You need the Kibana plugin, you should make an HTTP call to the Kibana POST /login endpoint (with username and password), obtain the cookie in the response header, and then inject the iframe code in the page.
The alternative is modifying the Kibana plugin for reading credentials from the query parameters in the iframe embed code, which a) is not handy because you should edit manually each Kibana embed code. And b) you’d be copy-pasting around credentials.
Another option would be to implement an ACL in the Kibana plugin too, which is something that me and @ld57 have been talking about recently. This would unlock: user-specific url redirects and public url passthrough (like this).