Forwarding API call from master to region

Hello. I’d like to hear some feedback on this issue from experienced people.

We expose an custom API as POST /api/automation_requests with {uri_parts: {namespace: '...', class: '...', instance: '...'}}. There is a need to forward this call from master to region.
I am using a predefined user, and it is all working nice. But now for region call I want to use the same user (I mean user with the same name), that is calling master. I can get userid, but I cannot get password from automate.

I see several options:

  1. Use the predefined service user, pass calling userid as an attribute and solve all autorization manually in automate.
  2. Use the predefined service user and solve all autorization manually already in master region.
  3. Patch MiqAeServiceUser to expose password_digest and decrypt it.

What do you think it is the best choice?