Harbor 2.10 Robot Accounts
A project robot account authenticates to your Harbor instance using a secret. Robot accounts cannot log in to the Harbor UI, but can be used to:
- connect to the Docker Registry using the docker command or any OCI client
- connect to the Helm chart repository using the helm command
- connect to the Harbor API for any other automation tasks
Create Robot Account
A robot account can be created by a Project Admin in the Harbor project console.
Go to Projects in Harbor, select your project and switch to the tab named "Robot Accounts".
Click + NEW ROBOT USER and enter the following details (adjust as needed):
Field | Remark |
---|---|
Name | The final robot name will consist of the fixed prefix "doaas-", the project key and the name you have chosen here |
Description | Short description of robot user purpose |
Expiration time | Number of days the robot account is valid, -1 for Never Expires |
Click on NEXT to choose the appropriate project permissions (remember to follow the principle of least privilege).
At least one permission should be chosen to create the robot account.
In most cases, pull and push permissions are sufficient for standard use cases such as using the robot account for docker push and docker pull.
The Push Repository permission must be assigned with the Pull Repository permission. You are not able to assign the Push Repository permission by itself.
After choosing the permissions, click FINISH.
You need to click copy secret or export secret to file to be able to finalize the robot account creation. Store the secret only in safe places like an encrypted KeePassXC password database.
Harbor does not store robot secret tokens, so you must either download the secret or copy it now! There is no way to get the secret from Harbor after you have created the robot account. However, you are able to refresh the secret after the robot account is created. That means you can get a new secret for an existing robot account.
Edit, Deactivate, or Delete a Project Robot Account
You are able to edit, deactivate, or delete a project robot account.
- From a project’s Robot Account page, select the checkbox next to the robot account you are updating.
- Select Action and then Edit, Deactivate, or Delete.
A deactivated robot account can be reactivated at any time and will use the old secret without the need to update it. Additionally, project permissions can be changed at any time.
Refresh Project Robot Account Secret
You can refresh a robot account’s secret after it's created in the event that you need a new one.
On the Robot Account page, select the checkbox next to the robot account you are updating.
Select Action and then Refresh Secret.
By default, Harbor will generate a new secret randomly. As an alternative, you can choose to enable manually specifying the secret, then enter it and click Confirm Secret. Optionally, you can view the hidden secret by clicking the eye icon.
Authenticate with a Project Robot Account
To use a robot account in an automated process, use docker login and provide the credentials of the robot account before you issue additional commands like docker pull or docker push.
Username: <prefix><project_name>+<account_name>
Password: <secret>
Be cautious about the robot account name: it can be misinterpreted by the command line if, for example, the name contains a $ sign!
When done working with the robot account, you can use docker logout to remove cached credentials from the file system where your docker commands are executed.
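The login, work and logout sequence described above, as an added shell example (not part of the original page or of the Harbor documentation). The host harbor.example.test, the image name, the file ./robot.secret (assumed to contain only the secret) and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; host, secret file and function names are assumptions.

# Compose "<prefix><project_name>+<account_name>". printf treats each part as
# data, so a "$" inside a part is never re-expanded by the shell.
robot_username() {
    printf '%s%s+%s' "$1" "$2" "$3"
}

# Return 0 only if $1 looks like "<prefix><project>+<account>" for prefix $2.
# A literal such as "robot$proj+ci" written in double quotes loses "$proj"
# and arrives as "robot+ci", which this check rejects.
check_robot_username() {
    case "$1" in
        "$2"?*+?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: with_robot_login HOST PREFIX USERNAME SECRET_FILE COMMAND [ARGS...]
# Logs in, runs COMMAND, then always logs out so no credential stays cached.
# The body is a subshell: variables stay local and exit only leaves the function.
with_robot_login() (
    host=$1 prefix=$2 user=$3 secret_file=$4
    shift 4
    check_robot_username "$user" "$prefix" || {
        echo "unexpected robot account name: $user" >&2; exit 64; }
    [ -r "$secret_file" ] || {
        echo "secret file not readable: $secret_file" >&2; exit 66; }
    # --password-stdin keeps the secret out of argv and shell history.
    docker login --username "$user" --password-stdin "$host" \
        < "$secret_file" || exit
    rc=0
    "$@" || rc=$?
    docker logout "$host"
    exit "$rc"
)

# Example call (single quotes keep any "$" in the name literal):
# with_robot_login harbor.example.test 'doaas-' 'doaas-myproj+ci' \
#     ./robot.secret docker pull harbor.example.test/myproj/app:1.0
```

The wrapped command's exit status is passed through, so a CI job still fails when the pull or push fails even though the logout succeeded.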
See https://goharbor.io/docs/2.10.0/working-with-projects/project-configuration/create-robot-accounts/ for additional information.