, that's what I'm seeing.

sour ruin
#

Came with ONTAP 9.14.1:

OAuth 2.0 Authorization Framework
The Open Authorization (OAuth 2.0) framework is added and provides token-based authentication for ONTAP REST API clients. This enables more secure management and administration of the ONTAP clusters using automation workflows powered by REST API scripts or Ansible. The standard OAuth 2.0 features are supported, including issuer, audience, local validation, remote introspection, remote user claim, and proxy support. Client authorization can be configured using self-contained OAuth 2.0 scopes or by mapping the local ONTAP users. Supported Identity Providers (IdP) include Auth0 and Keycloak using multiple concurrent servers.

Enhancements to OAuth 2.0 support
ONTAP 9.14.1 extends the core token-based authentication and OAuth 2.0 support initially provided with ONTAP 9.14.0. Authorization can be configured using Active Directory or LDAP with group-to-role mapping. Sender-constrained access tokens are also supported and secured based on Mutual TLS (mTLS). In addition to Auth0 and Keycloak, Microsoft Windows Active Directory Federation Service (ADFS) is supported as an Identity Provider (IdP).

smoky field
#

I'm running 9.11 atm, but I guess it would allow creating a token for use in scripts without having manual authentication.
I chose to go with the ssh publickey method in my case: created a role, a user with that role, and added an ssh .pub key to that SVM-scoped user. But I'm still not sure how I'd actually use the ssh key in my requests; that's still not entirely clear to me.

smoky field
#

I need some sort of authentication that can be used in a script and automations, and I'm not sure how to do that in ONTAP REST.

smoky field
#

OK, so I created a user, and a role with privileges for a specific volume's snapshots (access all), but when I try to use basic auth and the credentials I get a 401.
I know the password I set when creating the user through the REST API is correct, because when I tried resetting it in the ONTAP CLI it gave me an error saying the password has to be different from the old one... Not sure where I went wrong, but I'd like some help; maybe someone can hop on a call real quick and go through what I did.

smoky field
#

This is how I created my custom role in a POST request. When I used the default admin role the requests were fine, so the user/pass creds aren't the issue.
Not sure where I went wrong here, but if anyone is familiar with this API I'd appreciate the help.

{
  "name": "test-role",
  "owner.uuid": "{{svm-nas01-uuid}}",
  "privileges": [
    {
      "access": "all",
      "path": "/api/storage/volumes/{{Test-vol-uuid}}/snapshots"
    }
  ]
}
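An added example, not code from anyone in this thread: it scripts the four steps minor sparrow lists (create role, create user, bind the role, authenticate with the credentials) and then exercises the kind of snapshot-only role the post above creates, using only the Python standard library. The cluster address, admin credentials, CA bundle path, SVM and volume UUIDs and the new user's name and password are assumptions supplied by the caller; `/api/security/roles` and `/api/security/accounts` are the ONTAP REST endpoints for roles and accounts, and the nested `owner` object and the `applications` list are the documented body shapes. The `diagnose` helper separates the two outcomes a tester needs to tell apart: a 401 means the cluster never accepted the credentials (account, login method or target LIF), while a 403 means the login worked and it is the role's privilege path that is refusing the URL.

```python
"""Provision a snapshot-only REST user on ONTAP and verify it end to end.
Added example; all addresses, UUIDs and credentials are caller-supplied
assumptions, not values from the thread."""
import base64
import json
import ssl
import urllib.error
import urllib.request


def role_payload(name, svm_uuid, volume_uuid, access="all"):
    """Role whose only privilege is one volume's snapshot collection (same
    intent as the post above, using the documented nested 'owner' form)."""
    return {
        "name": name,
        "owner": {"uuid": svm_uuid},
        "privileges": [
            {"access": access,
             "path": f"/api/storage/volumes/{volume_uuid}/snapshots"},
        ],
    }


def account_payload(name, svm_uuid, role_name, password):
    """SVM-scoped account bound to the role. The 'http' application with the
    'password' method is what permits basic auth against /api at all; an
    account without it is rejected before the role is consulted."""
    return {
        "name": name,
        "owner": {"uuid": svm_uuid},
        "role": {"name": role_name},
        "password": password,
        "applications": [
            {"application": "http", "authentication_methods": ["password"]},
        ],
    }


def basic_auth_header(user, password):
    """Authorization header value for HTTP basic auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def rest_call(base_url, method, path, user, password, cafile, body=None):
    """Send one request; return (status, parsed JSON or {}). TLS is verified
    against the cluster's CA bundle rather than switched off."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def diagnose(status):
    """Map the status of the final GET to the next thing worth checking."""
    if status == 200:
        return "ok: credentials accepted and the role allows this path"
    if status == 401:
        return ("authentication failed: check that the account exists on this "
                "SVM, has the http application with password auth enabled, "
                "and that the request targets a management LIF of that SVM")
    if status == 403:
        return "authenticated, but the role's privilege path does not cover this URL"
    return f"unexpected status {status}"


def provision_and_check(base_url, admin, admin_pw, cafile,
                        svm_uuid, volume_uuid, user, user_pw):
    """Steps 1-4 from the thread, then a request as the new user against the
    one endpoint the role is meant to allow. Returns (status, diagnosis)."""
    rest_call(base_url, "POST", "/api/security/roles", admin, admin_pw, cafile,
              role_payload("snap-only", svm_uuid, volume_uuid))
    rest_call(base_url, "POST", "/api/security/accounts", admin, admin_pw,
              cafile, account_payload(user, svm_uuid, "snap-only", user_pw))
    status, _ = rest_call(base_url, "GET",
                          f"/api/storage/volumes/{volume_uuid}/snapshots",
                          user, user_pw, cafile)
    return status, diagnose(status)


if __name__ == "__main__":
    # Placeholder values (constructed); replace with your own cluster's.
    print(provision_and_check("https://cluster.example", "admin", "ADMIN-PW",
                              "/path/to/ontap-ca.pem", "SVM-UUID", "VOL-UUID",
                              "snapuser", "SNAPUSER-PW"))
```

Run it once with the admin credentials to provision, then a second time with a different path (for example another volume's snapshots) as the new user to confirm that the role really denies everything outside its one privilege path; the status should flip from 200 to 403 without ever producing a 401.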