Harbor 2.7 CLI Credentials for Harbor users

Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33

A user can connect to the Harbor instance programmatically ONLY with a generated CLI secret. The password used to log in to the DevOps toolchain will not work. There are two ways to connect:

  • connect to the Docker Registry using the docker command or any OCI client
  • connect to the Helm chart repository using the helm command

ℹ CI/CD

This page is about your personal account only. Do not use your personal CLI secret in a delivery pipeline.

The DevOps Portal automatically creates a Robot Account for each Project and injects its credentials into Jenkins. See Automatically provided Credentials for more details.

Create CLI secret

The CLI secret can be created by any user from the Harbor User Interface. First, log in to your Harbor instance using Keycloak (LOGIN VIA OIDC PROVIDER).

In the upper right corner, click on your username field and then click User Profile.

You will be taken to the profile overview, where the CLI Secret can be found.

Description of the fields:

| Field | Remark |
|---|---|
| Username | The automatically set up username, which will be used for docker login etc. |
| Email | Your email. It cannot be changed (even if the field looks editable, the change will not be applied). |
| CLI Secret | The automatically generated secret for command line interfaces. Used instead of the password. |

Use the copy icon on the right to copy the CLI secret and use it for authentication.

Authenticate with a CLI Secret

To use a secret in an automated process, run docker login and provide your username and the CLI secret (as the password) before you issue further commands such as docker pull or docker push.

docker login registry-CUSTOMER.devops.t-systems.net
Username: <username>
Password: <cli_secret>
docker pull registry-CUSTOMER.devops.t-systems.net/PKEY/REPO:TAG

See the following table to understand the structure of the arguments.

| Placeholder | Description |
|---|---|
| CUSTOMER | Name of your DevOps-as-a-Service instance |
| PKEY | Project Key of the Project like on the Portal |
| REPO | The image repository, e.g. tomcat |
| TAG | The tag of the image, e.g. latest |

For pulling from a repository, you need at least a VIEWER role. For pushing, you require at least a DEVELOPER role for the affected project.

When done working, you can use docker logout to remove cached credentials from the file-system where your docker commands are executed.

ℹ SECRET EXPIRATION

Your CLI secret in Harbor can expire if you don't log in to your account, because of the offline_access idle time set by Keycloak, which is 30 days. When this happens, you will see an 'unauthorized: authentication required' message. This means you need to log in to Harbor at least once every 30 days to keep your CLI secret active. To avoid any disruptions, we recommend updating your CLI secret in your Harbor profile settings regularly.
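
An added example, not part of the original page or of the platform's tooling: a POSIX shell wrapper for the login, pull and logout sequence above. It passes the CLI secret through --password-stdin so it stays out of the process list and shell history, flags the 'unauthorized: authentication required' error from the expiration note, and always logs out. The variable names HARBOR_USER and HARBOR_CLI_SECRET and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. HARBOR_USER / HARBOR_CLI_SECRET are variable names assumed
# here; CUSTOMER, PKEY, REPO and TAG are the placeholders used on this page.

# Log in with the secret on stdin instead of as a command-line argument.
harbor_login() {
    if [ -z "$HARBOR_USER" ] || [ -z "$HARBOR_CLI_SECRET" ]; then
        echo "HARBOR_USER and HARBOR_CLI_SECRET must be set" >&2
        return 2
    fi
    printf '%s' "$HARBOR_CLI_SECRET" |
        docker login --username "$HARBOR_USER" --password-stdin "$1"
}

# Pull an image and translate the error this page describes into a hint.
harbor_pull() {
    pull_rc=0
    pull_out=$(docker pull "$1" 2>&1) || pull_rc=$?
    if [ -n "$pull_out" ]; then printf '%s\n' "$pull_out"; fi
    case $pull_out in
        *"unauthorized: authentication required"*)
            echo "CLI secret rejected; it may have expired." >&2
            echo "Log in to Harbor via OIDC or update the secret in your profile." >&2
            return 3 ;;
    esac
    return "$pull_rc"
}

# Login, pull, and remove the cached credentials even when the pull fails.
harbor_fetch() {
    registry=$1
    image=$2
    harbor_login "$registry" || return
    fetch_rc=0
    harbor_pull "$registry/$image" || fetch_rc=$?
    docker logout "$registry" >/dev/null
    return "$fetch_rc"
}

# Usage: harbor_fetch registry-CUSTOMER.devops.t-systems.net PKEY/REPO:TAG
```

Export the two variables from a secret store or a prompt such as `read -r` with terminal echo disabled rather than typing the secret into a command line.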

Update/Set Custom CLI Secret

You can refresh a CLI secret after it has been created if you need a new one.

To do so, go to your user profile again and click the three dots on the right-hand side.

You will be taken to the update interface.

From here you can click GENERATE SECRET and copy the new secret, or click UPLOAD YOUR OWN SECRET and use a predefined one.